What is one difference between EAP-Tunneled Layer Security (EAP-TLS) and Protected EAP (PEAP)?
Correct Answer: B
EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) and PEAP (Protected EAP) are two EAP methods used for 802.1X authentication in wireless networks, such as those configured with WPA3-Enterprise on HPE Aruba Networking solutions. Both methods are commonly used with ClearPass Policy Manager (CPPM) for secure authentication. EAP-TLS: Requires both the supplicant (client) and the server (e.g., CPPM) to present a valid certificate during authentication. Establishes a TLS tunnel to secure the authentication process, but the primary authentication mechanism is the mutual certificate exchange. The client's certificate is used to authenticate the client, and the server's certificate authenticates the server. PEAP: Requires only the server to present a certificate to authenticate itself to the client. Establishes a TLS tunnel to secure the authentication process, within which the client authenticates using a secondary method, typically a username and password (e.g., via MS-CHAPv2 or EAP-GTC). Option A, "EAP-TLS begins with the establishment of a TLS tunnel, but PEAP does not use a TLS tunnel as part of its process," is incorrect. Both EAP-TLS and PEAP establish a TLS tunnel. In EAP-TLS, the TLS tunnel is used for the mutual certificate exchange, while in PEAP, the TLS tunnel protects the inner authentication (e.g., username/password). Option B, "EAP-TLS requires the supplicant to authenticate with a certificate, but PEAP allows the supplicant to use a username and password," is correct. This is a key difference: EAP-TLS mandates certificate-based authentication for the client, while PEAP allows the client to authenticate with a username and password inside the TLS tunnel, making PEAP more flexible for environments where client certificates are not deployed. Option C, "EAP-TLS creates a TLS tunnel for transmitting user credentials, while PEAP authenticates the server and supplicant during a TLS handshake," is incorrect. Both methods use a TLS tunnel, and both authenticate the server during the TLS handshake (using the server's certificate). In EAP-TLS, the client's certificate is also part of the TLS handshake, while in PEAP, the client's credentials (username/password) are sent inside the tunnel after the handshake. Option D, "EAP-TLS creates a TLS tunnel for transmitting user credentials securely, while PEAP protects user credentials with TKIP encryption," is incorrect. PEAP does not use TKIP (Temporal Key Integrity Protocol) for protecting credentials; TKIP is a legacy encryption method used in WPA/WPA2 for wireless data encryption, not for EAP authentication. PEAP uses the TLS tunnel to protect the inner authentication credentials. The HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide states: "EAP-TLS requires both the supplicant and the server to present a valid certificate for mutual authentication. The supplicant authenticates using its certificate, and the process is secured within a TLS tunnel. In contrast, PEAP requires only the server to present a certificate to establish a TLS tunnel, within which the supplicant can authenticate using a username and password (e.g., via MS-CHAPv2 or EAP-GTC). This makes PEAP more suitable for environments where client certificates are not deployed." (Page 292, EAP Methods Section) Additionally, the HPE Aruba Networking Wireless Security Guide notes: "A key difference between EAP-TLS and PEAP is the client authentication method. EAP-TLS mandates that the client authenticate with a certificate, requiring certificate deployment on all clients. PEAP allows the client to authenticate with a username and password inside a TLS tunnel, making it easier to deploy in environments without client certificates." (Page 40, 802.1X Authentication Methods Section) : HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide, EAP Methods Section, Page 292. HPE Aruba Networking Wireless Security Guide, 802.1X Authentication Methods Section, Page 40.
Question 82
What is a use case for Transport Layer Security (TLS)?
Correct Answer: B
The use case for Transport Layer Security (TLS) is to enable a client and a server to establish secure communications for another protocol. TLS is a cryptographic protocol designed to provide secure communication over a computer network. It is widely used for web browsers and other applications that require data to be securely exchanged over a network, such as file transfers, VPN connections, and voice-over-IP (VoIP). TLS operates between the transport layer and the application layer of the Internet Protocol Suite and is used to secure various other protocols like HTTP (resulting in HTTPS), SMTP, IMAP, and more. This protocol ensures privacy and data integrity between two communicating applications. Detailed information about TLS and its use cases can be found in IETF RFC 5246, which outlines the specifications for TLS 1.2, and in subsequent RFCs that define TLS 1.3.
Question 83
Refer to the exhibit. A diem is connected to an ArubaOS Mobility Controller. The exhibit snows all Tour firewall rules that apply to this diem What correctly describes how the controller treats HTTPS packets to these two IP addresses, both of which are on the other side of the firewall 10.1 10.10 203.0.13.5
Correct Answer: B
Referring to the exhibit, the ArubaOS Mobility Controller treats HTTPS packets based on the firewall rules applied to the client. The rule that allows svc-https service for destination IP range 10.1.0.0 255.255.0.0 would permit an HTTPS packet to 10.1.10.10 since this IP address falls within the specified range. There are no rules shown that would allow traffic to the IP address 203.0.13.5; hence, the packet to this address would be dropped. References: ArubaOS firewall configuration guides detailing how firewall rules are interpreted and applied to traffic. Network security textbooks explaining firewall rule processing and packet filtering based on source and destination IP addresses.
Question 84
A company is deploying ArubaOS-CX switches to support 135 employees, which will tunnel client traffic to an Aruba Mobility Controller (MC) for the MC to apply firewall policies and deep packet inspection (DPI). This MC will be dedicated to receiving traffic from the ArubaOS-CX switches. What are the licensing requirements for the MC?
Correct Answer: B
When deploying ArubaOS-CX switches that tunnel client traffic to an Aruba Mobility Controller (MC), the licensing requirements typically involve Policy Enforcement Firewall (PEF) licenses. These licenses enable the MC to enforce firewall policies and perform deep packet inspection (DPI). Therefore, for each switch tunneling traffic to the MC, a PEF license would be necessary.
Question 85
Refer to the exhibit. You have set up a RADIUS server on an ArubaOS Mobility Controller (MC) when you created a WLAN named "MyEmployees .You now want to enable the MC to accept change of authorization (CoA) messages from this server for wireless sessions on this WLAN. What Is a part of the setup on the MC?
Correct Answer: A
To enable an ArubaOS Mobility Controller (MC) to accept Change of Authorization (CoA) messages from a RADIUS server for wireless sessions on a WLAN, part of the setup on the MC involves creating a dynamic authorization, or RFC 3576, server with the provided IP address (10.5.5.5) and the correct shared secret. This setup allows the MC to handle CoA requests, which are used to change the authorization attributes of a session after it has been authenticated, such as disconnecting a user or changing a user's VLAN assignment.
