How should admins deal with vulnerabilities that they find in their systems?
Correct Answer: A
Question 97
You have a network with AOS-CX switches for which HPE Aruba Networking ClearPass Policy Manager (CPPM) acts as the TACACS+ server. When an admin authenticates, CPPM sends a response with: Aruba-Priv-Admin-User = 1 TACACS+ privilege level = 15 What happens to the user?
Correct Answer: C
HPE Aruba Networking AOS-CX switches support TACACS+ for administrative authentication, where ClearPass Policy Manager (CPPM) can act as the TACACS+ server. When an admin authenticates, CPPM sends a TACACS+ response that includes attributes such as the TACACS+ privilege level and vendor-specific attributes (VSAs) like Aruba-Priv-Admin-User. In this scenario, CPPM sends: TACACS+ privilege level = 15: In TACACS+, privilege level 15 is the highest level and typically grants full administrative access (equivalent to a superuser or administrator role). Aruba-Priv-Admin-User = 1: This Aruba-specific VSA indicates that the user should be granted the highest level of administrative access on the switch. On AOS-CX switches, the privilege level 15 maps to the administrator role, which provides full read-write access to all switch functions. The Aruba-Priv-Admin-User = 1 attribute reinforces this by explicitly assigning the admin role, ensuring the user has unrestricted access. Option A, "The user receives auditors access," is incorrect because auditors typically have read-only access, which corresponds to a lower privilege level (e.g., 1 or 3) on AOS-CX switches. Option B, "The user receives no access," is incorrect because the authentication was successful, and CPPM sent a response granting access with privilege level 15. Option D, "The user receives operators access," is incorrect because operators typically have a lower privilege level (e.g., 5 or 7), which provides limited access compared to an administrator. The HPE Aruba Networking AOS-CX 10.12 Security Guide states: "When using TACACS+ for administrative authentication, the switch interprets the privilege level returned by the TACACS+ server. A privilege level of 15 maps to the administrator role, granting full read-write access to all switch functions. The Aruba-Priv-Admin-User VSA, when set to 1, explicitly assigns the admin role, ensuring the user has unrestricted access." (Page 189, TACACS+ Authentication Section) Additionally, the HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide notes: "ClearPass can send the Aruba-Priv-Admin-User VSA in a TACACS+ response to specify the administrative role on Aruba devices. A value of 1 indicates the admin role, which provides full administrative privileges." (Page 312, TACACS+ Enforcement Section) : HPE Aruba Networking AOS-CX 10.12 Security Guide, TACACS+ Authentication Section, Page 189. HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide, TACACS+ Enforcement Section, Page 312.
Question 98
Refer to the exhibit. You need to ensure that only management stations in subnet 192.168.1.0/24 can access the ArubaOS-Switches' CLI. Web Ul. and REST interfaces The company also wants to let managers use these stations to access other parts of the network What should you do?
Correct Answer: B
To ensure that only management stations in the subnet 192.168.1.0/24 can access the ArubaOS-Switches' Command Line Interface (CLI), Web UI, and REST interfaces, while also allowing managers to access other parts of the network, you should specify 192.168.1.0 255.255.255.0 as the authorized manager IP address on the switches. This configuration will restrict access to the switch management interfaces to devices within the specified IP address range, effectively creating a management access list. References: ArubaOS-Switch management and configuration guide detailing IP authorized manager settings. Network management best practices which recommend controlling access to network devices' management interfaces.
Question 99
Refer to the exhibit. You have set up a RADIUS server on an ArubaOS Mobility Controller (MC) when you created a WLAN named "MyEmployees .You now want to enable the MC to accept change of authorization (CoA) messages from this server for wireless sessions on this WLAN. What Is a part of the setup on the MC?
Correct Answer: A
To enable an ArubaOS Mobility Controller (MC) to accept Change of Authorization (CoA) messages from a RADIUS server for wireless sessions on a WLAN, part of the setup on the MC involves creating a dynamic authorization, or RFC 3576, server with the provided IP address (10.5.5.5) and the correct shared secret. This setup allows the MC to handle CoA requests, which are used to change the authorization attributes of a session after it has been authenticated, such as disconnecting a user or changing a user's VLAN assignment.
Question 100
Which correctly describes one of HPE Aruba Networking ClearPass Policy Manager's (CPPM's) device profiling methods?
Correct Answer: C
HPE Aruba Networking ClearPass Policy Manager (CPPM) uses device profiling to identify and classify endpoints on the network, enabling granular access control based on device type, OS, or other attributes. CPPM supports both passive and active profiling methods. Option C, "CPPM can analyze settings such as TTL and time window size in endpoints' TCP traffic in order to fingerprint the OS," is correct. TCP fingerprinting is a passive profiling method used by CPPM. It involves analyzing TCP packet headers, such as the Time To Live (TTL) value and TCP window size, which vary between operating systems (e.g., Windows, Linux, macOS). CPPM captures this traffic (e.g., via mirrored traffic from a switch or controller) and matches the TCP attributes against its fingerprint database to identify the OS of the endpoint. Option A, "CPPM can use Wireshark to actively probe devices, analyze their traffic patterns, and construct an endpoint profile," is incorrect. CPPM does not use Wireshark for profiling; Wireshark is a third-party packet analysis tool. CPPM has its own built-in profiling engine and does not rely on external tools like Wireshark for active probing. Option B, "CPPM can use SNMP to configure Aruba switches and mobility devices to mirror client traffic to CPPM for analysis," is incorrect. While CPPM can receive mirrored traffic for profiling (e.g., via SPAN or mirror ports), it does not use SNMP to configure the mirroring. The configuration of traffic mirroring is typically done manually on the switch or controller (e.g., using a datapath mirror on an MC), not via SNMP by CPPM. Option D, "CPPM can analyze settings such as TCP/UDP ports used for HTTP, DHCP, and DNS in endpoints' traffic to fingerprint the OS," is incorrect. While CPPM does analyze HTTP, DHCP, and DNS traffic for profiling, it does not fingerprint the OS based on TCP/UDP ports. Instead, it uses attributes like DHCP Option 55 (for DHCP fingerprinting) or HTTP User-Agent strings (for HTTP fingerprinting) to identify devices, not the ports themselves. The HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide states: "ClearPass supports TCP fingerprinting as a passive profiling method to identify the operating system of endpoints. By analyzing TCP packet headers, such as the Time To Live (TTL) value and TCP window size, ClearPass can fingerprint the OS of a device. For example, Windows devices typically have a TTL of 128, while Linux devices often have a TTL of 64. These attributes are matched against ClearPass's fingerprint database to classify the device." (Page 248, TCP Fingerprinting Section) Additionally, the ClearPass Device Insight Data Sheet notes: "ClearPass uses passive profiling techniques like TCP fingerprinting to identify device operating systems. By examining TCP attributes such as TTL and window size, ClearPass can accurately determine whether a device is running Windows, Linux, macOS, or another OS, enabling precise policy enforcement." (Page 3, Profiling Methods Section) : HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide, TCP Fingerprinting Section, Page 248. ClearPass Device Insight Data Sheet, Profiling Methods Section, Page 3.
