ExamsBrite Dumps

Aruba Certified Network Security Professional Exam Question and Answers

Last Update May 31, 2026
Total Questions : 156

We are offering free HPE7-A02 HP exam questions. Just sign up, provide your details, and prepare with the free HPE7-A02 exam questions, then move on to the complete pool of Aruba Certified Network Security Professional Exam test questions for further practice.

Questions 1

A company wants to apply a standard configuration to all AOS-CX switch ports and have the ports dynamically adjust their configuration based on the identity of the user or device that connects. They want to centralize configuration of the identity-based settings as much as possible.

What should you recommend?

Options:

A.  

Having HPE Aruba Networking ClearPass Policy Manager (CPPM) send standard RADIUS AVPs to customize port settings

B.  

Having switches pull port configurations dynamically from HPE Aruba Networking Activate

C.  

Having switches download user-roles from HPE Aruba Networking gateways

D.  

Having switches download user-roles from HPE Aruba Networking ClearPass Policy Manager (CPPM)

Questions 2

A company requires a centralized audit trail for commands that managers enter on AOS-CX switches.

What can you set up on the switches to meet this requirement?

Options:

A.  

RADIUS start-stop and interim accounting with the port-access option

B.  

Command authorization to HPE Aruba Networking ClearPass Policy Manager (CPPM) acting as a TACACS+ server

C.  

SSH public key authentication for all managers who access the AOS-CX switches

D.  

Logging to a Syslog server with the severity set at error level

Questions 3

You have created this rule in an HPE Aruba Networking ClearPass Policy Manager (CPPM) service's enforcement policy: IF Authorization [Endpoints Repository] Conflict EQUALS true THEN apply "quarantine_profile"

What information can help you determine whether you need to configure cluster-wide profiler parameters to ignore some conflicts?

Options:

A.  

Whether the company has rare Internet of Things (IoT) devices

B.  

Whether some devices are incapable of captive portal or 802.1X authentication

C.  

Whether the company has devices that use PXE boot

D.  

Whether some devices are running legacy operating systems

Questions 4

The following firewall role is configured on HPE Aruba Networking Central-managed APs:

    wlan access-rule employees
    index 3
    rule any any match 17 67 67 permit
    rule any any match any 53 53 permit
    rule 10.5.5.0 255.255.255.0 match any any any deny
    rule 10.5.0.0 255.255.0.0 match 6 80 80 permit
    rule 10.5.0.0 255.255.0.0 match 6 443 443 permit
    rule 10.5.0.0 255.255.0.0 match any any any deny
    rule any any match any any any permit

A client has authenticated and been assigned to the employees role. The client has IP address 10.2.2.2. Which correctly describes behavior in this policy?

Options:

A.  

HTTPS traffic from 10.2.2.2 to 10.5.5.5 is denied.

B.  

HTTPS traffic from 10.2.2.2 to 203.0.113.12 is denied.

C.  

Traffic from 10.5.3.3 in an active HTTPS session between 10.2.2.2 and 10.5.3.3 is permitted.

D.  

Traffic from 198.51.100.12 in an active HTTP session between 10.2.2.2 and 198.51.100.12 is denied.

Questions 5

A company has HPE Aruba Networking Central-managed APs. The company wants to block all clients connected through the APs from using YouTube.

Which steps should you take?

Options:

A.  

Deploy gateways and have the APs tunnel traffic to the gateways. Then, enable the gateway IDS/IPS engine.

B.  

Enable Client IPS at the "custom" level, and then specify the check for YouTube.

C.  

Enable WebCC on all client firewall roles. Then, create WebCC category rules that deny suspicious URLs.

D.  

Enable DPI. Then, create application rules to deny YouTube on the firewall roles.

Questions 6

A company has AOS-CX switches and HPE Aruba Networking ClearPass Policy Manager (CPPM). The company wants switches to implement 802.1X authentication to CPPM and download user roles.

What is one task that you must complete on the switches to support this use case?

Options:

A.  

Specify CPPM as the RADIUS server with the exact CN in CPPM's HTTPS certificate.

B.  

Install the root CA certificate for CPPM's RADIUS certificate in a TA profile on the switches.

C.  

Configure empty user-roles with names that match enforcement profile names on CPPM.

D.  

Specify a ClearPass username and password that match the name and RADIUS secret in a CPPM network device entry.

Questions 7

A company wants you to integrate HPE Aruba Networking ClearPass Policy Manager (CPPM) with HPE Aruba Networking ClearPass Device Insight (CPDI).

What is one aspect of the integration that you should explain?

Options:

A.  

CPPM no longer supports any Device Profiler features and relies on CPDI for this profile information.

B.  

CPDI must be configured as an audit server on CPPM for the integration to be successful.

C.  

CPDI must have security analysis disabled on it for the integration to be successful.

D.  

CPPM can submit profile information to CPDI, but if CPDI derives a different classification, CPDI takes precedence.

Questions 8

A company wants to turn on Wireless IDS/IPS infrastructure and client detection at the high level on HPE Aruba Networking APs. The company does not want to enable any prevention settings.

What should you explain about HPE Aruba Networking recommendations?

Options:

A.  

HPE Aruba Networking recommends turning on both wired and wireless prevention whenever you enable detection at high.

B.  

HPE Aruba Networking recommends using hybrid AP mode, as opposed to Air Monitors (AMs), when implementing detection without prevention.

C.  

HPE Aruba Networking recommends disabling client detection when you configure infrastructure detection at high, as infrastructure detection includes all the client checks and more.

D.  

HPE Aruba Networking recommends configuring infrastructure and client detection at a custom level and disabling or tuning some of the settings that are likely to produce false positives.

Questions 9

(Note that the HPE Aruba Networking Central interface shown here might look slightly different from what you see in your HPE Aruba Networking Central interface as versions change; however, similar concepts continue to apply.)

An HPE Aruba Networking 9x00 gateway is part of an HPE Aruba Networking Central group that has the settings shown in the exhibit. What would cause the gateway to drop traffic as part of its IDPS settings?

Options:

A.  

Its site-to-site VPN connections failing

B.  

Traffic matching a rule in the active ruleset

C.  

Its IDPS engine failing

D.  

Traffic showing anomalous behavior

Questions 10

A company has HPE Aruba Networking infrastructure devices. The devices authenticate clients to HPE Aruba Networking ClearPass Policy Manager (CPPM). You want CPPM to track information about clients, such as their IP addresses and their network bandwidth utilization. What should you set up on the network infrastructure devices to help that happen?

Options:

A.  

Logging with CPPM configured as a Syslog server.

B.  

Dynamic authorization enabled in the RADIUS settings for CPPM.

C.  

RADIUS accounting to CPPM, including interim updates.

D.  

An IF-MAP interface with CPPM as the destination.

Questions 11

A company lacks visibility into the many different types of user and IoT devices deployed in its internal network, making it hard for the security team to address those devices.

Which HPE Aruba Networking solution should you recommend to resolve this issue?

Options:

A.  

HPE Aruba Networking ClearPass Device Insight (CPDI)

B.  

HPE Aruba Networking Network Analytics Engine (NAE)

C.  

HPE Aruba Networking Mobility Conductor

D.  

HPE Aruba Networking ClearPass OnBoard

Questions 12

Refer to the exhibit.

You are reviewing packets in Wireshark. The capture shows traffic from source IP address 10.1.14.10 to several destinations in the 10.1.15.0/24 network. The packets use TCP flags FIN, PSH, and URG together.

What can you interpret from the packets that you see here?

Options:

A.  

10.1.14.10 might be running a TCP port scan, but it may simply be trying to open TCP sessions with several destinations.

B.  

10.1.14.10 is almost certainly running a TCP port scan because this type of packet does not legitimately exist.

C.  

10.1.14.10 is launching a denial-of-service attack against Windows machines in 10.1.15.0/24.

D.  

10.1.14.10 is showing some signs of launching a DoS attack, but might simply be misconfigured.

Questions 13

A company wants you to create a custom device fingerprint on CPPM with rules for profiling a group of specialized devices. What is one requirement?

Options:

A.  

Connecting a known device of this type and getting it discovered in CPPM's Endpoints Repository.

B.  

Enabling HPE Aruba Networking ClearPass Device Insight integration with the correct Data Collector token.

C.  

Pre-defining the desired attributes and rules in an XML format file.

D.  

Disabling the "Automatically download Endpoint Profiler Fingerprints" feature in cluster-wide parameters.

Questions 14

A company wants to use HPE Aruba Networking ClearPass Onboard to issue certificates to BYOD devices. These certificates should be valid only for authenticating the company’s ClearPass cluster.

What type of Onboard CA should you set up?

Options:

A.  

Intermediate CA with EST disabled

B.  

Intermediate CA with EST enabled

C.  

Root CA

D.  

Registration authority

Questions 15

Refer to the exhibit.

You have verified that AOS-CX Switch-1 has constructed an IP-to-MAC binding table in VLANs 10-19. Now you need to enable ARP inspection for the endpoint connected to Switch-1. What must you do first to prevent traffic disruption?

Options:

A.  

Configure ARP inspection on VLANs 10-19 on Switch-2.

B.  

Configure DHCP snooping on VLANs 10-19 on Switch-2.

C.  

Configure Switch-1 uplinks as trusted ARP inspection ports.

D.  

Create a static IP-to-MAC binding on Switch-1 for the DHCP server.

Questions 16

A company is using HPE Aruba Networking Central SD-WAN Orchestrator to establish a hub-spoke VPN between branch gateways (BGWs) at 1164 sites and VPNCs at multiple data centers. What is part of the configuration that admins need to complete?

Options:

A.  

In VPNCs’ groups, establish VPN pools to control which branches connect to which VPNCs.

B.  

In BGWs’ and VPNCs’ groups, create default IKE policies for the SD-WAN Orchestrator to use.

C.  

In BGWs’ groups, select the VPNCs to which to connect in a DC preference list.

D.  

At the global level, create default IPsec policies for the SD-WAN Orchestrator to use.

Questions 17

What is one use case for implementing user-based tunneling (UBT) on AOS-CX switches?

Options:

A.  

Centralizing the distribution of wired traffic without requiring HPE Aruba Networking gateways

B.  

Tunneling traffic directly to a third-party firewall in a client data center

C.  

Adding 802.1X while continuing to use the existing VLAN and ACL structure in the Ethernet network

D.  

Applying enhanced security features such as deep packet inspection (DPI) to wired traffic

Questions 18

A company wants to implement Virtual Network based Tunneling (VNBT) on a particular group of users and assign those users to an overlay network with VNI 3000.

Assume that an AOS-CX switch is already set up to:

    Implement 802.1X to HPE Aruba Networking ClearPass Policy Manager (CPPM)

    Participate in an EVPN VXLAN solution that includes VNI 3000

Which setting should you configure in the users' AOS-CX role to apply VNBT to them when they connect?

Options:

A.  

Gateway zone set to "3000" with no gateway role set

B.  

Gateway zone set to "vni-3000" with no gateway role set

C.  

Access VLAN set to the VLAN mapped to VNI 3000

D.  

Access VLAN ID set to "3000"

Questions 19

Refer to the exhibits.

HPE Aruba Networking ClearPass Policy Manager (CPPM) is authenticating 802.1X clients using Active Directory as the source. CPPM has a custom attribute for AD that uses AccountStatus as userAccountControl.

Which enforcement profile does CPPM apply to a client that:

    Succeeds in authenticating to an active AD user account: userAccountControl = 512

    Does not succeed at authenticating as a computer

Options:

A.  

profile3

B.  

profile1

C.  

Deny Access Profile

D.  

profile2

Questions 20

A company is using HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application). You have identified a device, which is currently classified as one type, but you want to classify it as a custom type. You also want to classify all devices with similar attributes as this type, both already-discovered devices and new devices discovered later.

What should you do?

Options:

A.  

Create a user tag from the Generic Devices page, select the desired attributes for the tag, and save the tag.

B.  

In the device details, select reclassify, create a user rule based on its attributes, and choose "Save & Reclassify."

C.  

In the device details, select filter, create a user tag based on the device attributes, and save the tag.

D.  

Create a user rule from the Generic Devices page, select the desired attributes for the rule, and choose "Save."

Questions 21

You are configuring the HPE Aruba Networking ClearPass Device Insight Integration settings on ClearPass Policy Manager (CPPM). For which use case should you set the "Tag Updates Action" to "apply for all tag updates"?

Options:

A.  

When the Device Insight integration poll interval is set to a relatively long interval but you still want CPPM to be informed quickly about devices' new tags.

B.  

When Device Insight tags are only used to identify dangerous devices, and you want to disconnect those devices without having to set up new rules in enforcement policies.

C.  

When CPPM is gathering posture information for CPDI, and you want CPDI to always have access to the most up-to-date information.

D.  

When you plan to have CPPM issue CoAs for clients with new tags, but do not want to have to list those specific tags in the Device Integration settings in advance.

Questions 22

A company uses HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application option). In the details for a generic device cluster, you see a recommendation for "Windows 8/10" with 70% accuracy.

What does this mean?

Options:

A.  

CPDI has detected that these devices match about 70% of the system rule for defining "Windows 8/10" devices.

B.  

CPDI has matched these devices against several, conflicting system rules. 70% of those rules are for "Windows 8/10" devices.

C.  

CPDI has grouped this cluster with similar classified devices. 70% of those classified devices are "Windows 8/10."

D.  

CPDI has used MAC OUI to group these devices together. The average device's MAC address matches 70% of the "Windows 8/10" OUI.

Questions 23

A company has HPE Aruba Networking APs, which authenticate users to HPE Aruba Networking ClearPass Policy Manager (CPPM).

What does HPE Aruba Networking recommend as the preferred method for assigning clients to a role on the AOS firewall?

Options:

A.  

Configure CPPM to assign the role using a RADIUS enforcement profile with a RADIUS:IETF Username attribute.

B.  

Configure CPPM to assign the role using a RADIUS enforcement profile with an Aruba-User-Role VSA.

C.  

Create server rules on the APs to assign clients to roles based on RADIUS IETF attributes returned by CPPM.

D.  

Create user rules on the APs to assign clients to roles based on a variety of criteria.

Questions 24

A company needs you to integrate HPE Aruba Networking ClearPass Policy Manager (CPPM) with HPE Aruba Networking ClearPass Device Insight (CPDI). What is one task you should do to prepare?

Options:

A.  

Install the root CA for CPPM’s HTTPS certificate as trusted in the CPDI application.

B.  

Enable Insight in the CPPM server configuration settings.

C.  

Configure WMI, SSH, and SNMP external accounts for device scanning on CPPM.

D.  

Collect a Data Collector token from HPE Aruba Networking Central.

Questions 25

A company is using HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application). In the CPDI security settings, Security Analysis is On, the Data Source is ClearPass Device Insight, and Enable Posture Assessment is On. You see that a device has a Risk Score of 90.

What can you know from this information?

Options:

A.  

The posture is unknown, and CPDI has detected exactly four vulnerabilities on the device.

B.  

The posture is healthy, but CPDI has detected multiple vulnerabilities on the device.

C.  

The posture is unhealthy, and CPDI has also detected at least one vulnerability on the device.

D.  

The posture is unhealthy, but CPDI has not detected any vulnerabilities on the device.

Questions 26

A company uses HPE Aruba Networking ClearPass Policy Manager (CPPM) as a TACACS+ server to authenticate managers on its AOS-CX switches. The company wants CPPM to control which commands managers are allowed to enter. You see there is no field to enter these commands in ClearPass.

How do you start configuring the command list on CPPM?

Options:

A.  

Add the Shell service to the managers' TACACS+ enforcement profiles.

B.  

Edit the TACACS+ settings in the AOS-CX switches' network device entries.

C.  

Create an enforcement policy with the TACACS+ type.

D.  

Edit the settings for CPPM's default TACACS+ admin roles.

Questions 27

A company has AOS-CX switches, which authenticate clients to HPE Aruba Networking ClearPass Policy Manager (CPPM). CPPM is set up to receive a variety of information about clients' profile and posture. New information can mean that CPPM should change a client's enforcement profile. What should you set up on the switches to help the solution function correctly?

Options:

A.  

Enable RADIUS accounting to CPPM, including interim RADIUS accounting.

B.  

Configure a RADIUS track that references CPPM's FQDN or IP address.

C.  

Enable dynamic authorization, and specify CPPM as a dynamic authorization client.

D.  

Re-configure the authentication server on the switch specifying CPPM as a TACACS server.

Questions 28

Which use case is fulfilled by applying a time range to a firewall rule on an AOS device?

Options:

A.  

Enforcing the rule only during the specified time range

B.  

Tuning the session timeout for sessions established with this rule

C.  

Locking clients that violate the rule for the specified time range

D.  

Setting the time range over which hit counts for the rule are aggregated

Questions 29

A company has HPE Aruba Networking APs and AOS-CX switches. The APs bridge wireless traffic. They receive DHCP IP addresses on VLAN 18. Wireless users are assigned to VLAN 12.

The company wants the APs to start using 802.1X authentication on their switch ports. You are configuring the port-access role to which the APs are assigned after authentication.

What is one recommended setting for that role?

Options:

A.  

No trust for DSCP

B.  

Trust for DSCP

C.  

Auth-mode left at client-mode

D.  

Access VLAN 18 with no support for VLAN 12

Questions 30

A company wants HPE Aruba Networking ClearPass Policy Manager (CPPM) to respond to Syslog messages from its Check Point firewall. You have added the firewall as an event source and set up an event service. However, test Syslog messages are not triggering the expected actions.

What is one CPPM setting that you should check?

Options:

A.  

ClearPass Device Insight integration is disabled.

B.  

The Check Point Extension is installed through ClearPass Guest.

C.  

The CoA delay value is set to 0 on the server.

D.  

Ingress Event Dictionaries for Check Point messages are enabled.

Questions 31

A company is implementing a client-to-site VPN based on tunnel-mode IPsec.

Which devices are responsible for the IPsec encapsulation?

Options:

A.  

Gateways at the remote clients' locations and devices accessed by the clients at the main site

B.  

The remote clients and devices accessed by the clients at the main site

C.  

The remote clients and a gateway at the main site

D.  

Gateways at the remote clients' locations and a gateway at the main site

Questions 32

What can help justify the extra cost of air monitors (AMs) to a company?

Options:

A.  

AMs support tarpit containment, which introduces fewer legal issues than deauthentication containment.

B.  

AMs can support wireless clients when they are not actively containing a device, so companies benefit from better security and connectivity.

C.  

AMs support additional IDS/IPS features, such as malware and Trojan detection, to enhance overall security.

D.  

AMs can detect wireless threats much faster than hybrid APs, reducing the company’s vulnerability surface.

Questions 33

A company has HPE Aruba Networking APs running AOS-10 and managed by HPE Aruba Networking Central. The company also has AOS-CX switches. The security team wants you to capture traffic from a particular wireless client. You should capture this client’s traffic over a 15-minute time period and then send the traffic to them in a PCAP file. What should you do?

Options:

A.  

Access the CLI for the client’s AP. Set up a mirroring session between its radio and a management station running Wireshark.

B.  

Go to the client’s AP in HPE Aruba Networking Central. Use the "Security" page to run a packet capture.

C.  

Go to that client in HPE Aruba Networking Central. Use the "Live Events" page to run a packet capture.

D.  

Access the CLI for the client’s AP’s switch. Set up a mirroring session between the AP’s port and a management station running Wireshark.

Questions 34

You are setting up HPE Aruba Networking SSE. Which use case requires you to apply a non-default device posture in a rule?

Options:

A.  

Applying threat inspection to users when they access certain websites

B.  

Checking whether a client has antivirus software as a condition for receiving access to resources

C.  

Redirecting compromised clients to a remediation server

D.  

Integrating with HPE Aruba Networking ClearPass OnGuard

Questions 35

What is a typical use case for using HPE Aruba Networking ClearPass Onboard to provision devices?

Options:

A.  

Enabling unmanaged devices to succeed at certificate-based 802.1X

B.  

Enabling managed Windows domain computers to succeed at certificate-based 802.1X

C.  

Enhancing security for IoT devices that need to authenticate with MAC-Auth

D.  

Enforcing posture-based assessment on managed Windows domain computers

Questions 36

What is one benefit of integrating HPE Aruba Networking ClearPass Policy Manager (CPPM) with third-party solutions such as Mobility Device Management (MDM) and firewalls?

Options:

A.  

CPPM can exchange contextual information about clients with third-party solutions, which helps make better decisions.

B.  

CPPM can make the third-party solutions more secure by adding signature-based threat detection capabilities.

C.  

CPPM can offload policy decisions to the third-party solutions, enabling CPPM to respond to authentication requests more quickly.

D.  

CPPM can take over filtering internal traffic so that the third-party solutions have more processing power to devote to filtering external traffic.

Questions 37

A company has HPE Aruba Networking APs managed by HPE Aruba Networking Central. You have set up a WLAN to enforce WPA3 with 802.1X authentication.

What happens if the client fails authentication?

Options:

A.  

The AP assigns the client to the WLAN's default role.

B.  

The AP drops the client because authentication aborts.

C.  

The AP assigns the client to the WLAN's critical role.

D.  

The AP assigns the client to the WLAN's initial role.

Questions 38

Which issue can an HPE Aruba Networking Secure Web Gateway (SWG) solution help customers address?

Options:

A.  

The organization needs a faster way to quarantine clients that have generated threats, as detected by third-party firewalls.

B.  

Hybrid workers are exposing their computers to risky internet sites and infection by malware when they work from home.

C.  

Remote workers need access to private data center applications without exposing those applications to unauthorized users.

D.  

The organization currently has no way to prevent users from exfiltrating sensitive data from SaaS applications.

Questions 39

You manage AOS-10 APs with HPE Aruba Networking Central. A role is configured on these APs with these rules (in order):

Allow UDP on port 67 to any destination

Allow any to network 10.1.4.0/23

Deny any to network 10.1.0.0/18 + log

Deny any to network 10.0.0.0/8

Allow any to any destination

You add this new rule immediately before rule 4:

Deny SSH to network 10.1.0.0/21 + denylist

After this change, what happens when a client assigned to this role sends SSH traffic to 10.1.7.12?

Options:

A.  

The traffic is permitted

B.  

The traffic is dropped and logged

C.  

The traffic is dropped, and the client is denylisted

D.  

The traffic is dropped (without any logging or further action against the client)

Questions 40

You are deploying a virtual Data Collector for use with HPE Aruba Networking ClearPass Device Insight (CPDI). You have identified VLAN 101 in the data center as the VLAN to which the Data Collector should connect to receive its IP address and connect to HPE Aruba Networking Central.

Which Data Collector virtual ports should you tell the virtual admins to connect to VLAN 101?

Options:

A.  

The one with the lowest MAC address

B.  

The one with the highest port ID

C.  

The one with the highest MAC address

D.  

The one with the lowest port ID

Questions 41

A company has AOS-CX switches and HPE Aruba Networking ClearPass Policy Manager (CPPM). The company wants switches to implement 802.1X authentication to CPPM and download user roles. What is one task that you must complete on CPPM to support this use case?

Options:

A.  

Export roles on CPPM to a file that uses XML format.

B.  

Create an admin account for the switch on CPPM with the HPE Aruba Networking User Role Download privilege level.

C.  

Configure RADIUS enforcement profiles that specify the HPE-User-Role VSA.

D.  

Upload the switch TPM certificate as a trusted CA certificate with the Others usage.

Questions 42

HPE Aruba Networking ClearPass Device Insight (CPDI) could not classify some endpoints using system and user rules. Using machine learning, it did assign those endpoints to a cluster and discover a recommendation. In which of these circumstances does CPDI automatically classify the endpoints based on that recommendation?

Options:

A.  

The recommendation has 96% confidence, and it is based on 13 classified devices.

B.  

The recommendation has 98% confidence, and it is based on 5 classified devices.

C.  

The recommendation has 93% confidence, and it is based on 36 classified devices.

D.  

The recommendation has 100% confidence, and it is based on 4 classified devices.

Questions 43

A company is using HPE Aruba Networking ClearPass Policy Manager (CPPM) and HPE Aruba Networking ClearPass Device Insight (CPDI). CPDI and CPPM are integrated. The security staff wants you to show them a list of all devices that are contacting a specific known command-and-control center.

What should you do?

Options:

A.  

In CPPM’s Access Tracker, filter for that destination.

B.  

Use ClearPass Insight to run an Active Endpoint Security report.

C.  

In CPDI, look in Generic Device clusters based on that destination.

D.  

In CPDI, filter for that destination and save the filter as a tag.

Questions 44

You are setting up policy rules in HPE Aruba Networking SSE. You want to create a single rule that permits users in a particular user group to access multiple applications. What is an easy way to meet this need?

Options:

A.  

Associate the applications directly with the IdP used to authenticate the users; choose any for the destination in the policy rule.

B.  

Apply the same tag to the applications; select the tag as a destination in the policy rule.

C.  

Place all the applications in the same connector zone; select that zone as a destination in the policy rule.

D.  

Select the applications within a non-default web profile; select that profile in the policy rule.

Questions 45

An AOS-CX switch has been configured to implement UBT to two HPE Aruba Networking gateways that implement VRRP on the users' VLAN. What correctly describes how the switch tunnels UBT users' traffic to those gateways?

Options:

A.  

The switch always sends the users' traffic to the VRRP master.

B.  

The switch always sends all users' traffic to the primary gateway configured in the UBT zone.

C.  

The switch always load shares the users' traffic across both gateways.

D.  

The switch always sends all users' traffic to the gateway assigned as the active device designated gateway.

Questions 46

A company has AOS-CX switches managed by HPE Aruba Networking Central. The network infrastructure devices authenticate clients to HPE Aruba Networking ClearPass Policy Manager (CPPM), which is integrated with HPE Aruba Networking ClearPass Device Insight (CPDI). You have seen suspicious activity on a client connected to one of the switches. To investigate the client’s activity further, you need to know all of the IP addresses that it has used in the past two weeks.

Where can you find this information collected together?

Options:

A.  

In CPPM’s Device Profiler dashboard

B.  

In HPE Aruba Networking Central’s Audit Trail for the client’s switch

C.  

In the logs stored on the client’s switch

D.  

In CPDI’s History tab for the client
