Aruba Certified Network Security Expert Written Exam v1.0

Page:    1 / 4   
Exam contains 60 questions

A customer has an AOS 10-based mobility solution, which authenticates clients to Aruba ClearPass Policy Manager (CPPM). The customer has some wireless devices that support WPA2 in personal mode only.
How can you meet these devices’ needs but improve security?

  • A. Use MPSK on the WLAN to which the devices connect.
  • B. Configure WIDS policies that apply extra monitoring to these particular devices.
  • C. Connect these devices to the same WLAN to which 802.1X-capable clients connect, using MAC-Auth fallback.
  • D. Enable dynamic authorization (RFC 3576) in the AAA profile for the devices.


Answer : A

When would you implement BPDU protection on an AOS-CX switch port versus BPDU filtering?

  • A. Use BPDU protection on edge ports to protect against rogue devices when the switch implements MSTP; use BPDU filtering to protect against rogue devices when the switch implements PVST+.
  • B. Use BPDU protection on edge ports to prevent rogue devices from connecting; use BPDU filtering on inter-switch ports for specialized use cases.
  • C. Use BPDU protection on inter-switch ports to ensure that they are selected as root; use BPDU filtering on edge ports to prevent rogue devices from connecting.
  • D. Use BPDU protection on edge ports to permanently lock out rogue devices; use BPDU filtering on edge ports to temporarily lock out rogue devices.


Answer : B

Refer to the exhibit.

You have been given this certificate to install on a ClearPass server for the RADIUS/EAP and RadSec usages.
What is one issue?

  • A. The certificate has a wildcard in the subject common name.
  • B. The certificate uses a fully qualified “.local” domain name.
  • C. The certificate does not have a URI subject alternative name (SAN).
  • D. The certificate does not have an IP subject alternative name (SAN).


Answer : C
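The properties those four options ask about (a wildcard subject, a ".local" name, the SAN types present, and the extended key usage a RadSec peer needs) can be checked mechanically before a certificate is uploaded to ClearPass. The following shell function is an added example, not code from the exam page or from HPE; it assumes OpenSSL 1.1.1 or later on PATH and builds throwaway self-signed certificates with assumed names (radius.example.com, *.corp.local, 10.1.5.10) so it runs offline.

```shell
#!/bin/sh
# Lint a server certificate intended for ClearPass RADIUS/EAP and RadSec use.
# Added example; assumes OpenSSL 1.1.1+ on PATH. Findings go to stdout, one
# per line; the function returns 1 if anything was flagged, 0 if clean.

lint_eap_cert() {
    pem="$1"
    text=$(openssl x509 -noout -text -in "$pem")
    # RFC 2253 form gives a compact "CN=host,O=Org" string without spaces.
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$pem" | sed 's/^subject= *//')
    # In -text output the value line follows the extension header line.
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    eku=$(printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | tail -n 1)
    findings=0

    # 1. Wildcard subjects: many supplicants refuse to match an EAP server
    #    certificate against a wildcard, and RadSec peers pin exact names.
    case "$subject" in
        *"*"*) echo "wildcard in subject: $subject"; findings=$((findings + 1)) ;;
    esac

    # 2. ".local" names cannot be issued by a public CA and are not resolvable
    #    outside mDNS, which breaks RadSec peers that connect by FQDN.
    case ",$san,$subject," in
        *".local,"*) echo "non-public .local name in subject or SAN"; findings=$((findings + 1)) ;;
    esac

    # 3. Supplicants match the server name against DNS SAN entries, not the CN.
    case "$san" in
        *DNS:*) ;;
        *) echo "no DNS subject alternative name"; findings=$((findings + 1)) ;;
    esac

    # 4. EAP needs serverAuth; RadSec is mutual TLS, so the same certificate is
    #    also presented as a client certificate and needs clientAuth as well.
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "extendedKeyUsage lacks serverAuth"; findings=$((findings + 1)) ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "extendedKeyUsage lacks clientAuth (needed for RadSec)"; findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ]
}

# Build a throwaway self-signed certificate so the linter can be exercised
# offline. Arguments: output path, CN, SAN list, EKU list (openssl syntax).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "/CN=$2" \
        -addext "subjectAltName=$3" -addext "extendedKeyUsage=$4" 2>/dev/null
}

# Demo run with constructed certificates: one shaped like the problem cases
# the exam options describe, one shaped the way a RadSec/EAP server cert should be.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/bad.pem"  "*.corp.local"       "DNS:radius.corp.local"                "serverAuth"
make_demo_cert "$demo_dir/good.pem" "radius.example.com" "DNS:radius.example.com,IP:10.1.5.10"  "serverAuth,clientAuth"
echo "--- bad.pem";  lint_eap_cert "$demo_dir/bad.pem"  || true
echo "--- good.pem"; lint_eap_cert "$demo_dir/good.pem" && echo "clean"
```

Run it against the real PEM with `lint_eap_cert server.pem`; a non-zero exit status makes it usable as a gate in a certificate-rollout pipeline.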

A customer needs you to configure Aruba ClearPass Policy Manager (CPPM) to authenticate domain users on domain computers. Domain users, domain computers, and domain controllers receive certificates from a Windows CA. CPPM should validate these certificates and verify that the users and computers have accounts in Windows AD. The customer requires encryption for all communications between CPPM and the domain controllers.
You have imported the root certificate for the Windows CA to the ClearPass CA Trust list.
Which usages should you add to it based on these requirements?

  • A. RadSec and Aruba infrastructure
  • B. EAP and AD/LDAP Server
  • C. EAP and RadSec
  • D. LDAP and Aruba infrastructure


Answer : B

A customer's admins have added RF Protect licenses and enabled WIDS for a customer's AOS 8-based solution. The customer wants to use the built-in capabilities of APs without deploying dedicated air monitors (AMs). Admins tested rogue AP detection by connecting an unauthorized wireless AP to a switch. The rogue AP was not detected even after several hours.
What is one point about which you should ask?

  • A. Whether APs’ switch ports support all the VLANs that are accessible at the edge
  • B. Whether admins enabled wireless containment
  • C. Whether admins set at least one radio on each AP to air monitor mode
  • D. Whether the customer is using non-standard Wi-Fi channels in the deployment


Answer : C

A customer has an AOS 10-based solution, including Aruba APs. The customer wants to use Cloud Auth to authenticate non-802.1X capable IoT devices.
What is a prerequisite for setting up the device role mappings?

  • A. Configuring a NetConductor-based fabric
  • B. Configuring Device Insight (client profile) tags in Central
  • C. Integrating Aruba ClearPass Policy Manager (CPPM) and Device Insight
  • D. Creating global role-to-role firewall policies in Central


Answer : B

You want to use Device Insight tags as conditions within CPPM role mapping or enforcement policy rules.
What guidelines should you follow?

  • A. Create an HTTP authentication source to the Central API that queries for the tags. To use that source as the type for rule conditions, add it as an authorization source for the service in question.
  • B. Use the Application type for the rule conditions; no extra authorization source is required for services that use policies with these rules.
  • C. Use the Endpoints Repository type for the rule conditions; add Endpoints Repository as a secondary authentication source for services that use policies with these rules.
  • D. Use the Endpoint type for the rule conditions; no extra authorization source is required for services that use policies with these rules.


Answer : D

A customer has an AOS 10 architecture, which includes Aruba APs. Admins have recently enabled WIDS at the high level. They also enabled alerts and email notifications for several events, as shown in the exhibit.

Admins are complaining that they are getting so many emails that they have to ignore them, so they are going to turn off all notifications.
What is one step you could recommend trying first?

  • A. Send the email notifications directly to a specific folder, and only check the folder once a week.
  • B. Disable email notifications for Rogue AP, but leave the Infrastructure Attack Detected and Client Attack Detected notifications on.
  • C. Change the WIDS level to custom, and enable only the checks most likely to indicate real threats.
  • D. Disable just the Rogue AP and Client Attack Detected alerts, as they overlap with the Infrastructure Attack Detected alert.


Answer : C

Refer to the scenario.
A customer has asked you to review their AOS-CX switches for potential vulnerabilities. The configuration for these switches is shown below:

What is one recommendation to make?

  • A. Let the RADIUS server configure VLANs on LAG 1 dynamically.
  • B. Use MD5 instead of SHA1 for the NTP authentication key.
  • C. Encrypt the certificate in the TA-profile.
  • D. Create a control plane ACL to limit the sources that can access the switch with SSH.


Answer : D

Refer to the scenario.
A customer has asked you to review their AOS-CX switches for potential vulnerabilities. The configuration for these switches is shown below:

What is one immediate remediation that you should recommend?

  • A. Changing the switch’s DNS server to the mgmt VRF
  • B. Setting the clock manually instead of using NTP
  • C. Either disabling DHCPv4-snooping or leaving it enabled, but also enabling ARP inspection
  • D. Disabling Telnet


Answer : D

Refer to the exhibit.

Aruba ClearPass Policy Manager (CPPM) is using the settings shown in the exhibit. You reference the tag shown in the exhibit in enforcement policies related to NASes of several types, including Aruba APs, Aruba gateways, and AOS-CX switches.
What should you do to ensure that clients are reclassified and receive the correct treatment based on the tag?

  • A. Change the RADIUS action to [Aruba Wireless – Terminate Session] which is supported by all the NASes in question.
  • B. Change the RADIUS action to [Aruba Wireless – Bounce Switch Port] which is supported by all the NASes in question.
  • C. Enable profiling in each service using one of these enforcement profiles. Set the profiling action to the correct one for the NASes using that service.
  • D. Set the Tags Update Action to No Action. Then instead enable the RADIUS CoAs using enforcement profiles in the rules that match clients with the tag shown in the exhibit.


Answer : D

You are setting up Aruba ClearPass Policy Manager (CPPM) to enforce EAP-TLS authentication with Active Directory as the authentication source. The company wants to prevent users with disabled accounts from connecting even if those users still have valid certificates.
As the first part of meeting these criteria, what should you do to enable CPPM to determine whether accounts are enabled in AD or not?

  • A. Add an Endpoint Context Server to the domain controller with actions for querying the domain controller for account status.
  • B. Enable OCSP in the EAP-TLS authentication method settings and configure an OCSP override to the domain controller FQDN.
  • C. Add a custom attribute for userAccountControl to the filters in the AD authentication source.
  • D. Install a Microsoft Active Directory extension in Aruba ClearPass Guest and set up an HTTP authentication source that points to that extension.


Answer : C
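What the chosen option actually relies on is the userAccountControl bit field: EAP-TLS proves possession of the private key, and the AD attribute fetched by the authentication source is what tells the policy whether a live, enabled account still stands behind the certificate. The Python below is an added example, not ClearPass code; the directory entries are constructed, the flag values follow Microsoft's published userAccountControl bit definitions, and the authorize() function stands in for the role-mapping or enforcement rule you would write in CPPM.

```python
"""Decode Active Directory userAccountControl and gate an EAP-TLS user on it.

Added example, not ClearPass code. The entries below are constructed; the bit
values follow Microsoft's userAccountControl definition.
"""

# Subset of userAccountControl bits, ascending, so decode_flags() is ordered.
UAC_FLAGS = (
    (0x0002, "ACCOUNTDISABLE"),
    (0x0010, "LOCKOUT"),
    (0x0020, "PASSWD_NOTREQD"),
    (0x0200, "NORMAL_ACCOUNT"),
    (0x1000, "WORKSTATION_TRUST_ACCOUNT"),
    (0x2000, "SERVER_TRUST_ACCOUNT"),
    (0x10000, "DONT_EXPIRE_PASSWORD"),
    (0x40000, "SMARTCARD_REQUIRED"),
    (0x800000, "PASSWORD_EXPIRED"),
)
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010
# OID of LDAP_MATCHING_RULE_BIT_AND, the extensible match AD filters use for
# bit tests, e.g. (userAccountControl:1.2.840.113556.1.4.803:=2) = "disabled".
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Constructed sample of what the AD authentication source would return.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512},        # enabled user
    {"sAMAccountName": "bob", "userAccountControl": 514},          # disabled user
    {"sAMAccountName": "ws01$", "userAccountControl": 4096},       # computer account
    {"sAMAccountName": "svc-radius", "userAccountControl": 66050}, # disabled, pw never expires
]


def decode_flags(uac: int) -> list[str]:
    """Names of the bits set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS if uac & bit]


def is_disabled(uac: int) -> bool:
    return bool(uac & ACCOUNTDISABLE)


def bit_and_filter(entries, attr: str, mask: int):
    """Evaluate an AD filter of the form (attr:1.2.840.113556.1.4.803:=mask):
    select entries whose integer attribute has every bit of mask set."""
    return [e for e in entries if int(e.get(attr, 0)) & mask == mask]


def authorize(entries, identity: str) -> tuple[str, str]:
    """Second stage after a successful EAP-TLS handshake: the certificate
    identity must map to an AD account that is neither disabled nor locked."""
    matches = [e for e in entries if e["sAMAccountName"].lower() == identity.lower()]
    if not matches:
        return ("deny", "no AD account for certificate identity")
    uac = int(matches[0]["userAccountControl"])
    if is_disabled(uac):
        return ("deny", "account disabled: " + ",".join(decode_flags(uac)))
    if uac & LOCKOUT:
        return ("deny", "account locked out")
    return ("allow", "account enabled")


if __name__ == "__main__":
    print(f"disabled-account filter: (userAccountControl:{BIT_AND_RULE}:=2)")
    for e in bit_and_filter(SAMPLE_ENTRIES, "userAccountControl", ACCOUNTDISABLE):
        print("  matches:", e["sAMAccountName"])
    for who in ("alice", "bob", "ws01$", "mallory"):
        print(f"{who:12s} -> {authorize(SAMPLE_ENTRIES, who)}")
```

A revoked or expired certificate is handled by OCSP/CRL checking in the EAP-TLS method; this attribute check is what catches the separate case of a certificate that is still valid while the account behind it has been disabled.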

Refer to the scenario.
This customer is enforcing 802.1X on AOS-CX switches to Aruba ClearPass Policy Manager (CPPM). The customer wants switches to download role settings from CPPM. The “reception-domain” role must have these settings:
— Assigns clients to VLAN 14 on switch 1, VLAN 24 on switch 2, and so on.
— Filters client traffic as follows:
— Clients are permitted full access to 10.1.5.0/24 and the Internet
— Clients are denied access to 10.1.0.0/16
The switch topology is shown here:

How should you configure the VLAN setting for the reception role?

  • A. Assign a consistent name to VLAN 14, 24, or 34 on each access layer switch and reference that name in the enforcement profile VLAN settings.
  • B. Configure the enforcement profile as a downloadable role, but specify only the role name and leave the VLAN undefined. Then define a “reception” role with the correct VLAN setting on each individual access layer switch.
  • C. Assign a number-based ID to the access layer switches. Then use this variable in the enforcement profile VLAN settings: %{NAS-ID}4.
  • D. Create a separate enforcement profile with a different VLAN ID for each switch. Add all profiles to the profile list in the appropriate enforcement policy rule.


Answer : A
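The reason a single profile works is that AOS-CX resolves a non-numeric Tunnel-Private-Group-Id as a VLAN name, so each switch maps the same returned value to its own local VLAN ID. The fragment below is an added example rather than the customer's configuration or HPE documentation; the switch numbering, VLAN IDs and the role name "reception" are assumptions taken from the scenario.

```text
! Added example. Each access switch carries the same VLAN name on a
! different VLAN ID; the switch number and IDs are assumptions.

! Access switch 1
vlan 14
    name reception

! Access switch 2
vlan 24
    name reception

! Access switch 3
vlan 34
    name reception

! ClearPass enforcement profile returned to every access switch
! (RADIUS attribute form; the VLAN is referenced by name, not by ID):
Radius:IETF   Tunnel-Type               = VLAN (13)
Radius:IETF   Tunnel-Medium-Type        = IEEE-802 (6)
Radius:IETF   Tunnel-Private-Group-Id   = reception
```

Keep the name identical, including case, on every switch: a switch that has no VLAN called "reception" will reject the authorization, and that failure shows up on the switch rather than in ClearPass.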

Which element helps to lay the foundation for solid network security forensics?

  • A. Enable BPDU protection and loop protection on edge switch ports
  • B. Enabling debug-level information for network infrastructure device logs
  • C. Implementing 802.1X authentication on switch ports that connect to APs
  • D. Ensuring that all network devices use a correct, consistent clock


Answer : D

Refer to the exhibit.

A customer requires protection against ARP poisoning in VLAN 4. Below are listed all settings for VLAN 4 and the VLAN 4 associated physical interfaces on the AOS-CX access layer switch:

What is one issue with this configuration?

  • A. ARP proxy is not enabled on VLAN 4.
  • B. LAG 1 is configured as trusted for ARP inspection but should be untrusted.
  • C. DHCP snooping is not enabled on VLAN 4.
  • D. Edge ports are not configured as untrusted for ARP inspection.


Answer : D
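The three switch-hardening questions above (BPDU protection versus filtering, a control-plane ACL for SSH, and ARP inspection with trusted and untrusted ports) fit together as one access-switch baseline. The configuration below is an added example, not the customer's configuration from either scenario and not taken from HPE documentation; interface ranges, VLAN 4, LAG 1 as the uplink, the 10.1.100.0/24 admin subnet and the ACL name are assumptions, and the exact command forms should be verified against the CLI reference for the AOS-CX release in use.

```text
! Added example of an AOS-CX access-switch baseline. Interface numbers,
! VLAN 4, LAG 1 (uplink) and 10.1.100.0/24 (admin subnet) are assumptions.

! --- Spanning tree: BPDU guard on edge ports, not BPDU filter ---
spanning-tree
spanning-tree bpdu-guard timeout 300        ! re-enable after 300 s instead of a permanent lockout
interface 1/1/1-1/1/46
    spanning-tree port-type admin-edge
    spanning-tree bpdu-guard                ! a BPDU from a rogue switch err-disables the port
! BPDU filter silently drops BPDUs and can hide a loop; reserve it for
! deliberate inter-switch cases, never as a substitute for guard on edge ports.

! --- DHCPv4 snooping and ARP inspection for VLAN 4 ---
dhcpv4-snooping                             ! snooping builds the binding table DAI validates against
vlan 4
    dhcpv4-snooping
    arp inspection
interface lag 1                             ! uplink toward the DHCP server and gateway: trusted
    dhcpv4-snooping trust
    arp inspection trust
interface 1/1/1-1/1/46                      ! client-facing ports: explicitly untrusted
    no dhcpv4-snooping trust
    no arp inspection trust

! --- Control-plane ACL: only the admin subnet may reach SSH ---
access-list ip PROTECT-SSH
    10 permit tcp 10.1.100.0/24 any eq 22
    20 deny tcp any any eq 22
    30 permit any any any                   ! leave routing, RADIUS, NTP and the rest untouched
apply access-list ip PROTECT-SSH control-plane vrf default
```

Two checks worth running after applying this: confirm that the uplink really is the only trusted port (an edge port left trusted is exactly the gap the last question describes), and test SSH from a host outside 10.1.100.0/24 to prove the control-plane ACL is applied in the VRF the management traffic actually arrives on.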
