What is a guideline for deploying Aruba ClearPass Device Insight?
Correct Answer: D
For deploying Aruba ClearPass Device Insight effectively, especially in environments with multiple sites, it is recommended to deploy a pair of Device Insight Collectors at the headquarters or the central data center. This deployment strategy helps in centralizing the data collection and analysis, which simplifies management and enhances performance by reducing the data load on the WAN links connecting different sites. Centralizing the collectors at a major site or data center allows for better scalability and reliability of the network management system. This configuration also aids in achieving a more consistent and comprehensive monitoring and analysis of the devices across the network, ensuring that the security and management policies are uniformly applied. This recommendation is based on best practices for network architecture design, particularly those discussed in Aruba's deployment guides and network management strategies.
Question 77
You need to deploy an Aruba instant AP where users can physically reach It. What are two recommended options for enhancing security for management access to the AP? (Select two )
Correct Answer: C,E
When deploying an Aruba Instant AP in a location where users can physically access it, enhancing security for management access could involve several measures: C. Disabling the Web UI will prevent unauthorized access via the browser-based management interface, which could be a security risk if the AP is within physical reach of untrusted parties. E. Installing a CA-signed certificate helps ensure that any communication with the AP's management interface is encrypted and authenticated, preventing man-in-the-middle attacks and eavesdropping.
Question 78
You are checking the Security Dashboard in the Web Ul for your ArubaOS solution and see that Wireless Intrusion Prevention (WIP) has discovered a rogue radio operating in ad hoc mode with open security. What correctly describes a threat that the radio could pose?
Correct Answer: A
A rogue radio operating in ad hoc mode with open security can pose several threats to a network. Ad hoc networks allow direct device-to-device communication without centralized control. If such a radio is present within or near a corporate environment, it can potentially be used to create a peer-to-peer network that bypasses corporate security controls, effectively acting as a backdoor into the corporate network for unauthorized users or devices. This can lead to a breach of data security and unauthorized access to network resources.
Question 79
What is one difference between EAP-Tunneled Layer security (EAP-TLS) and Protected EAP (PEAP)?
Correct Answer: B
EAP-TLS and PEAP both provide secure authentication methods, but they differ in their requirements for client-side authentication. EAP-TLS requires both the client (supplicant) and the server to authenticate each other with certificates, thereby ensuring a very high level of security. On the other hand, PEAP requires a server-side certificate to create a secure tunnel and allows the client to authenticate using less stringent methods, such as a username and password, which are then protected by the tunnel. This makes PEAP more flexible in environments where client-side certificates are not feasible.References: EAP-TLS and PEAP authentication protocols comparison.
Question 80
What is an Authorized client, as defined by AOS Wireless Intrusion Prevention System (WIP)?
Correct Answer: D
The AOS Wireless Intrusion Prevention System (WIP) in an AOS-8 architecture (Mobility Controllers or Mobility Master) is designed to detect and mitigate wireless threats, such as rogue APs and unauthorized clients. WIP classifies clients and APs based on their behavior and status in the network. Authorized Client Definition: In the context of WIP, an "Authorized" client is one that has successfully authenticated to an authorized AP (an AP managed by the MC and part of the company's network) and is actively passing encrypted traffic. This typically means the client has completed 802.1X authentication (e.g., in a WPA3-Enterprise network) or PSK authentication (e.g., in a WPA3-Personal network) and is communicating securely with the AP. Option D, "A client that has successfully authenticated to an authorized AP and passed encrypted traffic," is correct. This matches the WIP definition of an Authorized client: the client must authenticate to an AP that is classified as "Authorized" (i.e., part of the company's network) and must be passing encrypted traffic, indicating a secure connection (e.g., using WPA3 encryption). Option A, "A client that is on the WIP whitelist," is incorrect. WIP does not use a client whitelist for classification. The AP whitelist is used to authorize APs, not clients. Client classification (e.g., Authorized, Interfering) is based on their authentication status and connection to authorized APs. Option B, "A client that has a certificate issued by a trusted Certification Authority (CA)," is incorrect. While a certificate might be used for 802.1X authentication (e.g., EAP-TLS), WIP does not classify clients as Authorized based on their certificate status. The classification depends on successful authentication to an authorized AP and encrypted traffic. Option C, "A client that is NOT on the WIP blacklist," is incorrect. WIP does use blacklisting (e.g., for clients that violate security policies), but being "not on the blacklist" does not make a client Authorized. A client must actively authenticate to an authorized AP and pass encrypted traffic to be classified as Authorized. The HPE Aruba Networking AOS-8 8.11 User Guide states: "In the Wireless Intrusion Prevention (WIP) system, an 'Authorized' client is defined as a client that has successfully authenticated to an authorized AP and is passing encrypted traffic. An authorized AP is one that is managed by the Mobility Controller and part of the company's network. For example, a client that completes 802.1X authentication to an authorized AP using WPA3-Enterprise and sends encrypted traffic is classified as Authorized." (Page 414, WIP Client Classification Section) Additionally, the HPE Aruba Networking Security Guide notes: "WIP classifies clients as 'Authorized' if they have authenticated to an authorized AP and are passing encrypted traffic, indicating a secure connection. Clients that are not authenticated or are connected to rogue or neighbor APs are classified as 'Interfering' or other categories, depending on their behavior." (Page 78, WIP Classifications Section) : HPE Aruba Networking AOS-8 8.11 User Guide, WIP Client Classification Section, Page 414. HPE Aruba Networking Security Guide, WIP Classifications Section, Page 78.
