HP Exam HPE6-A84 Topic 6 Question 24 Discussion

Actual exam question for HP's HPE6-A84 exam

Question #: 24
Topic #: 6

Refer to the scenario.

# Introduction to the customer

You are helping a company add Aruba ClearPass to their network, which uses Aruba network infrastructure devices.

The company currently has a Windows domain and Windows C

AThe Window CA issues certificates to domain computers, domain users, and servers such as domain controllers. An example of a certificate issued by the Windows CA is shown here.

The company is in the process of adding Microsoft Endpoint Manager (Intune) to manage its mobile clients. The customer is maintaining the on-prem AD for now and uses Azure AD Connect to sync with Azure AD.
# Requirements for issuing certificates to mobile clients
The company wants to use ClearPass Onboard to deploy certificates automatically to mobile clients enrolled in Intune. During this process, Onboard should communicate with Azure AD to validate the clients. High availability should also be provided for this scenario; in other words, clients should be able to get certificates from Subscriber 2 if Subscriber 1 is down.
The Intune admins intend to create certificate profiles that include a UPN SAN with the UPN of the user who enrolled the device.
# Requirements for authenticating clients
The customer requires all types of clients to connect and authenticate on the same corporate SSID.
The company wants CPPM to use these authentication methods:
To succeed, EAP-TLS (standalone or as a TEAP method) clients must meet these requirements:
# Requirements for assigning clients to roles
After authentication, the customer wants the CPPM to assign clients to ClearPass roles based on the following rules:
The customer requires CPPM to assign authenticated clients to AOS firewall roles as follows:
# Other requirements
Communications between ClearPass servers and on-prem AD domain controllers must be encrypted.
# Network topology
For the network infrastructure, this customer has Aruba APs and Aruba gateways, which are managed by Central. APs use tunneled WLANs, which tunnel traffic to the gateway cluster. The customer also has AOS-CX switches that are not managed by Central at this point.

# ClearPass cluster IP addressing and hostnames
A customer's ClearPass cluster has these IP addresses:
The customer's DNS server has these entries
On CPPM, you are creating the authentication method shown in the exhibit below:

You will use the method for standalone EAP-TLS and for inner methods in TEAP.
What should you do?

AConfigure OCSP override and set the OCSP URL to localhost/onboard/mdps ocspphp/2

BEnable certificate comparison.

CEnable authorization.

DConfigure OCSP override and leave the OCSP URL blank.

Show Suggested Answer

Suggested Answer: B

This is because SNMPv3 is a secure version of SNMP that provides authentication, encryption, and access control for network management. SNMPv3-only is a configuration option on AOS-CX switches that disables SNMPv1 and SNMPv2c, which are insecure versions of SNMP that use plain text community strings for authentication. By setting the snmp-server settings to ''snmpv3-only'', the switch will only respond to SNMPv3 requests and reject any SNMPv1 or SNMPv2c requests, thus remedying the vulnerability and meeting the customer's requirements.

A) Enabling control plane policing to automatically drop SNMP GET requests. This is not a valid recommendation because control plane policing is a feature that protects the switch from denial-of-service (DoS) attacks by limiting the rate of traffic sent to the CPU. Control plane policing does not disable SNMPv1 or SNMPv2c, but rather applies a rate limit to all SNMP requests, regardless of the version. Moreover, control plane policing might also drop legitimate SNMP requests if they exceed the rate limit, which could affect the network management.

C) Adding an SNMP community with a long random name. This is not a valid recommendation because an SNMP community is a shared secret that acts as a password for accessing network devices using SNMPv1 or SNMPv2c. Adding an SNMP community with a long random name does not disable SNMPv1 or SNMPv2c, but rather creates another community string that can be used for authentication. Moreover, adding an SNMP community with a long random name does not improve the security of SNMPv1 or SNMPv2c, as the community string is still transmitted in plain text and can be intercepted by an attacker.

D) Enabling SNMPv3, which implicitly disables SNMPv1/v2. This is not a valid recommendation because enabling SNMPv3 does not implicitly disable SNMPv1 or SNMPv2c on AOS-CX switches. Enabling SNMPv3 only adds support for the secure version of SNMP, but does not remove support for the insecure versions. Therefore, enabling SNMPv3 alone does not remedy the vulnerability or meet the customer's requirements.

by Irma at Jul 16, 2024, 09:12 AM

Limited Time Offer

25%

Off

Get Premium HPE6-A84 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Van

2 months ago

Ah, the classic networking troubleshooting dance of enabling and rebooting. I hope the gateways don't take too long to come back up!

upvoted 0 times

...

3 months ago

I think D is a good option too. Enabling deep packet inspection on the Aruba APs and rebooting them could also help resolve the issue of not seeing flow attributes for wireless clients.

upvoted 0 times

Marshall

1 months ago

User 1

upvoted 0 times

...

Sabrina

1 months ago

User 2

upvoted 0 times

...

Maurine

2 months ago

User 1

upvoted 0 times

...

4 months ago

I think we should check if deep packet inspection is enabled on the role assigned to the Aruba APs.

upvoted 0 times

...