HPE6-A68
Test title: HPE6-A68 Description: HPE6-A68




Refer to the exhibit. An AD user’s department attribute value is configured as “QA”. The user authenticates from a laptop running Mac OS X. Which role is assigned to the user in ClearPass?. HR Local. Remote Employee. [Guest]. Executive. IOS Device. Refer to the exhibit. Based on the Attribute configuration shown, which statement accurately describes the status of attribute values?. Only the attribute values of department and memberOf can be used in role mapping policies. The attribute values of department, title, memberOf, telephoneNumber, and mail are directly applied as ClearPass. Only the attribute value of company can be used in role mapping policies, not the other attributes. The attribute values of department and memberOf are directly applied as ClearPass roles. Only the attribute values of title, telephoneNumber, and mail can be used in role mapping policies. Which components can use Active Directory authorization attributes for the decision-making process? (Select two.). Profiling policy. Certificate validation policy. Role Mapping policy. Enforcement policy. Posture policy. Refer to the exhibit. Based on the Authentication sources configuration shown, which statement accurately describes the outcome if the user is not found?. If the user is not found in the remotelab AD but is present in the local user repository, a reject message is sent back to the NAD. If the user is not found in the local user repository but is present in the remotelab AD, a reject message is sent back to the NAD. If the user is not found in the local user repository a reject message is sent back to the NAD. If the user is not found in the local user repository and remotelab AD, a reject message is sent back to the NAD. If the user is not found in the local user repository a timeout message is sent back to the NAD. Which authorization servers are supported by ClearPass? (Select two.). Aruba Controller. LDAP server. Cisco Controller. Active Directory. Aruba Mobility Access Switch. 
Which CLI command is used to upgrade the image of a ClearPass server?. Image update. System upgrade. Upgrade image. Reboot. Upgrade software. Which steps are required to use ClearPass as a TACACS+ Authentication server for a network device? (Select two.). Configure a TACACS Enforcement Profile on ClearPass for the desired privilege level. Configure a RADIUS Enforcement Profile on ClearPass for the desired privilege level. Configure ClearPass as an Authentication server on the network device. Configure ClearPass roles on the network device. Enable RADIUS accounting on the NAD. What are Operator Profiles used for?. to enforce role based access control for Aruba Controllers. to enforce role based access control for ClearPass Policy Manager admin users. to enforce role based access control for ClearPass Guest Admin users. to assign ClearPass roles to guest users. to map AD attributes to admin privilege levels in ClearPass Guest. Refer to the exhibit. In the Aruba RADIUS dictionary shown, what is the purpose of the RADIUS attributes?. to send information via RADIUS packets to Aruba NADs. to gather and send Aruba NAD information to ClearPass. to send information via RADIUS packets to clients. to gather information about Aruba NADs for ClearPass. to send CoA packets from ClearPass to the Aruba NAD. Refer to the exhibit. Based on the Guest Role Mapping Policy shown, what is the purpose of the Role Mapping Policy?. to display a role name on the Self-registration receipt page. to send a firewall role back to the controller based on the Guest User’s Role ID. to assign Controller roles to guests. to assign three roles of [Contractor], [Guest] and [Employee] to every guest user. to create additional account roles for guest administrators to assign to guest accounts. A customer wants all guests who access a company’s guest network to have their accounts approved by the receptionist, before they are given access to the network. 
How should the network administrator set this up in ClearPass? (Select two.). Enable sponsor approval confirmation in Receipt actions. Configure SMTP messaging in the Policy Manager. Configure a MAC caching service in the Policy Manager. Configure a MAC auth service in the Policy Manager. Enable sponsor approval in the captive portal authentication profile on the NAD. Refer to the exhibit. When configuring a Web Login Page in ClearPass Guest, the information shown is displayed. What is the page name field used for?. for forming the Web Login Page URL. for Administrators to access the PHP page, but not guests. for Administrators to reference the page only. for forming the Web Login Page URL where Administrators add guest users. for informing the Web Login Page URL and the page name that guests must configure on their laptop wireless supplicant. Refer to the exhibit. When configuring a Web Login Page in ClearPass Guest, the information shown is displayed. What is the Address field value ‘securelogin.arubanetworks.com’ used for?. for ClearPass to send a TACACS+ request to the NAD. for appending to the Web Login URL, before the page name. for the client to POST the user credentials to the NAD. for ClearPass to send a RADIUS request to the NAD. for appending to the Web Login URL, after the page name. Refer to the exhibit. A guest connects to the Guest SSID and authenticates successfully using the guest.php web login page. Based on the MAC Caching service information shown, which statement about the guests’ MAC address is accurate?. It will be visible in the Guest User Repository with Unknown Status. It will be deleted from the Endpoint table. It will be visible in the Guest User Repository with Known Status. It will be visible in the Endpoints table with Known Status. It will be visible in the Endpoints table with Unknown Status. A university wants to deploy ClearPass with the Guest module. The university has two types that need to use web login authentication. 
The first type of users are students whose accounts are in an Active Directory server. The second type of users are friends of students who need to self-register to access the network. How should the service be set up in the Policy Manager for this network?. Guest User Repository and Active Directory server both as authentication sources. Active Directory server as the authentication source, and Guest User Repository as the authorization source. Guest User Repository as the authentication source, and Guest User Repository and Active Directory server as authorization sources. Either the Guest User Repository or Active Directory server should be the single authentication source. Guest User Repository as the authentication source and the Active Directory server as the authorization source. An administrator enabled the Pre-auth check for their guest self-registration. At what stage in the registration process is this check performed?. after the user clicks the login button and after the NAD sends an authentication request. after the user self-registers but before the user logs in. after the user clicks the login button but before the NAD sends an authentication request. when a user is re-authenticating to the network. before the user self-registers. Refer to the exhibit. Based on the guest Self-Registration with Sponsor Approval workflow shown, at which stage is an email request sent to the sponsor?. after ‘Guest Role (7)’. after ‘Login Message page (5)’. after ‘Submit form (3)’. after ‘Automated NAS login (6)’. after ‘Redirects (1)’. Refer to the exhibit. A user logged in to the Self-Service Portal as shown. What do the traffic received and sent statistics present?. These show the total amount of traffic the guest transmitted, as seen through RADIUS CoA packets from the NAD to ClearPass. These show the total amount of traffic the NAD transmitted to ClearPass, as seen through RADIUS accounting messages from the NAD to ClearPass. 
These show the total amount of traffic the guest transmitted after account expiration, as seen through RADIUS accounting messages sent from the NAD to ClearPass. These show the total amount of traffic the guest transmitted, as seen through RADIUS CoA packets from the client to ClearPass. These show the total amount of traffic the guest transmitted, as seen through RADIUS accounting messages sent from the NAD to ClearPass. Refer to the exhibit. Based on the configuration of the create_user form shown, which statement accurately describes the status?. The email field will be visible to guest users when they access the web login page. The visitor_company field will be visible to operators creating the account. The visitor_company field will be visible to the guest users when they access the web login page. The visitor_phone field will be visible to the guest users in the web login page. The visitor_phone field will be visible to operators creating the account. Refer to the exhibit. Based on the information shown, which field in the Captive Portal Authentication profile should be changed so that guest users are redirected to a page on ClearPass when they connect to the Guest SSID?. both Login and Welcome Page. Default Role. Welcome Page. Default Guest Role. Login Page. A hotel chain deployed ClearPass Guest. When hotel guests connect to the Guest SSID, launch a web browser and enter the address www.google.com, they are unable to immediately see the web login page. What are the likely causes of this? (Select two.). The ClearPass server has a trusted server certificate issued by Verisign. The ClearPass server has an untrusted server certificate issued by the internal Microsoft Certificate server. The ClearPass server does not recognize the client’s certificate. The DNS server is not replying with an IP address for www.google.com. Refer to the exhibit. An Enforcement Profile has been created in the Policy Manager as shown. 
Which action will ClearPass take based on this Enforcement Profile?. ClearPass will count down 600 seconds and send a RADIUS CoA message to the user to end the user’s session after this time is up. ClearPass will send the Session-Timeout attribute in the RADIUS Access-Accept packet to the NAD and the NAD will end the user’s session after 600 seconds. ClearPass will count down 600 seconds and send a RADIUS CoA message to the NAD to end the user’s session after this time is up. ClearPass will send the Session-Timeout attribute in the RADIUS Access-Request packet to the NAD and the NAD will end the user’s session after 600 seconds. ClearPass will send the Session-Timeout attribute in the RADIUS Access-Accept packet to the User and the user’s session will be terminated after 600 seconds. Refer to the exhibit. Based on the information shown, what is the purpose of using [Time Source] for authorization?. to check how long it has been since the last login authentication. to check whether the guest account expired. to check whether the MAC address is in the MAC Caching repository. to check whether the MAC address status is known in the endpoints table. to check whether the MAC address status is unknown in the endpoints table. A customer with an Aruba Controller wants it to work with ClearPass Guest. How should the customer configure ClearPass as an authentication server in the controller so that guests are able to authenticate successfully?. Add ClearPass as a RADIUS CoA server. Add ClearPass as a RADIUS authentication server. Add ClearPass as a TACACS+ authentication server. Add ClearPass as an HTTPS authentication server. Refer to the exhibit. Based on the Enforcement Policy configuration shown, when a user with Role Remote Worker connects to the network and the posture token assigned is quarantine, which Enforcement Profile will be applied?. RestrictedACL. Remote Employee ACL. [Deny Access Profile]. EMPLOYEE_VLAN. HR VLAN. Refer to the exhibit. 
Based on the Access Tracker output for the user shown, which statement describes the status?. The Aruba Terminate Session enforcement profile was applied because the posture check failed. A Healthy Posture Token was sent to the Policy Manager. A RADIUS-Access-Accept message is sent back to the Network Access Device. The authentication method used is EAP-PEAP. A NAP agent was used to obtain the posture token for the user. Why can the Onguard posture check not be performed during 802.1x authentication?. Health Checks cannot be used with 802.1x. Onguard uses RADIUS, so an additional service must be created. Onguard uses HTTPS, so an additional service must be created. Onguard uses TACACS, so an additional service must be created. 802.1x is already secure, so Onguard is not needed. Refer to the exhibit. Based on the Enforcement Profile configuration shown, which statement accurately describes what is sent?. A limited access VLAN value is sent to the Network Access Device. An unhealthy role value is sent to the Network Access Device. A message is sent to the Onguard Agent on the client device. A RADIUS CoA message is sent to bounce the client. A RADIUS access-accept message is sent to the Controller. A ClearPass administrator wants to make Enforcement decisions during 802.1x authentication based on a client’s Onguard posture token. Which Enforcement profile should be used on the health check service?. RADIUS CoA. Quarantine VLAN. Full Access VLAN. RADIUS Accept. RADIUS Reject. Refer to the exhibit. Based on the Endpoint information shown, which collectors were used to profile the device as Apple iPad? (Select two.). HTTP User-Agent. SNMP. DHCP fingerprinting. SmartDevice. Onguard Agent. Refer to the exhibit. A user who is tagged with the ClearPass roles of Role_Engineer and developer, but not testqa, connects to the network with a corporate Windows laptop. Which Enforcement Profile is applied?. WIRELESS_GUEST_NETWORK. WIRELESS_CAPTIVE_NETWORK. WIRELESS_HANDHELD_NETWORK. 
Deny Access. WIRELESS_EMPLOYEE_NETWORK. An SNMP probe is sent from ClearPass to a network access device, but ClearPass is unable to obtain profiling information. What are likely causes? (Select three.). Only SNMP read has been configured but SNMP write is needed for profiling information. An external firewall is blocking SNMP traffic. SNMP is not enabled on the NAD. SNMP community string in the ClearPass and NAD configuration is mismatched. SNMP probing is not supported between ClearPass and NADs. Which database in the Policy Manager contains the device attributes derived by profiling?. Endpoints Repository. Client Repository. Local Users Repository. Onboard Devices Repository. Guest User Repository. When a third party Mobile Device Management server is integrated with ClearPass, where is the endpoint information from the MDM server stored in ClearPass?. Endpoints repository. Onboard Device repository. MDM repository. Guest User repository. Local User repository. Refer to the exhibit. Based on the network topology diagram shown, how many clusters are needed for this deployment?. 1. 2. 3. 4. 8. Refer to the exhibit. Which statements accurately describe the cp82 ClearPass node? (Select two.). It becomes the Publisher when the primary Publisher fails. It operates as a Publisher in the same cluster as the primary Publisher when the primary is active. It operates as a Publisher in a separate cluster when the Publisher is active. It operates as a Subscriber when the Publisher is active. It stays as a Subscriber when the Publisher fails. Refer to the exhibit. A customer wants to enable Publisher redundancy. Based on the network topology diagram shown, which node should the network administrator configure as the standby Publisher for the Publisher in the main data center?. Subscriber in the main data center. Publisher in the regional office. Any of the other three Publishers. Publisher in the mid-size branch. Publisher in the DMZ. 
A customer wants to implement Virtual IP redundancy, such that in case of a ClearPass server outage, 802.1x authentications will not be interrupted. The administrator has enabled a single Virtual IP address on two ClearPass servers. Which statements accurately describe next steps? (Select two.). The NAD should be configured with the primary node IP address for RADIUS authentication on the 802.1x network. A new Virtual IP address should be created for each NAD. Both the primary and secondary nodes will respond to authentication requests sent to the Virtual IP address when the primary node is active. The primary node will respond to authentication requests sent to the Virtual IP address when the primary node is active. The NAD should be configured with the Virtual IP address for RADIUS authentications on the 802.1x network. ClearPass and a wired switch are configured for 802.1x authentication with RADIUS CoA (RFC 3576) on UDP port 3799. This port has been blocked by a firewall between the wired switch and ClearPass. What will be the outcome of this state?. RADIUS Authentications will fail because the wired switch will not be able to reach the ClearPass server. During RADIUS Authentication, certificate exchange between the wired switch and ClearPass will fail. RADIUS Authentications will timeout because the wired switch will not be able to reach the ClearPass server. RADIUS Authentication will succeed, but Post-Authentication Disconnect-Requests from ClearPass to the wired switch will not be delivered. RADIUS Authentication will succeed, but RADIUS Access-Accept messages from ClearPass to the wired switch for Change of Role will not be delivered. Which statement accurately describes configuration of Data and Management ports on the ClearPass appliance? (Select two.). Static IP addresses are only allowed on the management port. Configuration of the data port is mandatory. Configuration on the management port is mandatory. Configuration of the data port is optional. 
Configuration of the management port is optional. Which licenses are included in the built-in Starter kit for ClearPass?. 10 ClearPass Guest licenses, 10 ClearPass Onguard licenses and 10 ClearPass Onboard licenses. 25 ClearPass Profiler licenses. 25 ClearPass Enterprise licenses. 10 ClearPass Enterprise licenses. 25 ClearPass Redundancy licenses. An employee provisions a personal smart phone using the Onboard process. In addition, the employee has a corporate laptop provided by IT that connects to the secure network. How many licenses does the employee consume?. 1 Policy Manager license, 2 Guest Licenses. 2 Policy Manager licenses, 1 Onboard License. 1 Policy Manager license, 1 Onboard License. 1 Policy Manager license, 1 Guest License. 2 Policy Manager licenses, 2 Onboard Licenses. A customer would like to deploy ClearPass with these requirements: every day, 100 employees need to authenticate with their corporate laptops using EAP-TLS; every Friday, a meeting with business partners takes place and an additional 50 devices need to authenticate using Web Login Guest Authentication. What should the customer do regarding licenses? (Select two.). When counting policy manager licenses, include the additional 50 business partner devices. When counting policy manager licenses, exclude the additional 50 business partner devices. Purchase Onboard licenses. Purchase guest licenses. Purchase Onguard licenses. An employee authenticates using a corporate laptop and runs the persistent Onguard agent to send a health check back to the Policy Manager. Based on the health of the device, a VLAN is assigned to the corporate laptop. Which licenses are consumed in this scenario?. 1 Policy Manager license, 1 Onboard License. 2 Policy Manager licenses, 1 Onguard License. 1 Policy Manager license, 1 Profile License. 2 Policy Manager licenses, 2 Onguard licenses. 1 Policy Manager license, 1 Onguard License. 
A customer would like to deploy ClearPass with these requirements: between 2000 to 3000 corporate users need to authenticate daily using EAP-TLS; should allow for up to 1000 employee devices to be Onboarded; should allow up to 100 guest users each day to authenticate using the web login feature. What is the license mix that customer will need to purchase?. CP-HW-2k, 1000 Onboard, 100 Guest. CP-HW-500, 1000 Onboard, 100 Guest. CP-HW-5k, 2500 Enterprise. CP-HW-5k, 1000 Enterprise. CP-HW-5k, 100 Onboard, 100 Guest. Refer to the exhibit. Based on the ClearPass and Aruba Controller configuration settings for Onboarding shown, which statement accurately describes an employee’s new personal device connecting to the Onboarding network? (Select two.). Post-Onboarding, the device will be assigned the BYOD-Provision firewall role in the Aruba Controller. Pre-Onboarding, the device will be redirected to the ‘Onboarding Page’ Captive Portal. The BYOD-Provision role is a ClearPass internal role and exists in ClearPass. The device will not be redirected to any Onboarding page. Pre-Onboarding, the device will be assigned the BYOD-Provision firewall role in the Aruba Controller. Which authentication protocols can be used for authenticating Windows clients that are Onboarded? (Select two.). EAP-GTC. PAP. EAP-TLS. CHAP. PEAP with MSCHAPv2. Which devices support Apple over-the-air provisioning? (Select two.). IOS 5. Laptop running Mac OS X 10.8. Laptop running Mac OS X 10.6. Android 2.2. Windows XP. An Android device goes through the single-SSID Onboarding process and successfully connects using EAP-TLS to the secure network. What is the order in which services are triggered?. Onboard Authorization, Onboard Provisioning, Onboard Authorization. Onboard Provisioning, Onboard Pre-Auth, Onboard Authorization, Onboard Provisioning. Onboard Provisioning, Onboard Authorization, Onboard Pre-Auth. Onboard Provisioning, Onboard Authorization, Onboard Provisioning. 
Onboard Provisioning, Onboard Pre-Auth, Onboard Authorization. What is the certificate format PKCS #7, or .p7b, used for?. Certificate Signing Request. Binary encoded X.509 certificate. Binary encoded X.509 certificate with public key. Certificate with an encrypted private key. Certificate chain. Refer to the exhibit. Based on the configuration for ‘maximum devices’ shown, which statement accurately describes its settings?. The user cannot Onboard any devices. It limits the total number of devices that can be provisioned by ClearPass. It limits the total number of Onboarded devices connected to the network. It limits the number of devices that a single user can Onboard. It limits the number of devices that a single user can connect to the network. Refer to the exhibit. Based on the Enforcement Policy configuration shown, which Enforcement Profile will an employee receive when connecting an IOS device to the network for the first time using EAP-PEAP?. Deny Access Profile. Onboard Device Repository. Cannot be determined. Onboard Post-Provisioning – Aruba. Onboard Pre-Provisioning – Aruba. Which device type supports Exchange ActiveSync configuration with Onboard?. Linux laptop. Mac OS X device. Apple iOS device. Windows laptop. Android device. Refer to the exhibit. An employee connects a corporate laptop to the network and authenticates for the first time using EAP-TLS. Based on the Enforcement Policy configuration shown, which Enforcement Profile will be sent?. Onboard Post-Provisioning – Aruba. Onboard Pre-Provisioning – Aruba. Deny Access Profile. Onboard Device Repository. Refer to the exhibit. What is the purpose of the ‘Clock Skew Allowance’ setting? (Select two.). to ensure server certificate validation does not fail due to client clock sync issues. to set start time in client certificate to a few minutes before current time. to adjust clock time on client device to a few minutes before current time. 
to ensure client certificate validation does not fail due to client clock sync issues. to set expiry time in client certificate to a few minutes longer than the default setting. Refer to the exhibit. Based on the information shown, what will be the outcome when the administrator chooses “Deny Access to this Device”? (Select two.). EAP-TLS Authentication will be unaffected. The user can Onboard their device again. A new device certificate will be automatically pushed out to the device. The user cannot Onboard their device again. EAP-TLS Authentication will fail. Refer to the exhibit. Based on the configuration for the client’s certificate private key as shown, which statements accurately describe the settings? (Select two.). The private key is stored in the ClearPass server. The private key is stored in the user device. The private key for TLS client certificates is not created. More bits in the private key will increase security. More bits in the private key will reduce security. What does Authorization allow users to do in a Policy Service?. To use attributes in databases in role mapping and Enforcement. To use attributes stored in databases in Enforcement only, but not role mapping. To use attributes stored in external databases for Enforcement, but not internal databases. To use attributes stored in databases in role mapping only, but not Enforcement. To use attributes stored in internal databases for Enforcement, but not external databases. Which components of a ClearPass is mandatory?. Authorization Source. Profiler. Role Mapping Policy. Enforcement. Posture. Use the arrows to sort the steps to request a Policy Service on the left into the order they are performed on the right. ClearPass tests the request against Service Rules to select a Policy Server. ClearPass applies the Enforcement Policy. ClearPass sends the Enforcement profile attributes to the NAD. NAD forwards authentication request to ClearPass. Refer to the exhibit. 
Under which circumstances will ClearPass select the Policy Service named ‘Test device group’?. when the NAD belongs to an AirWave device group HQ. when the ClearPass IP address is part of the device group HQ. when the Aruba access point that the client is associated to is part of the device group HQ. when an end user IP address is part of the device group HQ. when the IP address of the NAD is part of the device group HQ. Refer to the exhibit. An AD user’s department attribute value is configured as “Product Management”. The user connects on Monday to a NAD that belongs to the Device Group HQ. Which role is assigned to the user in ClearPass?. HR Local. [Guest]. [Employee]. Linux User. Executive. Refer to the exhibit. The ClearPass Event Viewer displays an error when a user authenticates with EAP-TLS to ClearPass through an Aruba Controller Wireless Network. What is the cause of this error?. The controller’s shared secret used during the certificate exchange is incorrect. The NAS source interface IP is incorrect. The client sent an incorrect shared secret for the 802.1X authentication. The controller used an incorrect shared secret for the RADIUS authentication. The client’s shared secret used during the certificate exchange is incorrect. Which types of files are stored in the Local Shared Folders database in ClearPass? (Select two.). Software image. Backup files. Log files. Device fingerprint dictionaries. Posture dictionaries. Refer to the exhibit. What information can be drawn from the audit row detail shown? (Select two.). radius01 was deleted from the list of authentication sources. The policy service was moved to position number 4. radius01 was moved to position number 4. The policy service was moved to position number 3. radius01 was added as an authentication source. Under which circumstances is it necessary to use an SNMP based Enforcement profile to send a VLAN?. when a VLAN must be assigned to a wired user on an Aruba Mobility Controller. 
when a VLAN must be assigned to a wireless user on an Aruba Mobility Controller. when a VLAN must be assigned to a wired user on a third party wired switch that does not support RADIUS return attributes. when a VLAN must be assigned to a wired user on an Aruba Mobility Access Switch. when a VLAN must be assigned to a wired user on a third party wired switch that does not support RADIUS accounting. What must be configured to enable RADIUS authentication with ClearPass on a network access device (NAD)? (Select two.). the ClearPass server must have the network device added as a valid NAD. the ClearPass server certificate must be installed on the NAD. a matching shared secret must be configured on both the ClearPass server and NAD. an NTP server needs to be set up on the NAD. a bind username and bind password must be provided. Refer to the exhibit. An administrator configured a service and tested authentication, but was unable to complete authentication successfully. The administrator performs a Search using insight and the information displays as shown. What is a possible reason for the ErrorCode ‘Failed to classify request to service’ shown?. The user failed authentication due to an incorrect password. ClearPass could not match the authentication request to a service, but the user passed authentication. ClearPass service authentication sources were not configured correctly. The NAD did not send the authentication request. ClearPass service rules were not configured correctly. What is the purpose of RADIUS CoA (RFC 3576)?. to force the client to re-authenticate upon roaming to a new Controller. to apply firewall policies based on authentication credentials. to validate a host MAC address against a whitelist or a blacklist. to authenticate users or devices before granting them access to a network. to transmit messages to the NAD/NAS to modify a user’s session status. Refer to the exhibit. 
Which statement accurately reflects the status of the Policy Simulation test figure shown?. The test verifies that a client with username test1 can authenticate using EAP-PEAP. Role mapping simulation verifies if the remote lab AD has the ClearPass server certificate. Role mapping simulation verifies that the client certificate is valid during EAP-TLS authentication. The simulation test result shows the firewall roles assigned to the client by the Aruba Controller. The roles assigned in the results tab are based on rules matched in the AD Role Mapping Policy. What is the purpose of the Audit Viewer in the Monitoring section of ClearPass Policy Manager?. to audit client authentications. to display changes made to the ClearPass configuration. to display the entire configuration of the ClearPass Policy Manager. to audit the network for PCI compliance. to display system events like high CPU usage. Refer to the exhibit. Based on the configuration of a Windows 802.1X supplicant shown, what will be the outcome of selecting ‘Validate server certificate’?. The server and client will perform an HTTPS SSL certificate exchange. The client will verify the server certificate against a trusted CA. The client will send its private key to the server for verification. The server will send its private key to the client for verification. The client will send its certificate to the server for verification. Which settings need to be validated for a successful EAP-TLS authentication? (Select two.). Username and Password. Pre-shared key. WPA2-PSK. Server Certificate. Client Certificate. Refer to the exhibit. Which types of records will the report shown display?. all RADIUS authentications from the 10.8.10.100 NAD to ClearPass. all failed RADIUS authentications through ClearPass. only Windows devices that have authenticated through the 10.8.10.100 NAD. all successful RADIUS authentications through ClearPass. all successful RADIUS authentications from the 10.8.10.100 NAD to ClearPass. 
Based on the Policy configuration shown, which VLAN will be assigned when a user with ClearPass role Engineer authenticates to the network successfully using connection protocol WEBAUTH?. Deny Access. Employee VLAN. Internet VLAN. Full Access VLAN. Which statement accurately describes configuration of Data and Management ports on the ClearPass appliance? (Select two.). Configuration of the management port is optional. Configuration of the management port is mandatory. Configuration of the data port is mandatory. Configuration of the data port is optional. Static IP addresses are only allowed on the management port, not the data port. What is a benefit of ClearPass Onguard?. It enables organizations to run advanced endpoint posture assessments. It allows a receptionist in a hotel to create accounts for guest users. It allows employees to self-provision their personal devices on the corporate network. It offers an easy way for users to self-configure their devices to support 802.1X authentication on wired and wireless networks. It allows employees to create temporary accounts for Wi-Fi access. A guest self-registered through a Publisher’s Register page. Which statement accurately describes how the guest’s account will be stored?. It will be stored in the Publisher’s guest user repository and the Subscriber’s Onboard user repository. It will be stored in the Publisher’s local user repository and the Subscriber’s guest user repository. It will be stored in the Publisher’s guest user repository permanently, but only for 14 days in the Subscriber’s guest user repository. It will be stored in both the Publisher’s guest user repository and the Subscriber’s guest user repository. It will be stored in the Publisher’s guest user repository, but not the Subscriber’s. Which IP address should be set as the DHCP relay on an Aruba Controller for device fingerprinting on ClearPass?. DHCP server IP. Active Directory IP. Switch IP. Microsoft NPS server IP. ClearPass server IP. 
Which collectors can be used for device profiling? (Select two.) Username and Password. ActiveSync Plugin. Client’s role on the controller. Onguard agent. Active Directory Attributes.

Which checks are made with Onguard posture evaluation in ClearPass? (Select three.) Registry keys. EAP TLS certificate validity. Client role check. Peer-to-peer application checks. Operating System version.

Why is a terminate session enforcement profile used during posture checks with 802.1x authentication? To send a RADIUS CoA message from the ClearPass server to the client. To disconnect the user for 30 seconds when they are in an unhealthy posture state. To blacklist the user when they are in an unhealthy posture state. To force the user to re-authenticate and run through the service flow again. To remediate the client applications and firewall so that updates can be installed.

Refer to the exhibit. Based on the Enforcement Policy configuration shown, when a user with Role Engineer connects to the network and the posture token assigned is Unknown, which Enforcement Profile will be applied? EMPLOYEE_VLAN. RestrictedACL. Deny Access Profile. HR VLAN. Remote Employee ACL.

A client’s authentication is failing and there are no entries in the ClearPass Access tracker. What is a possible reason for the authentication failure? The user account has expired. The client used a wrong password. The shared secret between the NAD and ClearPass does not match. The user’s certificate is invalid. The user is not found in the database.

Refer to the exhibit. Based on the information shown on a client’s laptop, what will happen next? The web login page will be displayed. The client will send a NAS authentication request to ClearPass. ClearPass will send a NAS authentication request to the NAD. The NAD will send an authentication request to ClearPass. The user will be presented with a self-registration receipt.
What does a Windows client need for it to perform EAP-PEAP successfully when ‘Validate server Certificate’ is not enabled? Pre-shared key. Client Certificate. WPA2-PSK. Username and Password. Server Certificate.

Refer to the exhibit. What can be concluded from the Access Tracker output shown? The client used incorrect credentials to authenticate to the network. ClearPass does not have a service enabled for MAC authentication. The client MAC address is not present in the Endpoints table in the ClearPass database. The RADIUS client on the Windows server failed to categorize the service correctly. The client wireless profile is incorrectly setup.

Refer to the exhibit. Based on the Policy configuration shown, which VLAN will be assigned when a user with ClearPass role Engineer authenticates to the network successfully on Saturday using connection protocol WEBAUTH? Full Access VLAN. Employee VLAN. Internet VLAN. Deny Access.

If the “Alerts” tab in an access tracker entry shows the following error message: “Access denied by policy”, what could be a possible cause for authentication failure? Configuration of the Enforcement Policy. An error in the role mapping policy. Failure to select an appropriate authentication method for the authentication request. Implementation of a firewall policy on ClearPass. Failure to find an appropriate service to process the authentication request.

Refer to the exhibit. An AD user’s department attribute is configured as “HR”. The user connects on Monday using an Android phone to an Aruba Controller that belongs to the Device Group Remote NAD. Which roles are assigned to the user in ClearPass? (Select two.) Executive. iOS Device. Vendor. Remote Employee. HR Local.

When is the RADIUS server certificate used? (Select two.) During dual SSID onboarding, when the client connects to the Guest network. During EAP-PEAP authentication in single SSID onboarding.
During post-Onboard EAP-TLS authentication, when the client verifies the server certificate. During Onboard Web Login Pre-Auth, when the client loads the Onboarding web page. During post-Onboard EAP-TLS authentication, when the server verifies the client certificate.

Refer to the exhibit. Based on the configuration of the Enforcement Profiles in the Onboard Authorization service shown, which Onboarding action will occur? The device will be disconnected from the network after Onboarding so that an EAP-TLS authentication is not performed. The device will be disconnected from and reconnected to the network after Onboarding is completed. The device’s onboard authorization request will be denied. The device will be disconnected after post-Onboarding EAP-TLS authentication, so a second EAP-TLS authentication is performed. After logging in on the Onboard web login page, the device will be disconnected from and reconnected to the network before Onboard begins.

In a single SSID Onboarding, which method can be used in the Enforcement Policy to distinguish between a provisioned device and a device that has not gone through the Onboard workflow? Active Directory Attributes. Network Access Device used. Endpoint OS Category. Onguard Agent used. Authentication Method used.

An organization implements dual SSID Onboarding. The administrator used the Onboard service template to create services for dual SSID Onboarding. Which statement accurately describes the outcome? The Onboard Provisioning service is triggered when the user connects to the provisioning SSID to Onboard their device. The Onboard Authorization service is triggered when the user connects to the secure SSID. The Onboard Authorization service is triggered during the Onboarding process. The device connects to the secure SSID for provisioning. The Onboard Authorization service is never triggered.

Refer to the exhibit.
Which statements accurately describe the status of the Onboarded devices in the configuration for the network settings shown? (Select two.) They will connect to Employee_Secure SSID after provisioning. They will connect to Employee_Secure SSID for provisioning their devices. They will use WPA2-PSK with AES when connecting to the SSID. They will connect to secure_emp SSID after provisioning. They will perform 802.1X authentication when connecting to the SSID.

Which use cases will require a ClearPass Guest application license? (Select two.) Guest device fingerprinting. Guest endpoint health assessment. Sponsor based guest user access. Guest user self-registration for access. Guest personal device onboarding.

A customer would like to deploy ClearPass with these requirements:
- 2000 devices need to be Onboarded
- 2000 corporate devices need to run posture checks daily
- 500 guest users need to authenticate each day using the web login feature

What is the license mix that the customer will need to purchase? CP-HW-5k, 2500 ClearPass Enterprise. CP-HW-25k, 4500 ClearPass Enterprise. CP-HW-500, 2500 ClearPass Enterprise. CP-HW-25k, 4000 ClearPass Enterprise. CP-HW-5k, 4500 ClearPass Enterprise.

Refer to the exhibit. Based on the Translation Rule configuration shown, what will be the outcome? An AD user from group Administrators will be assigned the operator profile of IT Administrators. All ClearPass Policy Manager admin users who are members of the Administrators AD group will be assigned the TACACS profile of IT Administrators. All active directory users will be assigned the operator profile of IT Administrators. A user from AD group MatchAdmin will be assigned the operator profile of IT Administrators.

Refer to the exhibit. Based on the Aruba TACACS+ dictionary shown, how is the Aruba-Role attribute used? The Aruba-Admin-Role on the controller is applied to users using TACACS+ to login to the Policy Manager.
To assign different privileges to clients during 802.1X authentication. To assign different privileges to administrators logging into an Aruba NAD. It is used by ClearPass to assign TIPS roles to clients during 802.1X authentication. To assign different privileges to administrators logging into ClearPass.

In which ways can ClearPass derive client roles during policy service processing? (Select two.) From the attributes configured in Active Directory. From the server derivation rule in the Aruba Controller server group for the client. From the Aruba Network Access Device. From the attributes configured in a Network Access Device. Through a role mapping policy.

Refer to the exhibit. An administrator logs in to the Guest module in ClearPass and ‘Manage Accounts’ displays as shown. When a user with username donald@disney.com attempts to access the Web Login page, what will be the outcome? The user will be able to log in and authenticate successfully but will then be immediately disconnected. The user will be able to log in for the next 4.9 days, but then will no longer be able to log in. The user will not be able to log in and authenticate. The user will be able to log in and authenticate successfully, but will then get a quarantine role. The user will not be able to access the Web Login page.

Refer to the exhibit. An Enforcement Profile has been created in the Policy Manager as shown. Which action will ClearPass take based on the Enforcement Profile? It will send the Session-Timeout attribute in the RADIUS Access-Request packet to the NAD and the NAD will end the user’s session after 600 seconds. It will send the Session-Timeout attribute in the RADIUS Access-Accept packet to the User and the user’s session will be terminated after 600 seconds. It will count down 600 seconds and send a RADIUS CoA message to the NAD to end the user’s session after this time is up.
It will count down 600 seconds and send a RADIUS CoA message to the user to end the user’s session after this time is up. It will send the Session-Timeout attribute in the RADIUS Access-Accept packet to the NAD and the NAD will end the user’s session after 600 seconds.

Use this form to make changes to the RADIUS Web Login Guest Network. A Web Login page is configured in ClearPass Guest as shown. What is the purpose of the Pre-Auth Check? To authenticate users after the NAD sends an authentication request to ClearPass. To authenticate users before the client sends the credentials to the NAD. To authenticate users when they are roaming from one NAD to another. To authenticate users before they launch the Web Login Page. To replace the need for the NAD to send an authentication request to ClearPass.

Refer to the exhibit. Based on the guest Self-Registration with Sponsor Approval workflow shown, at which stage does the sponsor approve the user’s request? After the RADIUS Access-Request. After the NAS login, but before the RADIUS Access-Request. Before the user can submit the registration form. After the RADIUS Access-Response. After the receipt page is displayed, before the NAS login.

What is the purpose of ClearPass Onboard? to provide MAC authentication for devices that don’t support 802.1x. to run health checks on end user devices. to provision personal devices to securely connect to the network. to configure self-registration pages for guest users. to provide guest access for visitors to connect to the network.

Refer to the exhibit. Based on the configuration of a Windows 802.1X supplicant shown, what will be the outcome when ‘Automatically use my Windows logon name and password’ are selected? The client will use machine authentication. The client’s Windows login username and password will be sent inside a certificate to the Active Directory server. The client’s Windows login username and password will be sent to the Authentication server.
The client will need to re-authenticate every time they connect to the network. The client will prompt the user to enter the logon username and password.

A bank would like to deploy ClearPass Guest with web login authentication so that their customers can self-register on the network to get network access when they have meetings with bank employees. However, they’re concerned about security. What is true? (Choose three.) If HTTPS is used for the web login page, after authentication is completed guest Internet traffic will all be encrypted as well. During web login authentication, if HTTPS is used for the web login page, guest credentials will be encrypted. After authentication, an IPSEC VPN on the guest’s client can be used to encrypt Internet traffic. HTTPS should never be used for Web Login Page authentication. If HTTPS is used for the web login page, after authentication is completed some guest Internet traffic may be unencrypted.

Which statement is true about the databases in ClearPass? Entries in the guest user database do not expire. A Static host list can only contain a list of IP addresses. Entries in the guest user database can be deleted. Entries in the local user database cannot be modified. The endpoints database can only be populated by manually adding MAC addresses to the table.

Which are valid policy simulation types in ClearPass? (Choose three.) Enforcement Policy. Posture token derivation. Role Mapping. Endpoint Profiler. Chained simulation.

Which statement is true? (Choose two.) Mobile Device Management is the result of Onboarding. Third party Mobile Device Management solutions can be integrated with ClearPass. Mobile Device Management is the authentication that happens before Onboarding. Mobile Device Management is an application container that is used to provision work applications. Mobile Device Management is used to control device functions post-Onboarding.

Refer to the exhibit. What does the Cache Timeout Value refer to?
The amount of time the Policy Manager caches the user credentials stored in the Active Directory. The amount of time the Policy Manager waits for a response from the Active Directory before checking the backup authentication source. The amount of time the Policy Manager caches the user attributes fetched from Active Directory. The amount of time the Policy Manager waits for response from the Active Directory before sending a timeout message to the Network Access Device. The amount of time the Policy Manager caches the user’s client certificate.

Refer to the exhibit. Based on the Local User repository in ClearPass shown, which Aruba firewall role will be assigned to “mike” when this user authenticates to the Aruba Controller? We can’t know this from the screenshot above. mike. Employee. john.

Refer to the exhibit. Based on the Posture Policy configuration shown above, which statement is true? This Posture Policy can only be applied to an 802.1x wired service not 802.1x wireless. This Posture Policy checks the health status of devices running Windows, Linux and Mac OS X. This Posture Policy can use either the persistent or dissolvable Onguard agent to obtain the statement of health. This Posture Policy checks for presence of a firewall application in Windows devices. This Posture Policy checks with a Windows NPS server for posture tokens.

Which statement is true about the configuration of a generic LDAP server as an External Authentication server in ClearPass? (Choose three.) Generic LDAP Browser can be used to search the Base DN. An administrator can customize the selection of attributes fetched from an LDAP server. The bind DN can be in the administrator@domain format. A maximum of one generic LDAP server can be configured in ClearPass. A LDAP Browser can be used to search the Base DN.

During a web login authentication, what is expected to happen as part of the Automated NAS login? NAD sends TACACS+ request to ClearPass. ClearPass sends TACACS+ request to NAD.
Client device sends RADIUS request to NAD. NAD sends RADIUS request to ClearPass. ClearPass sends RADIUS request to NAD.

What does the Posture Token QUARANTINE imply? The client is compliant. However, there is an update available to remediate the client to HEALTHY state. The posture of the client is unknown. The client is infected and is a threat to other systems in the network. The client is out of compliance, but has HEALTHY state. The client is out of compliance.

Refer to the exhibit. Which statements accurately describe the status of the Onboarded devices in the configuration for the network settings shown? (Select two.) They will connect to Employee_Secure SSID after provisioning. They will connect to Employee_Secure SSID for provisioning their devices. They will use WPA2-PSK with AES when connecting to the SSID. They will connect to secure_emp SSID after provisioning. They will perform 802.1X authentication when connecting to the SSID. |