Refer to the exhibit, which shows the settings on the company's MCs. You have deployed about 100 new HPE Aruba Networking 335 APs. What is required for the APs to become managed?
Correct Answer: B
The scenario involves an AOS-8 Mobility Controller (MC) with Control Plane Security (CPSec) enabled and auto certificate provisioning disabled. CPSec is a feature that secures the control plane communication between the MC and APs using certificates. When CPSec is enabled, APs must be authorized and trusted by the MC to become managed. CPSec Enabled, Auto Cert Provisioning Disabled: When CPSec is enabled, APs must have a valid certificate to establish a secure control plane connection with the MC. If auto certificate provisioning is disabled (as shown in the exhibit), the MC does not automatically provision certificates to the APs. Instead, the APs must already have a factory-installed certificate (or a manually installed certificate), and the MC must trust the AP's certificate by having the issuing CA in its trust list. Additionally, the AP must be on the MC's AP whitelist to be authorized. AP Whitelist: The AP whitelist is a list of authorized APs maintained on the MC (or Mobility Master, MM, if present). For an AP to become managed, its MAC address must be in the whitelist, especially when CPSec is enabled and auto provisioning is disabled. This ensures that only authorized APs can connect to the MC. Option A, "Installing CA-signed certificates on the APs," is incorrect because HPE Aruba Networking APs, such as the 335 series, come with factory-installed certificates signed by Aruba's CA. These certificates are sufficient for CPSec, provided the MC trusts the Aruba CA (which is typically preconfigured). Manually installing CA-signed certificates is not required unless the factory certificates are not used or trusted. Option B, "Approving the APs as authorized APs on the AP whitelist," is correct. With CPSec enabled and auto cert provisioning disabled, the APs must be explicitly authorized by adding their MAC addresses to the AP whitelist on the MC. This step ensures that the MC accepts the AP's certificate and allows it to become managed. Option C, "Installing self-signed certificates on the APs," is incorrect because self-signed certificates are not typically used for CPSec. APs use factory-installed certificates, and the MC must trust the issuing CA. Self-signed certificates would require manual trust configuration on the MC, which is not a standard practice. Option D, "Configuring a PAPI key that matches on the APs and MCs," is incorrect. PAPI (Protocol for AP Provisioning and Information) keys are used for securing communication between APs and the MC in non-CPSec environments or for specific configurations (e.g., when CPSec is disabled). When CPSec is enabled, certificate-based authentication replaces the need for a PAPI key. The HPE Aruba Networking AOS-8 8.11 User Guide states: "When Control Plane Security (CPSec) is enabled and auto certificate provisioning is disabled, APs must be authorized by adding their MAC addresses to the AP whitelist on the Mobility Controller (or Mobility Master). The AP uses its factory-installed certificate to establish a secure control plane connection with the MC. The MC must trust the CA that issued the AP's certificate (e.g., Aruba's CA), and the AP must be in the whitelist to become managed. To add an AP to the whitelist, navigate to Configuration > Access Points > AP Whitelist in the MC UI and add the AP's MAC address." (Page 395, CPSec Configuration Section) Additionally, the HPE Aruba Networking CPSec Deployment Guide notes: "If auto cert provisioning is disabled, the AP whitelist becomes mandatory for CPSec. Each AP must be explicitly approved by adding its MAC address to the whitelist, ensuring that only authorized APs can connect to the MC. The AP's factory certificate is used for authentication, and no manual certificate installation is required on the AP." (Page 12, CPSec with Manual Provisioning Section) : HPE Aruba Networking AOS-8 8.11 User Guide, CPSec Configuration Section, Page 395. HPE Aruba Networking CPSec Deployment Guide, CPSec with Manual Provisioning Section, Page 12.
Question 77
An organization has HPE Aruba Networking infrastructure, including AOS-CX switches and an AOS-8 mobility infrastructure with Mobility Controllers (MCs) and APs. Clients receive certificates from ClearPass Onboard. The infrastructure devices authenticate clients to ClearPass Policy Manager (CPPM). The company wants to start profiling clients to take their device type into account in their access rights. What is a role that CPPM should play in this plan?
Correct Answer: A
HPE Aruba Networking ClearPass Policy Manager (CPPM) is a network access control (NAC) solution that provides device profiling, authentication, and policy enforcement. In this scenario, the company wants to profile clients to determine their device type and use that information to define access rights. Device profiling in ClearPass involves identifying and categorizing devices based on various attributes, such as DHCP fingerprints, HTTP User-Agent strings, or TCP fingerprinting, to assign them to specific device categories (e.g., Windows, macOS, IoT devices, etc.). These categories can then be used in policy decisions to grant or restrict access. Option A, "Assigning clients to their device categories," directly aligns with ClearPass's role in device profiling. ClearPass collects profiling data from network devices (like APs, MCs, or switches) and uses its profiling engine to categorize devices. This categorization is a core function of ClearPass Device Insight, which is integrated into CPPM, and is used to build policies based on device type. Option B, "Helping to forward profiling information to the component responsible for profiling," is incorrect because ClearPass itself is the component responsible for profiling. It doesn't forward data to another system for profiling; instead, it collects data (e.g., via DHCP snooping, HTTP headers, or mirrored traffic) and processes it internally. Option C, "Accepting and enforcing CoA messages," refers to ClearPass's ability to send Change of Authorization (CoA) messages to network devices to dynamically change a client's access rights (e.g., reassign a role or disconnect a session). While CoA is part of ClearPass's enforcement capabilities, it is not directly related to the profiling process or categorizing devices. Option D, "Enforcing access control decisions," is a broader function of ClearPass. While ClearPass does enforce access control decisions based on profiling data (e.g., by assigning roles or VLANs), the question specifically asks about its role in the profiling process, not the enforcement step that follows. The HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide states: "ClearPass Policy Manager provides a mechanism to profile devices that connect to the network. Device profiling collects information about a device during its authentication or through network monitoring (e.g., DHCP, HTTP, or SNMP). The collected data is used to identify and categorize the device into a device category (e.g., Computer, Smartphone, Printer, etc.) and device family (e.g., Windows, Android, etc.). These categories can then be used in policy conditions to enforce access control." (Page 245, Device Profiling Section) Additionally, the ClearPass Device Insight Data Sheet notes: "ClearPass Device Insight uses a combination of passive and active profiling techniques to identify and classify devices. It assigns devices to categories based on their attributes, enabling organizations to create granular access policies." (Page 2) : HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide, Device Profiling Section, Page 245. ClearPass Device Insight Data Sheet, Page 2.
Question 78
Your company policies require you to encrypt logs between network infrastructure devices and Syslog servers. What should you do to meet these requirements on an ArubaOS-CX switch?
Correct Answer: A
To ensure secure transmission of log data over the network, particularly when dealing with sensitive or critical information, using TLS (Transport Layer Security) for encrypted communication between network devices and syslog servers is necessary: Secure Logging Setup: When configuring an ArubaOS-CX switch to send logs securely to a Syslog server, specifying the server with the TLS option ensures that all transmitted log data is encrypted. Additionally, the switch must have a valid certificate to establish a trusted connection, preventing potential eavesdropping or tampering with the logs in transit. Other Options: Option B, Option C, and Option D are less accurate or applicable for directly encrypting log data between the device and Syslog server as specified in the company policies.
Question 79
You need to set up Aruba network infrastructure devices for management with SNMP. The SNMP server has this SNMPv3 user configured on it: username: airwave auth algorithm: sha auth key: fyluqp18@S!9a priv algorithm: aes priv key: 761oxaiaoeu19& What correctly describes the setup on the infrastructure device?
Correct Answer: D
In SNMPv3, security is paramount and each SNMP entity (client or agent) needs to have a user with a security name (username) and optionally, a security level which determines whether authentication and encryption are used. When configuring SNMPv3 users on network infrastructure devices, it is essential to match the username, authentication (auth) algorithm, authentication key (auth key), privacy (priv) algorithm, and privacy key (priv key) exactly as they are configured on the SNMP server to ensure successful communication. This is because the SNMPv3 security model relies on a combination of a username and a pair of keys (authentication and privacy keys) to uniquely identify and secure communication between the agent and the manager. The keys are used to verify the integrity (auth key) and confidentiality (priv key) of the messages. Using the same algorithms ensures that the messages can be properly encrypted and decrypted on both ends.
Question 80
How does the AOS firewall determine which rules to apply to a specific client's traffic?
Correct Answer: A
In an AOS-8 architecture, the Mobility Controller (MC) includes a stateful firewall that enforces policies on client traffic. The firewall uses user roles to apply policies, allowing granular control over traffic based on the client's identity and context. User Roles: In AOS-8, each client is assigned a user role after authentication (e.g., via 802.1X, MAC authentication, or captive portal). The user role contains firewall policies (rules) that define what traffic is allowed or denied for clients in that role. For example, a "guest" role might allow only HTTP/HTTPS traffic, while an "employee" role might allow broader access. Option A, "The firewall applies the rules in policies associated with the client's user role," is correct. The AOS firewall evaluates traffic based on the user role assigned to the client. Each role has a set of policies (rules) that are applied in order, and the first matching rule determines the action (permit or deny). For example, if a client is in the "employee" role, the firewall applies the rules defined in the "employee" role's policy. Option B, "The firewall applies every rule that includes the client's IP address as the source," is incorrect. The firewall does not apply rules based solely on the client's IP address; it uses the user role. Rules within a role may include IP addresses, but the role determines which rules are evaluated. Option C, "The firewall applies the rules in policies associated with the client's WLAN," is incorrect. While the WLAN configuration defines the initial role for clients (e.g., the default 802.1X role), the firewall applies rules based on the client's current user role, which may change after authentication (e.g., via a RADIUS VSA like Aruba-User-Role). Option D, "The firewall applies every rule that includes the client's IP address as the source or destination," is incorrect for the same reason as Option B. The firewall uses the user role to determine which rules to apply, not just the client's IP address. The HPE Aruba Networking AOS-8 8.11 User Guide states: "The AOS firewall on the Mobility Controller applies rules based on the user role assigned to a client. Each user role contains a set of firewall policies that define the allowed or denied traffic for clients in that role. For example, a policy in the 'employee' role might include a rule like ipv4 user any http permit to allow HTTP traffic. The firewall evaluates the rules in the client's role in order, and the first matching rule determines the action for the traffic." (Page 325, Firewall Policies Section) Additionally, the HPE Aruba Networking Security Guide notes: "User roles in AOS-8 provide a powerful mechanism for firewall policy enforcement. The firewall determines which rules to apply to a client's traffic by looking at the policies associated with the client's user role, which is assigned during authentication or via a RADIUS VSA like Aruba-User-Role." (Page 50, Role-Based Access Control Section) : HPE Aruba Networking AOS-8 8.11 User Guide, Firewall Policies Section, Page 325. HPE Aruba Networking Security Guide, Role-Based Access Control Section, Page 50.
