Aruba Certified Network Security Associate Exam Question and Answers

Last Update Sep 22, 2025
Total Questions : 167

Questions 1

An ArubaOS-CX switch enforces 802.1X on a port. No fail-through options or port-access roles are configured on the port. The 802.1X supplicant on a connected client has not yet completed authentication.

Which type of traffic does the authenticator accept from the client?

Options:

A.  

EAP only

B.  

DHCP, DNS and RADIUS only

C.  

RADIUS only

D.  

DHCP, DNS, and EAP only

Questions 2

You have been asked to find logs related to port authentication on an ArubaOS-CX switch for events logged in the past several hours. But you are having trouble searching through the logs. What is one approach that you can take to find the relevant logs?

Options:

A.  

Add the "-C and *-c port-access" options to the "show logging" command.

B.  

Configure a logging filter for the "port-access" category, and apply that filter globally.

C.  

Enable debugging for "portaccess" to move the relevant logs to a buffer.

D.  

Specify a logging facility that selects for "port-access" messages.

Questions 3

A company is deploying ArubaOS-CX switches to support 135 employees, which will tunnel client traffic to an Aruba Mobility Controller (MC) for the MC to apply firewall policies and deep packet inspection (DPI). This MC will be dedicated to receiving traffic from the ArubaOS-CX switches.

What are the licensing requirements for the MC?

Options:

A.  

one AP license per-switch

B.  

one PEF license per-switch

C.  

one PEF license per-switch, and one WCC license per-switch

D.  

one AP license per-switch, and one PEF license per-switch

Questions 4

You need to deploy an Aruba Instant AP where users can physically reach it. What are two recommended options for enhancing security for management access to the AP? (Select two.)

Options:

A.  

Disable its console ports

B.  

Place a Tamper Evident Label (TELS) over its console port

C.  

Disable the Web UI.

D.  

Configure WPA3-Enterprise security on the AP

E.  

Install a CA-signed certificate

Questions 5

What is social engineering?

Options:

A.  

Hackers use Artificial Intelligence (AI) to mimic a user’s online behavior so they can infiltrate a network and launch an attack.

B.  

Hackers use employees to circumvent network security and gather the information they need to launch an attack.

C.  

Hackers intercept traffic between two users, eavesdrop on their messages, and pretend to be one or both users.

D.  

Hackers spoof the source IP address in their communications so they appear to be a legitimate user.

Questions 6

Which correctly describes one of HPE Aruba Networking ClearPass Policy Manager's (CPPM's) device profiling methods?

Options:

A.  

CPPM can use Wireshark to actively probe devices, analyze their traffic patterns, and construct an endpoint profile.

B.  

CPPM can use SNMP to configure Aruba switches and mobility devices to mirror client traffic to CPPM for analysis.

C.  

CPPM can analyze settings such as TTL and time window size in endpoints' TCP traffic in order to fingerprint the OS.

D.  

CPPM can analyze settings such as TCP/UDP ports used for HTTP, DHCP, and DNS in endpoints' traffic to fingerprint the OS.

Questions 7

What is a consideration for using MAC authentication (MAC-Auth) to secure a wired or wireless connection?

Options:

A.  

As a Layer 2 authentication method, MAC-Auth cannot be used to authenticate devices to an external authentication server.

B.  

It is very easy for hackers to spoof their MAC addresses and get around MAC authentication.

C.  

MAC-Auth can add a degree of security to an open WLAN by enabling the generation of a PMK to encrypt traffic.

D.  

Headless devices, such as Internet of Things (IoT) devices, must be configured in advance to support MAC-Auth.

Questions 8

What is one practice that can help you to maintain a digital chain of custody in your network?

Options:

A.  

Enable packet capturing on Instant AP or Mobility Controller (MC) datapath on an ongoing basis.

B.  

Enable packet capturing on Instant AP or Mobility Controller (MC) control path on an ongoing basis.

C.  

Ensure that all network infrastructure devices receive a valid clock using authenticated NTP

D.  

Ensure that all network infrastructure devices use RADIUS rather than TACACS+ to authenticate managers

Questions 9

Which attack is an example of social engineering?

Options:

A.  

An email is used to impersonate a bank and trick users into entering their bank login information on a fake website page.

B.  

An attack exploits an operating system vulnerability and locks out users until they pay the ransom.

C.  

A hacker eavesdrops on insecure communications, such as Remote Desktop Protocol (RDP), and discovers login credentials.

D.  

A user visits a website and downloads a file that contains a worm, which self-replicates throughout the network.

Questions 10

What is another setting that you must configure on the switch to meet these requirements?

Options:

A.  

Set the aaa authentication login method for SSH to the "radius" server-group (with local as backup).

B.  

Configure a CPPM username and password that match a CPPM admin account.

C.  

Create port-access roles with the same names of the roles that CPPM will send in Aruba-Admin-Role VSAs.

D.  

Disable SSH on the default VRF and enable it on the mgmt VRF instead.

Questions 11

Refer to the exhibit.

This Aruba Mobility Controller (MC) should authenticate managers who access the Web UI to ClearPass Policy Manager (CPPM). ClearPass admins have asked you to use RADIUS and explained that the MC should accept managers' roles in Aruba-Admin-Role VSAs.

Which setting should you change to follow Aruba best security practices?

Options:

A.  

Change the local user role to read-only

B.  

Clear the MSCHAP check box

C.  

Disable local authentication

D.  

Change the default role to "guest-provisioning"

Questions 12

What is one way a honeypot can be used to launch a man-in-the-middle (MITM) attack to wireless clients?

Options:

A.  

It uses ARP poisoning to disconnect wireless clients from the legitimate wireless network and force clients to connect to the hacker’s wireless network instead.

B.  

It runs an NMap scan on the wireless client to find the client's MAC and IP address. The hacker then connects to another network and spoofs those addresses.

C.  

It uses a combination of software and hardware to jam the RF band and prevent the client from connecting to any wireless networks.

D.  

It examines wireless clients' probes and broadcasts the SSIDs in the probes, so that wireless clients will connect to it automatically.

Questions 13

This company has AOS-CX switches. The exhibit shows one access layer switch, Switch-2, as an example, but the campus actually has more switches. Switch-1 is a core switch that acts as the default router for end-user devices.

What is a correct way to configure the switches to protect against exploits from untrusted end-user devices?

Options:

A.  

On Switch-1, enable ARP inspection on VLAN 100 and DHCP snooping on VLANs 15 and 25.

B.  

On Switch-2, enable DHCP snooping globally and on VLANs 15 and 25. Later, enable ARP inspection on the same VLANs.

C.  

On Switch-2, enable BPDU filtering on all edge ports in order to prevent eavesdropping attacks by untrusted devices.

D.  

On Switch-1, enable DHCP snooping on VLAN 100 and ARP inspection on VLANs 15 and 25.

Questions 14

How does the ArubaOS firewall determine which rules to apply to a specific client's traffic?

Options:

A.  

The firewall applies every rule that includes the client's IP address as the source.

B.  

The firewall applies the rules in policies associated with the client's WLAN.

C.  

The firewall applies the rules in policies associated with the client's user role.

D.  

The firewall applies every rule that includes the client's IP address as the source or destination.

Questions 15

The monitoring admin has asked you to set up an AOS-CX switch to meet these criteria:

    Send logs to a SIEM Syslog server at 10.4.13.15 at the standard TCP port (514)

    Send a log for all events at the "warning" level or above; do not send logs with a lower level than "warning"

The switch did not have any "logging" configuration on it. You then entered this command:

AOS-CX(config)# logging 10.4.13.15 tcp vrf default

What should you do to finish configuring to the requirements?

Options:

A.  

Specify the "warning" severity level for the logging server.

B.  

Add logging categories at the global level.

C.  

Ask for the Syslog password and configure it on the switch.

D.  

Configure logging as a debug destination.

Questions 16

What is a use case for implementing RadSec instead of RADIUS?

Options:

A.  

A university wants to protect communications between the students' devices and the network access server.

B.  

A corporation wants to implement EAP-TLS to authenticate wireless users at their main office.

C.  

A school district wants to protect messages sent between RADIUS clients and servers over an untrusted network.

D.  

An organization wants to strengthen the encryption used to protect RADIUS communications without increasing complexity.

Questions 17

Refer to the exhibit.

You are deploying a new ArubaOS Mobility Controller (MC), which is enforcing authentication to Aruba ClearPass Policy Manager (CPPM). The authentication is not working correctly, and you find the error shown in the exhibit in the CPPM Event Viewer.

What should you check?

Options:

A.  

that the MC has been added as a domain machine on the Active Directory domain with which CPPM is synchronized

B.  

that the shared secret configured for the CPPM authentication server matches the one defined for the device on CPPM

C.  

that the IP address that the MC is using to reach CPPM matches the one defined for the device on CPPM

D.  

that the MC has valid admin credentials configured on it for logging into the CPPM

Questions 18

What is a reason to set up a packet capture on an Aruba Mobility Controller (MC)?

Options:

A.  

The company wants to use ClearPass Policy Manager (CPPM) to profile devices and needs to receive HTTP User-Agent strings from the MC.

B.  

The security team believes that a wireless endpoint connected to the MC is launching an attack and wants to examine the traffic more closely.

C.  

You want the MC to analyze wireless clients' traffic at a lower level, so that the ArubaOS firewall can control the traffic based on application.

D.  

You want the MC to analyze wireless clients' traffic at a lower level, so that the ArubaOS firewall can control Web traffic based on the destination URL.

Questions 19

You have an Aruba Mobility Controller (MC) that is locked in a closet. What is another step that Aruba recommends to protect the MC from unauthorized access?

Options:

A.  

Use local authentication rather than external authentication to authenticate admins.

B.  

Change the password recovery password.

C.  

Set the local admin password to a long random value that is unknown or locked up securely.

D.  

Disable local authentication of administrators entirely.

Questions 20

An organization has HPE Aruba Networking infrastructure, including AOS-CX switches and an AOS-8 mobility infrastructure with Mobility Controllers (MCs) and APs. Clients receive certificates from ClearPass Onboard. The infrastructure devices authenticate clients to ClearPass Policy Manager (CPPM). The company wants to start profiling clients to take their device type into account in their access rights.

What is a role that CPPM should play in this plan?

Options:

A.  

Assigning clients to their device categories

B.  

Helping to forward profiling information to the component responsible for profiling

C.  

Accepting and enforcing CoA messages

D.  

Enforcing access control decisions

Questions 21

Refer to the exhibit, which shows the settings on the company's MCs.

You have deployed about 100 new HPE Aruba Networking 335 APs. What is required for the APs to become managed?

Options:

A.  

Installing CA-signed certificates on the APs

B.  

Approving the APs as authorized APs on the AP whitelist

C.  

Installing self-signed certificates on the APs

D.  

Configuring a PAPI key that matches on the APs and MCs

Questions 22

A company with 439 employees wants to deploy an open WLAN for guests. The company wants the experience to be as follows:

*Guests select the WLAN and connect without having to enter a password.

*Guests are redirected to a welcome web page and log in.

The company also wants to provide encryption for the network for devices that are capable. Which security options should you implement for the WLAN?

Options:

A.  

Opportunistic Wireless Encryption (OWE) and WPA3-Personal

B.  

WPA3-Personal and MAC-Auth

C.  

Captive portal and Opportunistic Wireless Encryption (OWE) in transition mode

D.  

Captive portal and WPA3-Personal

Questions 23

A customer has an AOS-10 network infrastructure. The customer is looking for a solution that can classify many different types of devices, including IoT devices. Which solution should you explain can provide these capabilities?

Options:

A.  

HPE Aruba Networking EdgeConnect SD-WAN

B.  

HPE Aruba Networking ClearPass OnGuard

C.  

HPE Aruba Networking Central

D.  

HPE Aruba Networking ClearPass Onboard

Questions 24

You are troubleshooting an authentication issue for HPE Aruba Networking switches that enforce 802.1X to a cluster of HPE Aruba Networking ClearPass Policy Manager (CPPMs). You know that CPPM is receiving and processing the authentication requests because the Aruba switches are showing Access-Rejects in their statistics. However, you cannot find the record for the Access-Rejects in CPPM Access Tracker.

What is something you can do to look for the records?

Options:

A.  

Go to the CPPM Event Viewer, because this is where RADIUS Access Rejects are stored.

B.  

Verify that you are logged in to the CPPM UI with read-write, not read-only, access.

C.  

Make sure that CPPM cluster settings are configured to show Access-Rejects.

D.  

Click Edit in Access Viewer and make sure that the correct servers are selected.

Questions 25

What is an example of phishing?

Options:

A.  

An attacker sends TCP messages to many different ports to discover which ports are open.

B.  

An attacker checks a user’s password by trying millions of potential passwords.

C.  

An attacker lures clients to connect to a software-based AP that is using a legitimate SSID.

D.  

An attacker sends emails posing as a service team member to get users to disclose their passwords.

Questions 26

Your Aruba Mobility Master-based solution has detected a rogue AP. Among other information, the ArubaOS Detected Radios page lists this information for the AP:

SSID = PublicWiFI

BSSID = a8M27 12 34:56

Match method = Exact match

Match type = Eth-GW-wired-Mac-Table

The security team asks you to explain why this AP is classified as a rogue. What should you explain?

Options:

A.  

The AP is connected to your LAN because it is transmitting wireless traffic with your network's default gateway's MAC address as a source MAC. Because it does not belong to the company, it is a rogue.

B.  

The AP has a BSSID that matches authorized client MAC addresses. This indicates that the AP is spoofing the MAC address to gain unauthorized access to your company's wireless services, so it is a rogue.

C.  

The AP has been detected as launching a DoS attack against your company's default gateway. This qualifies it as a rogue which needs to be contained with wireless association frames immediately.

D.  

The AP is spoofing a router's MAC address as its BSSID. This indicates that, even though WIP cannot determine whether the AP is connected to your LAN, it is a rogue.

Questions 27

A company has Aruba Mobility Controllers (MCs), Aruba campus APs, and ArubaOS-Switches. The company plans to use ClearPass Policy Manager (CPPM) to classify endpoints by type. This company is using only CPPM and no other ClearPass solutions.

The ClearPass admins tell you that they want to use HTTP User-Agent strings to help classify endpoints.

What should you do as a part of configuring the ArubaOS-Switches to support this requirement?

Options:

A.  

Create a device fingerprinting policy that includes HTTP, and apply the policy to edge ports.

B.  

Create remote mirrors that collect traffic on edge ports, and mirror it to CPPM's IP address.

C.  

Configure CPPM as the sFlow collector, and make sure that sFlow is enabled on edge ports.

D.  

Connect the switches to CPPM's span ports, and set up mirroring of HTTP traffic on the switches.

Questions 28

You have been instructed to look in the ArubaOS Security Dashboard's client list. Your goal is to find clients that belong to the company and have connected to devices that might belong to hackers.

Which client fits this description?

Options:

A.  

MAC address: d8:50:e6:f3:70:ab; Client Classification: Interfering; AP Classification: Rogue

B.  

MAC address: d8:50:e6:f3:6e:c5; Client Classification: Interfering; AP Classification: Neighbor

C.  

MAC address: d8:50:e6:f3:6e:60; Client Classification: Interfering; AP Classification: Authorized

D.  

MAC address: d8:50:e6:f3:6d:a4; Client Classification: Authorized; AP Classification: Rogue

Questions 29

A company has an ArubaOS solution. The company wants to prevent users assigned to the "user_group1" role from using gaming and peer-to-peer applications.

What is the recommended approach for these requirements?

Options:

A.  

Make sure DPI is enabled, and add application rules that deny gaming and peer-to-peer applications to the "user_group1" role.

B.  

Create ALGs for the gaming and peer-to-peer applications, and deny the "user_group1" role on the ALGs.

C.  

Add access control rules to the "user_group1" role, which deny HTTP/HTTPS traffic to IP addresses associated with gaming and peer-to-peer applications.

D.  

Create service aliases for the TCP ports associated with gaming and peer-to-peer applications, and use those aliases in access control rules for the "user_group" rules.

Questions 30

A user is having trouble connecting to an AP managed by a standalone Mobility Controller (MC). What can you do to get detailed logs and debugs for that user's client?

Options:

A.  

In the MC CLI, set up a control plane packet capture and filter for the client's IP address.

B.  

In the MC CLI, set up a data plane packet capture and filter for the client's MAC address.

C.  

In the MC UI’s Traffic Analytics dashboard, look for the client's IP address.

D.  

In the MC UI’s Diagnostics > Logs pages, add a "user-debug" log setting for the client's MAC address.

Questions 31

Refer to the exhibit.

This company has ArubaOS-Switches. The exhibit shows one access layer switch, Switch-2, as an example, but the campus actually has more switches. The company wants to stop any internal users from exploiting ARP.

What is the proper way to configure the switches to meet these requirements?

Options:

A.  

On Switch-1, enable ARP protection globally, and enable ARP protection on all VLANs.

B.  

On Switch-2, make ports connected to employee devices trusted ports for ARP protection

C.  

On Switch-2, enable DHCP snooping globally and on VLAN 201 before enabling ARP protection

D.  

On Switch-2, configure static IP-to-MAC bindings for all end-user devices on the network

Questions 32

What is one practice that can help you to maintain a digital chain of custody in your network?

Options:

A.  

Enable packet capturing on Instant AP or Mobility Controller (MC) datapath on an ongoing basis.

B.  

Ensure that all network infrastructure devices use RADIUS rather than TACACS+ to authenticate managers.

C.  

Ensure that all network infrastructure devices receive a valid clock using authenticated NTP.

D.  

Enable packet capturing on Instant AP or Mobility Controller (MC) controlpath on an ongoing basis.

Questions 33

What is a guideline for creating certificate signing requests (CSRs) and deploying server certificates on ArubaOS Mobility Controllers (MCs)?

Options:

A.  

Create the CSR online using the MC Web UI if your company requires you to archive the private key.

B.  

If you create the CSR and public/private keypair offline, create a matching private key online on the MC.

C.  

Create the CSR and public/private keypair offline if you want to install the same certificate on multiple MCs.

D.  

Generate the private key online, but the public key and CSR offline, to install the same certificate on multiple MCs.

Questions 34

Refer to the exhibit.

You need to ensure that only management stations in subnet 192.168.1.0/24 can access the ArubaOS-Switches' CLI, Web UI, and REST interfaces. The company also wants to let managers use these stations to access other parts of the network. What should you do?

Options:

A.  

Establish a Control Plane Policing class that selects traffic from 192.168.1.0/24.

B.  

Specify 192.168.1.0 255.255.255.0 as authorized IP manager address

C.  

Configure the switch to listen for these protocols on OOBM only.

D.  

Specify vlan 100 as the management vlan for the switches.

Questions 35

What is one way that Control Plane Security (CPSec) enhances security for the network?

Options:

A.  

It protects management traffic between APs and Mobility Controllers (MCs) from eavesdropping.

B.  

It prevents Denial of Service (DoS) attacks against Mobility Controllers' (MCs') control plane.

C.  

It protects wireless clients' traffic, tunneled between APs and Mobility Controllers, from eavesdropping.

D.  

It prevents access from unauthorized IP addresses to critical services, such as SSH, on Mobility Controllers (MCs).

Questions 36

Which is a correct description of a stage in the Lockheed Martin kill chain?

Options:

A.  

In the weaponization stage, which occurs after malware has been delivered to a system, the malware executes its function.

B.  

In the exploitation and installation phases, malware creates a backdoor into the infected system for the hacker.

C.  

In the reconnaissance stage, the hacker assesses the impact of the attack and how much information was exfiltrated.

D.  

In the delivery stage, malware collects valuable data and delivers or exfiltrates it to the hacker.

Questions 37

A company with 382 employees wants to deploy an open WLAN for guests. The company wants the experience to be as follows:

The company also wants to provide encryption for the network for devices that are capable. Which security options should you implement for the WLAN?

Options:

A.  

WPA3-Personal and MAC-Auth

B.  

Captive portal and WPA3-Personal

C.  

Captive portal and Opportunistic Wireless Encryption (OWE) in transition mode

D.  

Opportunistic Wireless Encryption (OWE) and WPA3-Personal

Questions 38

Refer to the exhibit.

How can you use the thumbprint?

Options:

A.  

Install this thumbprint on management stations to use as two-factor authentication along with manager usernames and passwords; this will ensure managers connect from valid stations.

B.  

Copy the thumbprint to other Aruba switches to establish a consistent SSH key for all switches; this will enable managers to connect to the switches securely with less effort.

C.  

When you first connect to the switch with SSH from a management station, make sure that the thumbprint matches to ensure that a man-in-the-middle (MITM) attack is not occurring.

D.  

Install this thumbprint on management stations; the stations can then authenticate with the thumbprint instead of admins having to enter usernames and passwords.

Questions 39

What is a key feature of the ArubaOS firewall?

Options:

A.  

The firewall is stateful, which means that it can track client sessions and automatically allow return traffic for permitted sessions.

B.  

The firewall includes application layer gateways (ALGs), which it uses to filter Web traffic based on the reputation of the destination web site.

C.  

The firewall examines all traffic at Layer 2 through Layer 4 and uses source IP addresses as the primary way to determine how to control traffic.

D.  

The firewall is designed to filter traffic primarily based on wireless 802.11 headers, making it ideal for mobility environments.

Questions 40

A company has HPE Aruba Networking Mobility Controllers (MCs), campus APs, and AOS-CX switches. The company plans to use HPE Aruba Networking ClearPass Policy Manager (CPPM) to classify endpoints by type. This company is using only CPPM and no other HPE Aruba Networking ClearPass solutions.

The HPE Aruba Networking ClearPass admins tell you that they want to use HTTP User-Agent strings to help profile the endpoints.

What should you do as a part of setting up Mobility Controllers (MCs) to support this requirement?

Options:

A.  

Create datapath mirrors that use the CPPM's IP address as the destination.

B.  

Create an IF-MAP profile, which specifies credentials for an API admin account on CPPM.

C.  

Create control path mirrors to mirror HTTP traffic from clients to CPPM.

D.  

Create a firewall whitelist rule that permits HTTP and CPPM's IP address.

Questions 41

You are checking the Security Dashboard in the Web UI for your ArubaOS solution and see that Wireless Intrusion Prevention (WIP) has discovered a rogue radio operating in ad hoc mode with open security. What correctly describes a threat that the radio could pose?

Options:

A.  

It could open a backdoor into the corporate LAN for unauthorized users.

B.  

It is running in a non-standard 802.11 mode and could effectively jam the wireless signal.

C.  

It is flooding the air with many wireless frames in a likely attempt at a DoS attack.

D.  

It could be attempting to conceal itself from detection by changing its BSSID and SSID frequently.

Questions 42

What is one difference between EAP-Tunneled Layer Security (EAP-TLS) and Protected EAP (PEAP)?

Options:

A.  

EAP-TLS creates a TLS tunnel for transmitting user credentials, while PEAP authenticates the server and supplicant during a TLS handshake.

B.  

EAP-TLS requires the supplicant to authenticate with a certificate, but PEAP allows the supplicant to use a username and password.

C.  

EAP-TLS begins with the establishment of a TLS tunnel, but PEAP does not use a TLS tunnel as part of its process.

D.  

EAP-TLS creates a TLS tunnel for transmitting user credentials securely while PEAP protects user credentials with TKIP encryption.

Questions 43

What is one way that WPA3-Personal enhances security when compared to WPA2-Personal?

Options:

A.  

WPA3-Personal is more secure against password leaking because all users have their own username and password.

B.  

WPA3-Personal prevents eavesdropping on other users' wireless traffic by a user who knows the passphrase for the WLAN.

C.  

WPA3-Personal is more resistant to passphrase cracking because it requires passphrases to be at least 12 characters.

D.  

WPA3-Personal is more complicated to deploy because it requires a backend authentication server

Questions 44

Which is a correct description of a stage in the Lockheed Martin kill chain?

Options:

A.  

In the delivery stage, malware collects valuable data and delivers or exfiltrates it to the hacker.

B.  

In the reconnaissance stage, the hacker assesses the impact of the attack and how much information was exfiltrated.

C.  

In the weaponization stage, which occurs after malware has been delivered to a system, the malware executes its function.

D.  

In the exploitation and installation phases, malware creates a backdoor into the infected system for the hacker.

Questions 45

What is a consideration for implementing wireless containment in response to unauthorized devices discovered by ArubaOS Wireless Intrusion Detection (WIP)?

Options:

A.  

It is best practice to implement automatic containment of unauthorized devices to eliminate the need to locate and remove them.

B.  

Wireless containment only works against unauthorized wireless devices that connect to your corporate LAN, so it does not offer protection against Interfering APs.

C.  

Your company should consider legal implications before you enable automatic containment or implement manual containment.

D.  

Because wireless containment has a lower risk of targeting legitimate neighbors than wired containment, it is recommended in most use cases.

Questions 46

You are deploying a new wireless solution with an Aruba Mobility Master (MM), Aruba Mobility Controllers (MCs), and campus APs (CAPs). The solution will include a WLAN that uses Tunnel for the forwarding mode and WPA3-Enterprise for the security option.

You have decided to assign the WLAN to VLAN 301, a new VLAN. A pair of core routing switches will act as the default router for wireless user traffic.

Which links need to carry VLAN 301?

Options:

A.  

only links in the campus LAN to ensure seamless roaming

B.  

only links between MC ports and the core routing switches

C.  

only links on the path between APs and the core routing switches

D.  

only links on the path between APs and the MC

Questions 47

Refer to the exhibit, which shows the settings on the company’s MCs.

[Exhibit: Mobility Controller, Configuration, CPSec tab, "Control Plane Security" section with the settings "Enable CP Sec" and "Enable auto cert provisioning"; the values of the settings are not shown.]

You have deployed about 100 new Aruba 335-APs. What is required for the APs to become managed?

Options:

A.  

installing CA-signed certificates on the APs

B.  

installing self-signed certificates on the APs

C.  

approving the APs as authorized APs on the AP whitelist

D.  

configuring a PAPI key that matches on the APs and MCs

Questions 48

You are checking the Security Dashboard in the Web UI for your AOS solution and see that Wireless Intrusion Prevention (WIP) has discovered a rogue radio operating in ad hoc mode with open security. What correctly describes a threat that the radio could pose?

Options:

A.  

It could be attempting to conceal itself from detection by changing its BSSID and SSID frequently.

B.  

It could open a backdoor into the corporate LAN for unauthorized users.

C.  

It is running in a non-standard 802.11 mode and could effectively jam the wireless signal.

D.  

It is flooding the air with many wireless frames in a likely attempt at a DoS attack.

Questions 49

Device A is contacting https://arubapedia.arubanetworks.com. The web server sends a certificate chain. What does the browser do as part of validating the web server certificate?

Options:

A.  

It makes sure that the key in the certificate matches the key that DeviceA uses for HTTPS.

B.  

It makes sure the certificate has a DNS SAN that matches arubapedia.arubanetworks.com

C.  

It makes sure that the public key in the certificate matches DeviceA's private HTTPS key.

D.  

It makes sure that the public key in the certificate matches a private key stored on DeviceA.

Questions 50

You configure an ArubaOS-Switch to enforce 802.1X authentication with ClearPass Policy Manager (CPPM) defined as the RADIUS server. Clients cannot authenticate. You check Aruba ClearPass Access Tracker and cannot find a record of the authentication attempt.

What are two possible problems that have this symptom? (Select two)

Options:

A.  

Users are logging in with the wrong usernames and passwords or invalid certificates.

B.  

Clients are configured to use a mismatched EAP method from the one in the CPPM service.

C.  

The RADIUS shared secret does not match between the switch and CPPM.

D.  

CPPM does not have a network device defined for the switch's IP address.

E.  

Clients are not configured to trust the root CA certificate for CPPM's RADIUS/EAP certificate.
