Weekend Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Question # 4

You have been asked to send RADIUS debug messages from an ArubaOS-CX switch to a central SIEM server at 10.5.15.6. The server is already defined on the switch with this command: logging 10.5.6.12

You enter this command: debug radius all

What is the correct debug destination?

A.

console

B.

file

C.

syslog

D.

buffer

Full Access
Question # 5

What is one of the roles of the network access server (NAS) in the AAA framewonx?

A.

It authenticates legitimate users and uses policies to determine which resources each user is allowed to access.

B.

It negotiates with each user's device to determine which EAP method is used for authentication

C.

It enforces access to network services and sends accounting information to the AAA server

D.

It determines which resources authenticated users are allowed to access and monitors each users session

Full Access
Question # 6

You need to implement a WPA3-Enterprise network that can also support WPA2-Enterprise clients. What is a valid configuration for the WPA3-Enterprise WLAN?

A.

CNSA mode disabled with 256-bit keys

B.

CNSA mode disabled with 128-bit keys

C.

CNSA mode enabled with 256-bit keys

D.

CNSA mode enabled with 128-bit keys

Full Access
Question # 7

A company with 439 employees wants to deploy an open WLAN for guests. The company wants the experience to be as follows:

*Guests select the WLAN and connect without having to enter a password.

*Guests are redirected to a welcome web page and log in.

The company also wants to provide encryption for the network for devices that are capable. Which security options should you implement for the WLAN?

A.

Opportunistic Wireless Encryption (OWE) and WPA3-Personal

B.

WPA3-Personal and MAC-Auth

C.

Captive portal and Opportunistic Wireless Encryption (OWE) in transition mode

D.

Captive portal and WPA3-Personal

Full Access
Question # 8

You have deployed a new Aruba Mobility Controller (MC) and campus APs (CAPs). One of the WLANs enforces 802.IX authentication lo Aruba ClearPass Policy Manager {CPPM) When you test connecting the client to the WLAN. the test falls You check Aruba ClearPass Access Tracker and cannot find a record of the authentication attempt You ping from the MC to CPPM. and the ping is successful.

What is a good next step for troubleshooting?

A.

Renew CPPM's RADIUS/EAP certificate

B.

Reset the user credentials

C.

Check CPPM Event viewer.

D.

Check connectivity between CPPM and a backend directory server

Full Access
Question # 9

A company has an ArubaOS solution. The company wants to prevent users assigned to the "user_group1" role from using gaming and peer-to-peer applications.

What is the recommended approach for these requirements?

A.

Make sure DPI is enabled, and add application rules that deny gaming and peer-to-peer applications to the "user_groupr role.

B.

Create ALGs for the gaming and peer-to-peer applications, and deny the "user_group1" role on the ALGs.

C.

Add access control rules to the "user_group1" role, which deny HTTP/HTTPS traffic to IP addresses associated with gaming and peer-to-peer applications.

D.

Create service aliases for the TCP ports associated with gaming and peer-to-per applications, and use those aliases in access control rules for the "user_group" rules.

Full Access
Question # 10

What is one benefit of a Trusted Platform Module (TPM) on an Aruba AP?

A.

It enables secure boot, which detects if hackers corrupt the OS with malware.

B.

It deploys the AP with enhanced security, which includes disabling the password recovery mechanism.

C.

It allows the AP to run in secure mode, which automatically enables CPsec and disables the console port.

D.

It enables the AP to encrypt and decrypt 802.11 traffic locally, rather than at the MC.

Full Access
Question # 11

What distinguishes a Distributed Denial of Service (DDoS) attack from a traditional Denial or service attack (DoS)?

A.

A DDoS attack originates from external devices, while a DoS attack originates from internal devices

B.

A DDoS attack is launched from multiple devices, while a DoS attack is launched from a single device

C.

A DoS attack targets one server, a DDoS attack targets all the clients that use a server

D.

A DDoS attack targets multiple devices, while a DoS Is designed to Incapacitate only one device

Full Access
Question # 12

You have an Aruba Mobility Controller (MC). for which you are already using Aruba ClearPass Policy Manager (CPPM) to authenticate access to the Web Ul with usernames and passwords You now want to enable managers to use certificates to log in to the Web Ul CPPM will continue to act as the external server to check the names in managers' certificates and tell the MC the managers' correct rote

in addition to enabling certificate authentication. what is a step that you should complete on the MC?

A.

Verify that the MC has the correct certificates, and add RadSec to the RADIUS server configuration for CPPM

B.

install all of the managers' certificates on the MC as OCSP Responder certificates

C.

Verify that the MC trusts CPPM's HTTPS certificate by uploading a trusted CA certificate Also, configure a CPPM username and password on the MC

D.

Create a local admin account mat uses certificates in the account, specify the correct trusted CA certificate and external authentication

Full Access
Question # 13

What is symmetric encryption?

A.

It simultaneously creates ciphertext and a same-size MAC.

B.

It any form of encryption mat ensures that thee ciphertext Is the same length as the plaintext.

C.

It uses the same key to encrypt plaintext as to decrypt ciphertext.

D.

It uses a Key that is double the size of the message which it encrypts.

Full Access
Question # 14

You need to deploy an Aruba instant AP where users can physically reach It. What are two recommended options for enhancing security for management access to the AP? (Select two )

A.

Disable Its console ports

B.

Place a Tamper Evident Label (TELS) over its console port

C.

Disable the Web Ul.

D.

Configure WPA3-Enterpnse security on the AP

E.

install a CA-signed certificate

Full Access
Question # 15

Which is a correct description of a Public Key Infrastructure (PKI)?

A.

A device uses Intermediate Certification Authorities (CAs) to enable it to trust root CAs that are different from the root CA that signed its own certificate.

B.

A user must manually choose to trust intermediate and end-entity certificates, or those certificates must be installed on the device as trusted in advance.

C.

Root Certification Authorities (CAs) primarily sign certificates, and Intermediate Certification Authorities (CAs) primarily validate signatures.

D.

A user must manually choose to trust a root Certification Authority (CA) certificate, or the root CA certificate must be installed on the device as trusted.

Full Access
Question # 16

Why might devices use a Diffie-Hellman exchange?

A.

to agree on a shared secret in a secure manner over an insecure network

B.

to obtain a digital certificate signed by a trusted Certification Authority

C.

to prove knowledge of a passphrase without transmitting the passphrase

D.

to signal that they want to use asymmetric encryption for future communications

Full Access
Question # 17

You have an Aruba Mobility Controller (MC) that is locked in a closet. What is another step that Aruba recommends to protect the MC from unauthorized access?

A.

Use local authentication rather than external authentication to authenticate admins.

B.

Change the password recovery password.

C.

Set the local admin password to a long random value that is unknown or locked up securely.

D.

Disable local authentication of administrators entirely.

Full Access
Question # 18

Refer to the exhibit.

This Aruba Mobility Controller (MC) should authenticate managers who access the Web Ul to ClearPass Policy Manager (CPPM) ClearPass admins have asked you to use RADIUS and explained that the MC should accept managers' roles in Aruba-Admin-Role VSAs

Which setting should you change to follow Aruba best security practices?

A.

Change the local user role to read-only

B.

Clear the MSCHAP check box

C.

Disable local authentication

D.

Change the default role to "guest-provisioning"

Full Access
Question # 19

You are configuring ArubaOS-CX switches to tunnel client traffic to an Aruba Mobility Controller (MC). What should you do to enhance security for control channel communications between the switches and the MC?

A.

Create one UBT zone for control traffic and a second UBT zone for clients.

B.

Configure a long, random PAPI security key that matches on the switches and the MC.

C.

install certificates on the switches, and make sure that CPsec is enabled on the MC

D.

Make sure that the UBT client vlan is assigned to the interface on which the switches reach the MC and only that interface.

Full Access
Question # 20

How can hackers implement a man-in-the-middle (MITM) attack against a wireless client?

A.

The hacker uses a combination of software and hardware to jam the RF band and prevent the client from connecting to any wireless networks.

B.

The hacker runs an NMap scan on the wireless client to find its MAC and IP address. The hacker then connects to another network and spoofs those addresses.

C.

The hacker connects a device to the same wireless network as the client and responds to the client’s ARP requests with the hacker device’s MAC address.

D.

The hacker uses spear-phishing to probe for the IP addresses that the client is attempting to reach. The hacker device then spoofs those IP addresses.

Full Access
Question # 21

What is a use case for implementing RadSec instead of RADIUS?

A.

A university wants to protect communications between the students' devices and the network access server.

B.

A corporation wants to implement EAP-TLS to authenticate wireless users at their main office.

C.

A school district wants to protect messages sent between RADIUS clients and servers over an untrusted network.

D.

A organization wants to strengthen the encryption used to protect RADIUS communications without increasing complexity.

Full Access
Question # 22

What is one practice that can help you to maintain a digital chain or custody In your network?

A.

Enable packet capturing on Instant AP or Moodily Controller (MC) datepath on an ongoing basis

B.

Enable packet capturing on Instant AP or Mobility Controller (MC) control path on an ongoing basis.

C.

Ensure that all network infrastructure devices receive a valid clock using authenticated NTP

D.

Ensure that all network Infrastructure devices use RADIUS rather than TACACS+ to authenticate managers

Full Access
Question # 23

A company has Aruba Mobility Controllers (MCs), Aruba campus APs, and ArubaOS-Switches. The company plans to use ClearPass Policy Manager (CPPM) to classify endpoints by type. This company is using only CPPM and no other ClearPass solutions.

The ClearPass admins tell you that they want to use HTTP User-Agent strings to help classify endpoints.

What should you do as a part of configuring the ArubaOS-Switches to support this requirement?

A.

Create a device fingerprinting policy that includes HTTP, and apply the policy to edge ports.

B.

Create remote mirrors that collect traffic on edge ports, and mirror it to CPPM's IP address.

C.

Configure CPPM as the sFlow collector, and make sure that sFlow is enabled on edge ports.

D.

Connect the switches to CPPM's span ports, and set up mirroring of HTTP traffic on the switches.

Full Access
Question # 24

How does the ArubaOS firewall determine which rules to apply to a specific client's traffic?

A.

The firewall applies every rule that includes the dent's IP address as the source.

B.

The firewall applies the rules in policies associated with the client's wlan

C.

The firewall applies thee rules in policies associated with the client's user role.

D.

The firewall applies every rule that includes the client's IP address as the source or destination.

Full Access
Question # 25

Refer to the exhibit, which shows the current network topology.

You are deploying a new wireless solution with an Aruba Mobility Master (MM). Aruba Mobility Controllers (MCs). and campus APs (CAPs). The solution will Include a WLAN that uses Tunnel for the forwarding mode and Implements WPA3-Enterprise security

What is a guideline for setting up the vlan for wireless devices connected to the WLAN?

A.

Assign the WLAN to a single new VLAN which is dedicated to wireless users

B.

Use wireless user roles to assign the devices to different VLANs in the 100-150 range

C.

Assign the WLAN to a named VLAN which specified 100-150 as the range of IDs.

D.

Use wireless user roles to assign the devices to a range of new vlan IDs.

Full Access
Question # 26

Refer to the exhibit.

You have set up a RADIUS server on an ArubaOS Mobility Controller (MC) when you created a WLAN named "MyEmployees .You now want to enable the MC to accept change of authorization (CoA) messages from this server for wireless sessions on this WLAN.

What Is a part of the setup on the MC?

A.

Create a dynamic authorization, or RFC 3576, server with the 10.5.5.5 address and correct shared secret.

B.

Install the root CA associated with the 10 5.5.5 server's certificate as a Trusted CA certificate.

C.

Configure a ClearPass username and password in the MyEmployees AAA profile.

D.

Enable the dynamic authorization setting in the "clearpass" authentication server settings.

Full Access
Question # 27

What is a correct use case for using the specified certificate file format?

A.

using a PKCS7 file to install a certificate plus and its private key on a device

B.

using a PKCS12 file to install a certificate plus its private key on a device

C.

using a PEM file to install a binary encoded certificate on a device

D.

using a PKCS7 file to install a binary encoded private key on a device

Full Access
Question # 28

A company has added a new user group. Users in the group try to connect to the WLAN and receive errors that the connection has no Internet access. The users cannot reach any resources. The first exhibit shows the record for one of the users who cannot connect. The second exhibit shows the role to which the ArubaOS device assigned the user's client.

What is a likely problem?

A.

The ArubaOS device has a server derivation rule configured on it that has overridden the role sent by CPPM.

B.

The ArubaOS device does not have the correct RADIUS dictionaries installed on it to under-stand the Aruba-User-Role VSA.

C.

The role name that CPPM is sending does not match the role name configured on the Aru-baOS device.

D.

The clients rejected the server authentication on their side because they do not have the root CA for CPPM's RADIUS/EAP certificate.

Full Access
Question # 29

You have a network with ArubaOS-Switches for which Aruba ClearPass Policy Manager (CPPM) is acting as a TACACS+ server to authenticate managers. CPPM assigns the admins a TACACS+ privilege level, either manager or operator. You are now adding ArubaOS-CX switches to the network. ClearPass admins want to use the same CPPM service and policies to authenticate managers on the new switches.

What should you explain?

A.

This approach cannot work because the ArubaOS-CX switches do not accept standard TACACS+ privilege levels.

B.

This approach cannot work because the ArubaOS-CX switches do not support TACACS+.

C.

This approach will work, but will need to be adjusted later if you want to assign managers to the default auditors group.

D.

This approach will work to assign admins to the default "administrators" group, but not to the default "operators" group.

Full Access
Question # 30

You are deploying a new wireless solution with an Aruba Mobility Master (MM). Aruba Mobility Controllers (MCs), and campus APs (CAPs). The solution will include a WLAN that uses Tunnel for the forwarding mode and WPA3-Enterprise for the security option.

You have decided to assign the WLAN to VLAN 301, a new VLAN. A pair of core routing switches will act as the default router for wireless user traffic.

Which links need to carry VLAN 301?

A.

only links in the campus LAN to ensure seamless roaming

B.

only links between MC ports and the core routing switches

C.

only links on the path between APs and the core routing switches

D.

only links on the path between APs and the MC

Full Access
Question # 31

What is a Key feature of me ArubaOS firewall?

A.

The firewall is stateful which means that n can track client sessions and automatically allow return traffic for permitted sessions

B.

The firewall Includes application layer gateways (ALGs). which it uses to filter Web traffic based on the reputation of the destination web site.

C.

The firewall examines all traffic at Layer 2 through Layer 4 and uses source IP addresses as the primary way to determine how to control traffic.

D.

The firewall is designed to fitter traffic primarily based on wireless 802.11 headers, making it ideal for mobility environments

Full Access