You have been instructed to look in an AOS Security Dashboard's client list. Your goal is to find clients that belong to the company and have connected to devices that might belong to hackers. Which client fits this description?
Correct Answer: A
The AOS Security Dashboard in an AOS-8 solution (Mobility Controllers or Mobility Master) provides a client list through its Wireless Intrusion Prevention (WIP) system, showing the classification of clients and the APs they are connected to. The goal is to identify clients that belong to the company (Authorized clients) and have connected to devices that might belong to hackers (rogue or suspected rogue APs).
Client Classification:
Authorized: A client that has successfully authenticated to an authorized AP and is part of the company's network (e.g., an employee device).
Interfering: A client that is not authenticated to the company's network and is considered external or potentially malicious.
AP Classification:
Authorized: An AP that is part of the company's network and managed by the MC.
Suspected Rogue: An AP that is not authorized and is suspected of being malicious, often because it exhibits suspicious behavior (e.g., a BSSID close to an authorized AP, indicating potential spoofing).
Neighbor: An AP that is not part of the company's network but is not connected to the wired network (e.g., a nearby AP from another organization).
Interfering: An AP that is not part of the company's network and may be causing interference, but is not necessarily malicious.
The requirement is to find a client that is Authorized (belongs to the company) and connected to a Suspected Rogue AP (might belong to hackers).
Option A: MAC address: d8:50:e6:f3:6d:a4; Client Classification: Authorized; AP Classification: Suspected Rogue. This client is classified as "Authorized," meaning it belongs to the company, and it is connected to a "Suspected Rogue" AP, which might belong to hackers. This matches the requirement perfectly.
Option B: MAC address: d8:50:e6:f3:6e:c5; Client Classification: Interfering; AP Classification: Neighbor. This client is "Interfering" (not a company client) and connected to a "Neighbor" AP, which is not considered a hacker's device (it's just a nearby AP).
Option C: MAC address: d8:50:e6:f3:6e:60; Client Classification: Interfering; AP Classification: Interfering. This client is "Interfering" (not a company client) and connected to an "Interfering" AP, which is not necessarily a hacker's device (it may just be causing interference).
Option D: MAC address: d8:50:e6:f3:70:ab; Client Classification: Interfering; AP Classification: Suspected Rogue. This client is "Interfering" (not a company client), although it is connected to a "Suspected Rogue" AP. It does not meet the requirement of being a company client.
The HPE Aruba Networking AOS-8 8.11 User Guide states: "The Security Dashboard's client list in ArubaOS shows the classification of each client and the AP it is connected to. An 'Authorized' client is one that has successfully authenticated to an authorized AP and is part of the company's network. A 'Suspected Rogue' AP is an unauthorized AP that exhibits suspicious behavior, such as a BSSID close to an authorized AP, indicating potential spoofing by a hacker. To identify security risks, look for authorized clients connected to suspected rogue APs, as this may indicate a company device has connected to a malicious AP." (Page 415, Security Dashboard Section)
Additionally, the HPE Aruba Networking Security Guide notes: "WIP classifies clients as 'Authorized' if they have authenticated to an authorized AP managed by the controller. A 'Suspected Rogue' AP is a potential threat, as it may be attempting to mimic a legitimate AP to lure clients. Identifying authorized clients connected to suspected rogue APs is critical for detecting potential attacks, such as man-in-the-middle attempts by hackers." (Page 78, WIP Classifications Section)
References: HPE Aruba Networking AOS-8 8.11 User Guide, Security Dashboard Section, Page 415. HPE Aruba Networking Security Guide, WIP Classifications Section, Page 78.
Question 47
Refer to the exhibit. You are deploying a new HPE Aruba Networking Mobility Controller (MC), which is enforcing authentication to HPE Aruba Networking ClearPass Policy Manager (CPPM). The authentication is not working correctly, and you find the error shown in the exhibit in the CPPM Event Viewer. What should you check?
Correct Answer: A
The exhibit shows an error in the CPPM Event Viewer: "RADIUS authentication attempt from unknown NAD 10.1.10.8:1812." This indicates that a new HPE Aruba Networking Mobility Controller (MC) is attempting to send RADIUS authentication requests to HPE Aruba Networking ClearPass Policy Manager (CPPM), but CPPM does not recognize the MC as a Network Access Device (NAD), resulting in the authentication failure.
Unknown NAD Error: In CPPM, a NAD is a device (e.g., an MC, switch, or AP) that sends RADIUS requests to CPPM for authentication. Each NAD must be configured in CPPM with its IP address and a shared secret. The error "unknown NAD 10.1.10.8:1812" means that the IP address 10.1.10.8 (the source IP of the MC's RADIUS request) is not listed as a NAD in CPPM's configuration, so CPPM rejects the request.
Option A, "That the IP address that the MC is using to reach CPPM matches the one defined for the device on CPPM," is correct. You need to check that the MC's IP address (10.1.10.8) is correctly configured as a NAD in CPPM. In CPPM, go to Configuration > Network > Devices, and verify that a NAD entry exists for 10.1.10.8. If the IP address does not match (e.g., due to NAT, a different interface, or a misconfiguration), CPPM will reject the request as coming from an unknown NAD.
Option B, "That the MC has valid admin credentials configured on it for logging into the CPPM," is incorrect. Admin credentials on the MC are used for management access (e.g., SSH, web UI), not for RADIUS authentication. RADIUS communication between the MC and CPPM uses a shared secret, not admin credentials.
Option C, "That the MC has been added as a domain machine on the Active Directory domain with which CPPM is synchronized," is incorrect. Adding the MC as a domain machine in Active Directory (AD) is relevant only if the MC itself is authenticating users against AD (e.g., for machine authentication), but this is not required for the MC to act as a NAD sending RADIUS requests to CPPM.
Option D, "That the shared secret configured for the CPPM authentication server matches the one defined for the device on CPPM," is incorrect in this context. While a shared secret mismatch would cause authentication failures, it would not result in an "unknown NAD" error. The "unknown NAD" error occurs before the shared secret is checked, as CPPM does not recognize the IP address as a valid NAD.
The HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide states: "The error 'RADIUS authentication attempt from unknown NAD <IP-address>' in the Event Viewer indicates that the IP address of the device sending the RADIUS request (e.g., a Mobility Controller) is not configured as a Network Access Device (NAD) in ClearPass. To resolve this, go to Configuration > Network > Devices in the CPPM UI, and ensure that the IP address of the device (e.g., 10.1.10.8) is added as a NAD with the correct shared secret. The IP address used by the device to reach CPPM must match the one defined in the NAD configuration." (Page 302, Troubleshooting RADIUS Issues Section)
Additionally, the HPE Aruba Networking AOS-8 8.11 User Guide notes: "When configuring a Mobility Controller to use ClearPass as a RADIUS server, ensure that the MC's IP address is added as a NAD in ClearPass. If ClearPass logs an 'unknown NAD' error, verify that the IP address the MC uses to send RADIUS requests (e.g., the source IP of the request) matches the IP address configured in ClearPass under Configuration > Network > Devices." (Page 498, Configuring RADIUS Authentication Section)
References: HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide, Troubleshooting RADIUS Issues Section, Page 302. HPE Aruba Networking AOS-8 8.11 User Guide, Configuring RADIUS Authentication Section, Page 498.
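The order of checks described above (NAD lookup by source IP first, shared secret second) can be modelled in a few lines. This is an added example, not ClearPass code: the NAD table, the 10.1.20.8 address, the secrets, the stand-in packet and the "shared secret mismatch" message text are all constructed for illustration; only 10.1.10.8:1812 and the "unknown NAD" message come from the exhibit.

```python
import hashlib
import hmac
import ipaddress

def message_authenticator(secret: bytes, packet: bytes) -> bytes:
    # RADIUS Message-Authenticator is an HMAC-MD5 keyed with the shared secret
    # (RFC 2869); here it is computed over a constructed stand-in packet.
    return hmac.new(secret, packet, hashlib.md5).digest()

def lookup_nad(source_ip: str, nads: dict):
    """Return the (spec, secret) whose IP or subnet covers source_ip, else None."""
    addr = ipaddress.ip_address(source_ip)
    for spec, secret in nads.items():
        if addr in ipaddress.ip_network(spec, strict=False):
            return spec, secret
    return None

def handle_request(source_ip, port, packet, auth, nads) -> str:
    """Simplified server-side order of checks: NAD lookup first, secret second."""
    entry = lookup_nad(source_ip, nads)
    if entry is None:
        # No entry means there is no secret to verify with, so it is never tested.
        return f"RADIUS authentication attempt from unknown NAD {source_ip}:{port}"
    _, secret = entry
    if not hmac.compare_digest(auth, message_authenticator(secret, packet)):
        return f"shared secret mismatch for NAD {source_ip}"  # constructed wording
    return "request accepted for policy evaluation"

# Constructed data: the MC was registered under a different interface address
# (10.1.20.8, hypothetical) than the one it actually sources RADIUS from.
PACKET = b"Access-Request user=alice"  # stand-in, not a real RADIUS encoding
MC_SECRET = b"constructed-secret"
NADS_BEFORE = {"10.1.20.8": MC_SECRET}
NADS_AFTER = {"10.1.20.8": MC_SECRET, "10.1.10.8": MC_SECRET}

def demo():
    good = message_authenticator(MC_SECRET, PACKET)
    bad = message_authenticator(b"wrong-secret", PACKET)
    return [
        handle_request("10.1.10.8", 1812, PACKET, good, NADS_BEFORE),  # right secret
        handle_request("10.1.10.8", 1812, PACKET, bad, NADS_BEFORE),   # wrong secret
        handle_request("10.1.10.8", 1812, PACKET, bad, NADS_AFTER),
        handle_request("10.1.10.8", 1812, PACKET, good, NADS_AFTER),
    ]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The first two results are identical whether the secret is right or wrong, which is why the secret (Option D) is not the thing to check while the log still says "unknown NAD".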
Question 48
You have an Aruba Mobility Controller (MC), for which you are already using Aruba ClearPass Policy Manager (CPPM) to authenticate access to the Web UI with usernames and passwords. You now want to enable managers to use certificates to log in to the Web UI. CPPM will continue to act as the external server to check the names in managers' certificates and tell the MC the managers' correct role. In addition to enabling certificate authentication, what is a step that you should complete on the MC?
Correct Answer: B
Question 49
Your AOS solution has detected a rogue AP with Wireless Intrusion Prevention (WIP). Which information about the detected radio can best help you to locate the rogue device?
Correct Answer: A
In an HPE Aruba Networking AOS-8 solution, the Wireless Intrusion Prevention (WIP) system is used to detect and classify rogue Access Points (APs). When a rogue AP is detected, the AOS system provides various pieces of information about the detected radio, such as the SSID, BSSID, match method, match type, confidence level, and the devices that detected the rogue AP. The goal is to locate the physical rogue device, which requires identifying its approximate location in the network environment.
Option A, "The detecting devices," is correct. The "detecting devices" refer to the authorized APs or radios that detected the rogue AP's signal. This information is critical for locating the rogue device because it provides the physical locations of the detecting APs. By knowing which APs detected the rogue AP and their signal strength (RSSI) readings, you can triangulate the approximate location of the rogue AP. For example, if AP-1 in Building A and AP-2 in Building B both detect the rogue AP, and AP-1 reports a stronger signal, the rogue AP is likely closer to AP-1 in Building A.
Option B, "The match method," is incorrect. The match method (e.g., "Plus one," "Eth-Wired-Mac-Table") indicates how the rogue AP was classified (e.g., based on a BSSID close to a known MAC or its presence on the wired network). While this helps understand why the AP was classified as rogue, it does not directly help locate the physical device.
Option C, "The confidence level," is incorrect. The confidence level indicates the likelihood that the AP is correctly classified as rogue (e.g., 90% confidence). This is useful for assessing the reliability of the classification but does not provide location information.
Option D, "The match type," is incorrect. The match type (e.g., "Rogue," "Suspected Rogue") specifies the category of the classification. Like the match method, it helps understand the classification but does not aid in physically locating the device.
The HPE Aruba Networking AOS-8 8.11 User Guide states: "When a rogue AP is detected by the Wireless Intrusion Prevention (WIP) system, the 'detecting devices' information lists the authorized APs or radios that detected the rogue AP's signal. This is the most useful information for locating the rogue device, as it provides the physical locations of the detecting APs. By analyzing the signal strength (RSSI) reported by each detecting device, you can triangulate the approximate location of the rogue AP. For example, if AP-1 and AP-2 detect the rogue AP, and AP-1 reports a higher RSSI, the rogue AP is likely closer to AP-1." (Page 416, Rogue AP Detection Section)
Additionally, the HPE Aruba Networking Security Guide notes: "To locate a rogue AP, use the 'detecting devices' information in the AOS Detected Radios page. This lists the APs that detected the rogue AP, along with signal strength data, enabling triangulation to pinpoint the rogue device's location." (Page 80, Locating Rogue APs Section)
References: HPE Aruba Networking AOS-8 8.11 User Guide, Rogue AP Detection Section, Page 416. HPE Aruba Networking Security Guide, Locating Rogue APs Section, Page 80.
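A rough way to turn the detecting devices and their RSSI readings into a search area, as an added example that is not AOS code. It uses an RSSI-weighted centroid, a simple estimate swapped in here for the "triangulation" the text mentions; the AP coordinates, AP-3, AP-9 and all RSSI values are constructed.

```python
import math

# Constructed floor-plan coordinates (metres) of authorized APs.
AP_POSITIONS = {"AP-1": (0.0, 0.0), "AP-2": (40.0, 0.0), "AP-3": (0.0, 30.0)}

# Constructed "detecting devices" rows for one rogue BSSID: detector and RSSI in dBm.
DETECTIONS = [
    {"ap": "AP-2", "rssi": -71},
    {"ap": "AP-1", "rssi": -48},
    {"ap": "AP-3", "rssi": -66},
    {"ap": "AP-9", "rssi": -80},  # detector with no recorded position
]

def dbm_to_mw(rssi_dbm):
    """Convert dBm to linear milliwatts so stronger readings weigh more."""
    return 10 ** (rssi_dbm / 10)

def rank_detectors(detections):
    """Strongest reading first: the first AP is the best place to start a walk-through."""
    return sorted(detections, key=lambda d: d["rssi"], reverse=True)

def weighted_centroid(detections, ap_positions):
    """Estimate (x, y) as the received-power-weighted mean of detector positions.

    Detectors without a known position are skipped. Returns None when no
    located detector is available. Walls and multipath distort RSSI, so the
    result narrows the search area rather than pinpointing the device.
    """
    total = x = y = 0.0
    for d in detections:
        pos = ap_positions.get(d["ap"])
        if pos is None:
            continue
        w = dbm_to_mw(d["rssi"])
        total += w
        x += w * pos[0]
        y += w * pos[1]
    if total == 0:
        return None
    return (x / total, y / total)

def nearest_ap(point, ap_positions):
    """Name of the AP whose position is closest to the estimated point."""
    return min(ap_positions, key=lambda ap: math.dist(point, ap_positions[ap]))

if __name__ == "__main__":
    est = weighted_centroid(DETECTIONS, AP_POSITIONS)
    print("start at:", rank_detectors(DETECTIONS)[0]["ap"])
    print("estimate: (%.1f, %.1f) near %s" % (est[0], est[1], nearest_ap(est, AP_POSITIONS)))
```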
Question 50
Which is a correct description of a stage in the Lockheed Martin kill chain?
Correct Answer: D
The Lockheed Martin Cyber Kill Chain model describes the stages of a cyber attack. In the exploitation phase, the attacker uses vulnerabilities to gain access to the system. Following this, in the installation phase, the attacker installs a backdoor or other malicious software to ensure persistent access to the compromised system. This backdoor can then be used to control the system, steal data, or execute additional attacks.
Reference: Lockheed Martin Cyber Kill Chain framework.