Hpe6-A15 - Accp

HP HPE6-A15
Aruba Certified ClearPass Professional 6.5

Version: 3.0
HP HPE6-A15 Exam
QUESTION NO: 1
Refer to the exhibit.
An AD user’s department attribute value is configured as “QA”. The user authenticates from a
laptop running MAC OS X.
Which role is assigned to the user in ClearPass?
A.
HR Local
B.
Remote Employee
C.
[Guest]
D.
Executive
E.
IOS Device
Answer: C
Explanation:
None of the Listed Role Name conditions are met.
QUESTION NO: 2
www.braindumps.com 2
HP HPE6-A15 Exam
Based on the Attribute configuration shown, which statement accurately describes the status of
attribute values?
A.
Only the attribute values of department and memberOf can be used in role mapping policies.
B.
The attribute values of department, title, memberOf, telephoneNumber, and mail are directly
applied as ClearPass.
C.
Only the attribute value of company can be used in role mapping policies, not the other attributes.
D.
The attribute values of department and memberOf are directly applied as ClearPass roles.
E.
Only the attribute values of title, telephoneNumber, and mail can be used in role mapping policies.
Answer: D
Explanation:
QUESTION NO: 3
Which components can use Active Directory authorization attributes for the decision-making
process? (Select two.)
A.
Profiling policy
B.
Certificate validation policy
HP HPE6-A15 Exam
C.
Role Mapping policy
D.
Enforcement policy
E.
Posture policy
Answer: C,D
Explanation:
C: Role Mappings Page - Rules Editor Page Parameters
D: Enforcement Policy Attributes tab Parameters
References:
http://www.arubanetworks.com/techdocs/ClearPass/Aruba_CPPMOnlineHelp/Content/CPPM_Use
rGuide/identity/RoleMappingPolicies.html
rGuide/PolicySim/PS_Enforcement_Policy.htm
HP HPE6-A15 Exam
QUESTION NO: 4
Based on the Authentication sources configuration shown, which statement accurately describes
the outcome if the user is not found?
A.
If the user is not found in the remotelab AD but is present in the local user repository, a reject
message is sent back to the NAD.
B.
If the user is not found in the local user repository but is present in the remotelab AD, a reject
message is sent back to the NAD.
C.
If the user is not found in the local user repository a reject message is sent back to the NAD.
D.
If the user is not found in the local user repository and remotelab AD, a reject message is sent
back to the NAD.
E.
If the user is not found in the local user repository a timeout message is sent back to the NAD.
Answer: D
Explanation:
Policy Manager looks for the device or user by executing the first filter associated with the
authentication source.
After the device or user is found, Policy Manager then authenticates this entity against this
authentication
source. The flow is outlined below:
* On successful authentication, Policy Manager moves on to the next stage of policy evaluation,
HP HPE6-A15 Exam
which
collects role mapping attributes from the authorization sources.
* Where no authentication source is specified (for example, for unmanageable devices), Policy
Manager
passes the request to the next configured policy component for this service.
* If Policy Manager does not find the connecting entity in any of the configured authentication
sources, it
rejects the request.
References: ClearPass Policy Manager 6.5 User Guide (October 2015), page 134
https://community.arubanetworks.com/aruba/attachments/aruba/SoftwareUserReferenceGuides/5
2/1/ClearPass%20Policy%20Manager%206.5%20User%20Guide.pdf
QUESTION NO: 5
Which authorization servers are supported by ClearPass? (Select two.)
A.
Aruba Controller
B.
LDAP server
C.
Cisco Controller
D.
Active Directory
E.
Aruba Mobility Access Switch
Answer: B,D
Explanation:
Authentication Sources can be one or more instances of the following examples:
* Active Directory
* LDAP Directory
HP HPE6-A15 Exam
* SQL DB
* Token Server
* Policy Manager local DB
QUESTION NO: 6
Which CLI command is used to upgrade the image of a ClearPass server?
A.
Image update
B.
System upgrade
C.
Upgrade image
D.
Reboot
E.
Upgrade software
Answer: B
Explanation:
When logged in as appadmin, you can manually install the Upgrade and Patch binaries imported
via the CLI using the
following commands:
* system update (for patches)
* system upgrade (for upgrades)
HP HPE6-A15 Exam
QUESTION NO: 7
Which steps are required to use ClearPass as a TACACS+ Authentication server for a network
device? (Select two.)
A.
Configure a TACACS Enforcement Profile on ClearPass for the desired privilege level.
B.
Configure a RADIUS Enforcement Profile on ClearPass for the desired privilege level.
C.
Configure ClearPass as an Authentication server on the network device.
D.
Configure ClearPass roles on the network device.
E.
Enable RADIUS accounting on the NAD.
Answer: A,C
Explanation:
You need to make sure you modify your policy (Configuration » Enforcement » Policies » Edit -
[Admin Network Login Policy]) and add your AD group settings in to the corresponding privilege
level.
QUESTION NO: 8
What is the purpose of Operator Profiles?
A.
to enforce role based access control for Aruba Controllers
B.
to enforce role based access control for ClearPass Policy Manager admin users
HP HPE6-A15 Exam
C.
to enforce role based access control for ClearPass Guest Admin users
D.
to assign ClearPass roles to guest users
E.
to map AD attributes to admin privilege levels in ClearPass Guest
Answer: C
Explanation:
An operator profile determines what actions an operator is permitted to take when using
ClearPass Guest.
References:
http://www.arubanetworks.com/techdocs/ClearPass/CPGuest_UG_HTML_6.5/Content/OperatorLo
gins/OperatorProfiles.htm
QUESTION NO: 9
In the Aruba RADIUS dictionary shown, what is the purpose of the RADIUS attributes?
HP HPE6-A15 Exam
A.
to gather and send Aruba NAD information to ClearPass
B.
to gather information about Aruba NADs for ClearPass
C.
to send information via RADIUS packets to Aruba NADs
D.
to send information via RADIUS packets to clients
E.
to send CoA packets from ClearPass to the Aruba NAD
Answer: C
Explanation:
QUESTION NO: 10
Based on the Guest Role Mapping Policy shown, what is the purpose of the Role Mapping Policy?
A.
to display a role name on the Self-registration receipt page
B.
to send a firewall role back to the controller based on the Guest User’s Role ID
C.
to assign Controller roles to guests
D.
HP HPE6-A15 Exam
to assign three roles of [Contractor], [Guest] and [Employee] to every guest user
E.
to create additional account roles for guest administrators to assign to guest accounts
Answer: C
Explanation:
QUESTION NO: 11
A customer wants all guests who access a company’s guest network to have their accounts
approved by the receptionist, before they are given access to the network.
How should the network administrator set this up in ClearPass? (Select two.)
A.
Enable sponsor approval confirmation in Receipt actions.
B.
Configure SMTP messaging in the Policy Manager.
C.
Configure a MAC caching service in the Policy Manager.
D.
Configure a MAC auth service in the Policy Manager.
E.
Enable sponsor approval in the captive portal authentication profile on the NAD.
Answer: A,D
Explanation:
A: Sponsored self-registration is a means to allow guests to self-register, but not give them full
access until a sponsor (could even be a central help desk) has approved the request. When the
registration form is completed by the guest/user, an on screen message is displayed for the guest
stating the account requires approval.
Guests are disabled upon registration and need to wait on the receipt page for the confirmation
until the login button gets enabled.
HP HPE6-A15 Exam
D. Device Mac Authentication is designed for authenticating guest devices based on their MAC
address.
QUESTION NO: 12
When configuring a Web Login Page in ClearPass Guest, the information shown is displayed.
What is the page name field used for?
A.
for forming the Web Login Page URL
B.
HP HPE6-A15 Exam
for Administrators to access the PHP page, but not guests
C.
for Administrators to reference the page only
D.
for forming the Web Login Page URL where Administrators add guest users
E.
for informing the Web Login Page URL and the page name that guests must configure on their
laptop wireless supplicant.
Answer: A
Explanation:
The Page Name is an identifier page name that will appear in the URL -- for example,
"/guest/page_name.php".
References:
http://www.arubanetworks.com/techdocs/ClearPass/CPGuest_UG_HTML_6.5/Content/Configurati
on/CreateEditWebLogin.htm
QUESTION NO: 13
HP HPE6-A15 Exam
When configuring a Web Login Page in ClearPass Guest, the information shown is displayed.
What is the Address field value ‘securelogin.arubanetworks.com’ used for?
A.
for ClearPass to send a TACACS+ request to the NAD
B.
for appending to the Web Login URL, before the page name
C.
for the client to POST the user credentials to the NAD
D.
for ClearPass to send a RADIUS request to the NAD
E.
for appending to the Web Login URL, after the page name.
Answer: C
Explanation:
HP HPE6-A15 Exam
QUESTION NO: 14
A guest connects to the Guest SSID and authenticates successfully using the guest.php web login
page.
Based on the MAC Caching service information shown, which statement about the guests’ MAC
address is accurate?
A.
It will be visible in the Guest User Repository with Unknown Status
B.
It will be deleted from the Endpoint table.
C.
It will be visible in the Guest User Repository with Known Status.
D.
It will be visible in the Endpoints table with Known Status.
E.
It will be visible in the Endpoints table with Unknown Status.
Answer: D
Explanation:
QUESTION NO: 15
HP HPE6-A15 Exam
A university wants to deploy ClearPass with the Guest module. The university has two types that
need to use web login authentication. The first type of users are students whose accounts are in
an Active Directory server. The second type of users are friends of students who need to self-
register to access the network.
How should the service be set up in the Policy Manager for this network?
A.
Guest User Repository and Active Directory server both as authentication sources
B.
Active Directory server as the authentication source, and Guest User Repository as the
authorization source
C.
Guest User Repository as the authentication source, and Guest User Repository and Active
Directory server as authorization sources
D.
Either the Guest User Repository or Active Directory server should be the single authentication
source
E.
Guest User Repository as the authentication source and the Active Directory server as the
authorization source
Answer: A
Explanation:
QUESTION NO: 16
An administrator enabled the Pre-auth check for their guest self-registration.
At what stage in the registration process in this check performed?
A.
after the user clicks the login button and after the NAD sends an authentication request
B.
after the user self-registers but before the user logs in
C.
HP HPE6-A15 Exam
after the user clicks the login button but before the NAD sends an authentication request
D.
when a user is re-authenticating to the network
E.
before the user self-registers
Answer: C
Explanation:
The Onboard template is designed for configuration that allows to perform checks before allowing
Onboard provisioning for Bring Your Own Device (BYOD) use-cases. This service creates an
Onboard Pre-Auth service to check the user's credentials before starting the device provisioning
process. This also creates an authorization service that checks whether a user's device can be
provisioned using Onboard.
QUESTION NO: 17
HP HPE6-A15 Exam
Based on the guest Self-Registration with Sponsor Approval workflow shown, at which stage is an
email request sent to the sponsor?
A.
after ‘Guest Role (7)’
B.
after ‘Login Message page (5)’
C.
after ‘Submit form (3)’
D.
after ‘Automated NAS login (6)’
E.
after ‘Redirects (1)’
Answer: C
Explanation:
There's the Self Service part of provisioning one's information.
Then the sponsor/operator part to confirm that guest is valid.
Then the enablement via the sponsor/operator clicking 'confirm'.
References: https://community.arubanetworks.com/t5/Security/Guest-Captive-Portal-sponsor-
HP HPE6-A15 Exam
approval-architecture/td-p/267625
QUESTION NO: 18
A user logged in to the Self-Service Portal as shown.
What do the traffic received and sent statistics present?
A.
the total amount of the traffic the quest transmitted, as seen through RADIUS CoA packets from
the client to ClearPass
HP HPE6-A15 Exam
B.
the total amount of traffic the guest transmitted, as seen through RADIUS accounting messages
sent from the NAD to ClearPass
C.
the total amount of traffic the guest transmitted, as seen through RADIUS CoA packets from the
NAD to ClearPass
D.
the total amount of traffic the guest transmitted after account expiration, as seen through RADIUS
accounting messages sent from the NAD to ClearPass
E.
the total amount of traffic the NAD transmitted to ClearPass, as seen through RADIUS accounting
messages from the NAD to ClearPass.
Answer: B
Explanation:
QUESTION NO: 19
Based on the configuration of the create_user form shown, which statement accurately describes
the status?
HP HPE6-A15 Exam
A.
The email field will be visible to guest users when they access the web login page.
B.
The visitor_company field will be visible to operators creating the account.
C.
The visitor_company field will be visible to the guest users when they access the web login page.
D.
The visitor_phone field will be visible to the guest users in the web login page.
E.
The visitor_phone field will be visible to operators creating the account.
Answer: A
Explanation:
References: https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/expire-
timezone-field-is-not-showing-up-on-the-create-user-form/ta-p/250230
QUESTION NO: 20
HP HPE6-A15 Exam
Based on the information shown, which field in the Captive Portal Authentication profile should be
changed so that guest users are redirected to a page on ClearPass when they connect to the
Guest SSID?
A.
both Login and Welcome Page
B.
Default Role
C.
Welcome Page
D.
Default Guest Role
E.
Login Page
Answer: E
Explanation:
The Login page is the URL of the page that appears for the user logon. This can be set to any
URL.
The Welcome page is the URL of the page that appears after logon and before redirection to the
web URL. This can be set to any URL.
References:
http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/Ca
ptive_Portal/Captive_Portal_Authentic.htm
QUESTION NO: 21
A hotel chain deployed ClearPass Guest. When hotel guests connect to the Guest SSID, launch a
web browser and enter the address www.google.com, they are unable to immediately see the web
login page.
What are the likely causes of this? (Select two.)
A.
The ClearPass server has a trusted server certificate issued by Verisign.
HP HPE6-A15 Exam
B.
The ClearPass server has an untrusted server certificate issued by the internal Microsoft
Certificate server.
C.
The ClearPass server does not recognize the client’s certificate.
D.
The DNS server is not replying with an IP address for www.google.com.
Answer: B,D
Explanation:
You would need a publicly signed certificate.
References: http://community.arubanetworks.com/t5/Security/Clearpass-Guest-certificate-error-
for-guest-visitors/td-p/221992
QUESTION NO: 22
An Enforcement Profile has been created in the Policy Manager as shown.
Which action will ClearPass take based on the Enforcement Profile?
A.
it will count down 600 seconds and send a RADIUS CoA message to the NAD to end the user’s
session after this time is up
B.
it will send the Session-Timeout attribute in the RADIUS Access-Request packet to the NAD and
the NAD will end the user’s session after 600 seconds
C.
it will count down 600 seconds and send a RADIUS CoA message to the user to end the user’s
HP HPE6-A15 Exam
session after this time is up
D.
it will send the Session-Timeout attribute in the RADIUS Access-Request packet to the user and
the user’s session will be terminated after 600 seconds
Answer: D
Explanation:
Session Timeout (in seconds) - Configure the agent session timeout interval to re-evaluate the
system health again. OnGuard triggers auto-remediation using this value to enable or disable AV-
RTP status check on endpoint. Agent re-authentication is determined based on session-time out
value. You can specify the session timeout interval from 60 – 600 seconds. Setting the lower value
for session timeout interval results numerous authentication requests in Access Tracker page. The
default value is 0.
References:
rGuide/Enforce/EPAgent_Enforcement.htm
QUESTION NO: 23
Based on the information shown, what is the purpose of using [Time Source] for authorization?
A.
to check whether the MAC address status is unknown in the endpoints table
B.
to check whether the MAC address is in the MAC Caching repository
C.
HP HPE6-A15 Exam
to check how long it has been since the last web login authentication
D.
to check whether the MAC address status is known in the endpoint table.
Answer: D
Explanation:
QUESTION NO: 24
A customer with an Aruba Controller wants it to work with ClearPass Guest.
How should the customer configure ClearPass as an authentication server in the controller so that
guests are able to authenticate successfully?
A.
Add ClearPass as a RADIUS CoA server.
B.
Add ClearPass as a RADIUS authentication server.
C.
Add ClearPass as a TACACS+ authentication server.
D.
Add ClearPass as an HTTPS authentication server.
Answer: B
Explanation:
5. Configuring the Aruba Controller
5.1 Add Clearpass as RADIUS Server
Navigate to Configuration > SECURITY > Authentication > Servers
Click on RADIUS Server and enter the Name of your Clearpass Server: myClearpass
Click Add
Click on myClearpass in the Server List
HP HPE6-A15 Exam
Etc.
References: https://community.arubanetworks.com/t5/Security/Step-by-Step-Controller-CPPM-6-
5-Captive-Portal-authentication/td-p/229740
QUESTION NO: 25
Based on the Enforcement Policy configuration shown, when a user with Role Remote Worker
connects to the network and the posture token assigned is quarantine, which Enforcement Profile
will be applied?
A.
RestrictedACL
B.
Remote Employee ACL
C.
[Deny Access Profile]
D.
EMPLOYEE_VLAN
E.
HR VLAN
Answer: B
HP HPE6-A15 Exam
Explanation:
The first rule will match, and the Remote Employee ACL will be used.
QUESTION NO: 26
Based on the Access Tracker output for the user shown, which statement describes the status?
A.
The Aruba Terminate Session enforcement profile as applied because the posture check failed.
B.
A Healthy Posture Token was sent to the Policy Manager.
C.
A RADIUS-Access-Accept message is sent back to the Network Access Device.
D.
HP HPE6-A15 Exam
The authentication method used is EAP-PEAP.
E.
A NAP agent was used to obtain the posture token for the user.
Answer: B
Explanation:
We see System Posture Status: HEALTHY(0)
End systems that pass all SHV tests receive a Healthy Posture Token, if they fail a single test they
receive a Quarantine Posture Token.
References: CLEARPASS ONGUARD CONFIGURATION GUIDE (July 2015), page 13
https://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-
byod/21122/1/OnGuard%20config%20Tech%20Note%20v1.pdf
QUESTION NO: 27
Why can the Onguard posture check not be performed during 802.1x authentication?
A.
Health Checks cannot be used with 802.1x.
B.
Onguard uses RADIUS, so an additional service must be created.
C.
Onguard uses HTTPS, so an additional service must be created.
D.
Onguard uses TACACS, so an additional service must be created.
E.
802.1x is already secure, so Onguard is not needed.
Answer: C
Explanation:
OnGuard uses HTTPS to send posture information to the ClearPass appliance. For OnGuard to
use HTTPS, it must have access to the network. If a customer requires 802.1x authentication on
HP HPE6-A15 Exam
the wired switch, a separate 802.1x authentication must be used prior to the OnGuard posture
check. In this example, an 802.1x PEAP-EAP-MSCHAPv2 authentication is completed first. A
separate WebAuth service must be setup with posture checks to use the OnGuard agent.
References: MAC Authentication and OnGuard Posture Enforcement using Dell WSeries
ClearPass and Dell Networking Switches (August 2013), page 21
QUESTION NO: 28
Based on the Enforcement Profile configuration shown, which statement accurately describes
what is sent?
A.
A limited access VLAN value is sent to the Network Access Device.
B.
An unhealthy role value is sent to the Network Access Device.
C.
A message is sent to the Onguard Agent on the client device.
D.
A RADIUS CoA message is sent to bounce the client.
E.
A RADIUS access-accept message is sent to the Controller
Answer: C
HP HPE6-A15 Exam
Explanation:
The OnGuard Agent enforcement policy retrieves the posture token. If the token is HEALTHY it
returns a healthy message to the agent and bounces the session. If the token is UNHEALTHY it
returns an unhealthy message to the agent and bounces the session.
References: CLEARPASS ONGUARD CONFIGURATION GUIDE (July 2015), page 27
QUESTION NO: 29
A ClearPass administrator wants to make Enforcement decisions during 802.1x authentication

based on a client’s Onguard posture token.
Which Enforcement profile should be used on the health check service?
A.
RADIUS CoA
B.
Quarantine VLAN
C.
Full Access VLAN
D.
RADIUS Accept
E.
RADIUS Reject
Answer: A
Explanation:
The Health Check Service requires a profile to terminate the session so that the RADIUS 802.1X
authentication Service can use the posture token in a new authentication routine. The terminate
session profile will utilize the Change of Authorization feature to force a re-authentication.
See step 6) below.
Navigate to the list of Enforcement Profiles by selecting, Configuration > Enforcement > Profiles.
2. Click the + Add link in the upper right hand corner.

HP HPE6-A15 Exam
3. From the Template dropdown menu, choose RADIUS Change of Authorization (CoA).
4. Name the policy.
This example uses Dell Terminate Session as the profile name.
5. Leave all the other settings as default, and click Next > to move to the Attributes tab.
6. On the dropdown menu for Select RADIUS CoA Template, choose IETF-Terminate-Session-
IETF.
7. Click Next > and review the Summary tab (Figure 22).
8. Click Save.
References: ClearPass NAC and Posture Assessment for
Campus Networks Configuring ClearPass OnGuard, Switching, and Wireless (v1.0) (September
2015), page 22
http://en.community.dell.com/cfs-file/__key/telligent-evolution-components-attachments/13-4629-
00-00-20-44-16-18/ClearPass-NAC-and-Posture-Assessment-for-Campus-
Networks.pdf?forcedownload=true
QUESTION NO: 30
Based on the Endpoint information shown, which collectors were used to profile the device as
Apple iPad? (Select two.)
A.
HTTP User-Agent
HP HPE6-A15 Exam
B.
SNMP
C.
DHCP fingerprinting
D.
SmartDevice
E.
Onguard Agent
Answer: A,C
Explanation:
HTTP User-Agent
In some cases, DHCP fingerprints alone cannot fully classify a device. A common example is the
Apple family of smart devices; DHCP fingerprints cannot distinguish between an Apple iPad and
an iPhone. In these scenarios, User-Agent strings sent by browsers in the HTTP protocol are
useful to further refine classification results.
User-Agent strings are collected from:
* ClearPass Guest
* ClearPass Onboard
* Aruba controller through IF-MAP interface
Note: Collectors are network elements that provide data to profile endpoints.
The following collectors send endpoint attributes to Profile:
* DHCP
DHCP snooping
Span ports
* ClearPass Onboard
* HTTP User-Agent
*MAC OUI – Acquired via various auth mechanisms such as 802.1X, MAC auth, etc.
* ActiveSync plugin
* CPPM OnGuard
*SNMP
HP HPE6-A15 Exam
* Subnet Scanner
* IF-MAP
* Cisco Device Sensor (Radius Accounting)
* MDM
References: Tech Note: ClearPass Profiling (2014), page 11
https://community.arubanetworks.com/aruba/attachments/aruba/ForoenEspanol/653/1/ClearPass
%20Profiling%20TechNote.pdf
QUESTION NO: 31
A user who is tagged with the ClearPass roles of Role_Engineer and developer, but not testqa,
connects to the network with a corporate Windows laptop.
Which Enforcement Profile is applied?
A.
WIRELESS_GUEST_NETWORK
B.
WIRELESS_CAPTIVE_NETWORK
C.
WIRELESS_HANDHELD_NETWORK
D.
Deny Access
HP HPE6-A15 Exam
E.
WIRELESS_EMPLOYEE_NETWORK
Answer: E
Explanation:
MATCHES_ANY: For list data types, true if any of the run-time values in the list match one of the
configured values.
Example: Tips:Role MATCHES_ANY HR,ENG,FINANCE
References:
rGuide/Rules/Operators.htm
QUESTION NO: 32
An SNMP probe is sent from ClearPass to a network access device, but ClearPass is unable to
obtain profiling information.
What are likely causes? (Select three.)
A.
Only SNMP read has been configured but SNMP write is needed for profiling information.
B.
An external firewall is blocking SNMP traffic.
C.
SNMP is not enabled on the NAD.
D.
SNMP community string in the ClearPass and NAD configuration is mismatched.
E.
SNMP probing is not supported between ClearPass and NADs.
Answer: B,C,D
Explanation:
Verify firewall port 162 (default) is open between AMP and the controller.
HP HPE6-A15 Exam
SNMP must be enabled on the NAD.
The community string that ClearPass is using to access the NAD might be wrong.
References: https://community.arubanetworks.com/t5/Monitoring-Management-Location/SNMP-
Get-Failed-quot-error-message/ta-p/169774
QUESTION NO: 33
Which database in the Policy Manager contains the device attributes derived by profiling?
A.
Endpoints Repository
B.
Client Repository
C.
Local Users Repository
D.
Onboard Devices Repository
E.
Guest User Repository
Answer: A
Explanation:
Configure [Endpoints Repository] as Authorization Source. Endpoint profile attributes
derived by Profile are available through the ‘[Endpoint Repository]’ authorization source.
These attributes can be used in role-mapping or enforcement policies to control network
access. Available attributes are:
References: ClearPass Profiling TechNote (2014), page 29
HP HPE6-A15 Exam
QUESTION NO: 34
When a third party Mobile Device Management server is integrated with ClearPass, where is the
endpoint information from the MDM server stored in ClearPass?
A.
Endpoints repository
B.
Onboard Device repository
C.
MDM repository
D.
Guest User repository
E.
Local User repository
Answer: A
Explanation:
A service running in CPPM periodically polls MDM servers using their exposed APIs. Device
attributes obtained from MDM are added as endpoint tags. Profiler related attributes are send to
profiler which uses these attributes to derive final profile.
References: ClearPass Profiling TechNote (2014), page 23
QUESTION NO: 35
HP HPE6-A15 Exam
Based on the network topology diagram shown, how many clusters are needed for this
deployment?
A.
1
B.
2
C.
3
D.
4
E.
8
Answer: D
Explanation:
References:
http://www.arubanetworks.com/techdocs/ClearPass/Aruba_DeployGd_HTML/Content/5%20Cluste
r%20Deployment/Design_guidelines.htm
QUESTION NO: 36
HP HPE6-A15 Exam
Which statements accurately describe the cp82 ClearPass node? (Select two.)
A.
It becomes the Publisher when the primary Publisher fails.
B.
It operates as a Publisher in the same cluster as the primary Publisher when the primary is active.
C.
It operates as a Publisher in a separate cluster when the Publisher is active.
D.
It operates as a Subscriber when the Publisher is active.
E.
It stays as a Subscriber when the Publisher fails.
Answer: A,D
Explanation:
ClearPass Policy Manager allows you to designate one of the subscriber nodes in a cluster to be
the Standby Publisher, thereby providing for that subscriber node to be automatically promoted to
active Publisher status in the event that the Publisher goes out of service. This ensures that any
service degradation is limited to an absolute minimum.
When a Publisher failure is detected, the designated subscriber node is promoted to active
Publisher status.
References:
r%20Deployment/Standby_publisher.htm
QUESTION NO: 37
HP HPE6-A15 Exam
A customer wants to enable Publisher redundancy.
Based on the network topology diagram shown, which node should the network administrator
configure as the standby Publisher for the Publisher in the main data center?
A.
Subscriber in the main data center
B.
Publisher in the regional office
C.
Any of the other three Publishers
D.
Publisher in the mid-size branch
E.
Publisher in the DMZ
Answer: A
Explanation:
ClearPass Policy Manager allows you to designate one of the subscriber nodes in a cluster to be
the Standby Publisher, thereby providing for that subscriber node to be automatically promoted to
active Publisher status in the event that the Publisher goes out of service. This ensures that any
service degradation is limited to an absolute minimum.
References:
r%20Deployment/Standby_publisher.htm
HP HPE6-A15 Exam
QUESTION NO: 38
A customer wants to implement Virtual IP redundancy, such that in case of a ClearPass server
outage, 802.1x authentications will not be interrupted. The administrator has enabled a single
Virtual IP address on two ClearPass servers.
Which statements accurately describe next steps? (Select two.)
A.
The NAD should be configured with the primary node IP address for RADIUS authentication on
the 802.1x network.
B.
A new Virtual IP address should be created for each NAD.
C.
Both the primary and secondary nodes will respond to authentication requests sent to the Virtual
IP address when the primary node is active.
D.
The primary node will respond to authentication requests sent to the Virtual IP address when the
primary node is active.
E.
The NAD should be configured with the Virtual IP address for RADIUS authentications on the
802.1x network.
Answer: D,E
Explanation:
In an Aruba network, APs are controlled by a controller. The APs tunnel all data to the controller
for processing, including encryption/decryption and bridging/forwarding data. Local controller
redundancy provides APs with failover to a backup controller if a controller becomes unavailable.
Local controller redundancy is provided by running VRRP between a pair of controllers. The APs
are then configured to connect to the “virtual-IP” configured for the VRRP instance.
References:
http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Content/ArubaFrameStyles/VR
RP/Redundancy_Parameters.htm
HP HPE6-A15 Exam
QUESTION NO: 39
ClearPass and a wired switch are configured for 802.1x authentication with RADIUS CoA (RFC
3576) on UDP port 3799. This port has been blocked by a firewall between the wired switch and
ClearPass.
What will be the outcome of this state?
A.
RADIUS Authentications will fail because the wired switch will not be able to reach the ClearPass
server.
B.
During RADIUS Authentication, certificate exchange between the wired switch and ClearPass will
fail.
C.
RADIUS Authentications will timeout because the wired switch will not be able to reach the
ClearPass server.
D.
RADIUS Authentication will succeed, but Post-Authentication Disconnect-Requests from
ClearPass to the wired switch will not be delivered.
E.
RADIUS Authentication will succeed, but RADIUS Access-Accept messages from ClearPass to
the wired switch for Change of Role will not be delivered.
Answer: D
Explanation:
QUESTION NO: 40
Which statement accurately describes configuration of Data and Management ports on the
ClearPass appliance? (Select two.)
A.
Static IP addresses are only allowed on the management port.
B.
Configuration of the data port is mandatory.
HP HPE6-A15 Exam
C.
Configuration on the management port is mandatory.
D.
Configuration of the data port if optional.
E.
Configuration of the management port is optional.
Answer: C,D
Explanation:
The Management port (ethernet 0) provides access for cluster administration and appliance
maintenance using the WebUI, CLI, or internal cluster communication. This configuration is
mandatory.
The configuration of the data port is optional. If this port is not configured, requests are redirected
to the Management port.
References:
http://www.arubanetworks.com/techdocs/ClearPass/Aruba_DeployGd_HTML/Content/1%20About
%20ClearPass/Hardware_Appliance.htm
QUESTION NO: 41
Which licenses are included in the built-in Starter kit for ClearPass?
A.
10 ClearPass Guest licenses, 10 ClearPass Onguard licenses and 10 ClearPass Onboard
licenses
B.
25 ClearPass Profiler licenses
C.
25 ClearPass Enterprise licenses
D.
10 ClearPass Enterprise licenses
E.
25 ClearPass Redundancy licenses
HP HPE6-A15 Exam
Answer: C
Explanation:
All CPPM’s comes bundled with 25 Enterprise application licenses so you can test the functionality
of the Applications as this license can be used for any of them.
References: http://community.arubanetworks.com/t5/Security/ClearPass-licensing-explained-
August-MHC/td-p/195719
QUESTION NO: 42
An employee provisions a personal smart phone using the Onboard process. In addition, the
employee has a corporate laptop provided by IT that connects to the secure network.
How many licenses does the employee consume?
A.
1 Policy Manager license, 2 Guest Licenses
B.
2 Policy Manager licenses, 1 Onboard License
C.
1 Policy Manager license, 1 Onboard License
D.
1 Policy Manager license, 1 Guest License
E.
2 Policy Manager licenses, 2 Onboard Licenses
Answer: B
Explanation:
QUESTION NO: 43
A customer would like to deploy ClearPass with these requirements:
HP HPE6-A15 Exam
every day, 100 employees need to authenticate with their corporate laptops using EAP-TLS
every Friday, a meeting with business partners takes place and an additional 50 devices need to
authenticate using Web Login Guest Authentication
What should the customer do regarding licenses? (Select two.)
A.
When counting policy manager licenses, include the additional 50 business partner devices.
B.
When counting policy manager licenses, exclude the additional 50 business partner devices.
C.
Purchase Onboard licenses.
D.
Purchase guest licenses.
E.
Purchase Onguard licenses.
Answer: A,C
Explanation:
QUESTION NO: 44
An employee authenticates using a corporate laptop and runs the persistent Onguard agent to
send a health check back the Policy Manager. Based on the health of the device, a VLAN is
assigned to the corporate laptop.
Which licenses are consumed in this scenario?
A.
1 Policy Manager license, 1 Onboard License
B.
2 Policy Manager licenses, 1 Onguard License
C.
1 Policy Manager license, 1 Profile License
D.
HP HPE6-A15 Exam
2 Policy Manager licenses, 2 Onguard licenses
E.
1 Policy Manager license, 1 Onguard License
Answer: E
Explanation:
QUESTION NO: 45
between 2000 to 3000 corporate users need to authenticate daily using EAP-TLS
should allow for up to 1000 employee devices to be Onboarded
should allow up to 100 guest users each day to authenticate using the web login feature
What is the license mix that customer will need to purchase?
A.
CP-HW-2k, 1000 Onboard, 100 Guest
B.
CP-HW-500, 1000 Onboard, 100 Guest
C.
CP-HW-5k, 2500 Enterprise
D.
CP-HW-5k, 1000 Enterprise
E.
CP-HW-5k, 100 Onboard, 100 Guest
Answer: C
Explanation:
QUESTION NO: 46
HP HPE6-A15 Exam
Based on the ClearPass and Aruba Controller configuration settings for Onboarding shown, which
statement accurately describes an employee’s new personal device connecting to the Onboarding
network? (Select two.)
A.
Post-Onboarding, the device will be assigned the BYOD-Provision firewall role in the Aruba
Controller.
B.
Pre-Onboarding, the device will be redirected to the ‘Onboarding Page’ Captive Portal.
C.
The BYOD-Provision role is a ClearPass internal role and exists in ClearPass.
D.
The device will not be redirected to any Onboarding page.
E.
Pre-Onboarding, the device will be assigned the BYOD-Provision firewall role in the Aruba
Controller.
Answer: B,E
HP HPE6-A15 Exam
Explanation:
You can pre-provision with the Aruba controller firewall role of BYOD-Provision.
From the Firewall policies part of the exhibit, we see that the onboarding page is set to captive
portal.
References: https://community.arubanetworks.com/t5/Security/CP-OnBoard-not-redirecting-to-
portal-on-single-SSID/td-p/284506
QUESTION NO: 47
Which authentication protocols can be used for authenticating Windows clients that are
Onboarded? (Select two.)
A.
EAP-GTC
B.
PAP
C.
EAP-TLS
D.
CHAP
E.
PEAP with MSCHAPv2
Answer: C,E
Explanation:
QUESTION NO: 48
Which devices support Apple over-the-air provisioning? (Select two.)
A.
HP HPE6-A15 Exam
IOS 5
B.
Laptop running Mac OS X 10.8
C.
Laptop running Mac OS X 10.6
D.
Android 2.2
E.
Windows XP
Answer: A,B
Explanation:
Apple over-the-air provisioning is supported by IOS and OSX above version 10.6.
References:
https://community.arubanetworks.com/aruba/attachments/aruba/tkb@tkb/286/1/BYODwithClearPa
ss_Cameron_Esdaile.pdf
QUESTION NO: 49
An Android device goes through the single-SSID Onboarding process and successfully connects
using EAP-TLS to the secure network.
What is the order in which services are triggered?
A.
Onboard Authorization, Onboard Provisioning, Onboard Authorization
B.
Onboard Provisioning, Onboard Pre-Auth, Onboard Authorization, Onboard Provisioning
C.
Onboard Provisioning, Onboard Authorization, Onboard Pre-Auth
D.
Onboard Provisioning, Onboard Authorization, Onboard Provisioning
E.
HP HPE6-A15 Exam
Onboard Provisioning, Onboard Pre-Auth, Onboard Authorization
Answer: D
Explanation:
QUESTION NO: 50
What is the certificate format PKCS #7, or .p7b, used for?
A.
Certificate Signing Request
B.
Binary encoded X.509 certificate
C.
Binary encoded X.509 certificate with public key
D.
Certificate with an encrypted private key
E.
Certificate chain
Answer: E
Explanation:
The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of
.p7b or .p7c. P7B certificates contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----"
statements. A P7B file only contains certificates and chain certificates, not the private key. Several
platforms support P7B files including Microsoft Windows and Java Tomcat.
References: https://community.arubanetworks.com/t5/Controller-Based-WLANs/Various-
Certificate-Formats/ta-p/176548
QUESTION NO: 51

HP HPE6-A15 Exam
Based on the configuration for ‘maximum devices’ shown, which statement accurately describes
its settings?
A.
The user cannot Onboard any devices.
B.
It limits the total number of devices that can be provisioned by ClearPass.
C.
It limits the total number of Onboarded devices connected to the network.
D.
It limits the number of devices that a single user can Onboard.
E.
It limits the number of devices that a single user can connect to the network.
Answer: D
Explanation:
QUESTION NO: 52
HP HPE6-A15 Exam
Based on the Enforcement Policy configuration shown, which Enforcement Profile will an
employee receive when connecting an IOS device to the network or the first time using EAP-
PEAP?
A.
Deny Access Profile
B.
Onboard Device Repository
C.
Cannot be determined
D.
Onboard Post-Provisioning – Aruba
E.
Onboard Pre-Provisioning – Aruba
Answer: E
Explanation:
QUESTION NO: 53
Which device type supports Exchange ActiveSync configuration with Onboard?
A.
Linux laptop
B.
Mac OS X device
C.
Apple iOS device
D.
Windows laptop
E.
Android device
Answer: C
HP HPE6-A15 Exam
Explanation:
Exchange ActiveSync configurations you define can be used in configuration profiles to

automatically configure an email account on an iOS device.
References:
http://www.arubanetworks.com/techdocs/ClearPass/6.6/Guest/Content/Onboard/CreateEditActive
Sync.htm
QUESTION NO: 54
An employee connects a corporate laptop to the network and authenticates for the first time using
EAP-TLS.
Based on the Enforcement Policy configuration shown, which Enforcement Profile will be sent?
A.
Onboard Post-Provisioning – Aruba
B.
Onboard Pre-Provisioning – Aruba
C.
Deny Access Profile
D.
Onboard Device Repository
Answer: A
HP HPE6-A15 Exam
Explanation:
QUESTION NO: 55
What is the purpose of the ‘Clock Skew Allowance’ setting? (Select two.)
A.
to ensure server certificate validation does not fail due to client clock sync issues
B.
to set start time in client certificate to a few minutes before current time
C.
to adjust clock time on client device to a few minutes before current time
D.
to ensure client certificate validation does not fail due to client clock sync issues
E.
to set expiry time in client certificate to a few minutes longer than the default setting
Answer: D
Explanation:
Clock Skew Allowance adds a small amount of time to the start and end of the client certificate’s,
not the server certificate's, validity period. This permits a newly issued certificate to be recognized
as valid in a network where not all devices are perfectly synchronized.
References:
http://www.arubanetworks.com/techdocs/ClearPass/6.6/Guest/Content/Onboard/EditingCASetting
s.htm
HP HPE6-A15 Exam
QUESTION NO: 56
Based on the information shown, what will be the outcome when the administrator chooses “Deny
Access to this Device? (Select two.)
A.
EAP-TLS Authentication will be unaffected
B.
The user can Onboard their device again
C.
A new device certificate will be automatically pushed out to the device
D.
The user cannot Onboard their device again
E.
EAP-TLS Authentication will fail
Answer: D,E
Explanation:
The Device Management (View by Device) page lists all devices and lets you manage the devices'
access to the network. For each device, you can allow or deny network access.
When you select the Deny option, a message advises you that any certificates associated with it
will be revoked. The device cannot be re-enrolled as long as access is denied. To re-enroll the
HP HPE6-A15 Exam
device, you must use this field to allow access again.
References:
http://www.arubanetworks.com/techdocs/ClearPass/6.6/Guest/Content/Onboard/DeviceManagem
ent.htm
QUESTION NO: 57
Based on the configuration for the client’s certificate private key as shown, which statements
accurately describe the settings? (Select two.)
A.
The private key is stored in the ClearPass server.
B.
The private key is stored in the user device.
C.
The private key for TLS client certificates is not created.
D.
More bits in the private key will increase security.
E.
More bits in the private key will reduce security.
Answer: B,D
HP HPE6-A15 Exam
Explanation:
QUESTION NO: 58
What does Authorization allow users to do in a Policy Service?
A.
use only attributes stored in external databases for Enforcement, but not internal databases
B.
use attributes stored in databases in role mapping and Enforcement
C.
use only attributes stored in internal databases for Enforcement, but not external databases
D.
use attributes stored in databases in role mapping, but not Enforcement
E.
use attributes stored in databases in Enforcement, but not role mapping
Answer: B
Explanation:
QUESTION NO: 59
Which component of a ClearPass Service is mandatory?
A.
Authorization Source
B.
Profiler
C.
Role Mapping Policy
D.
Enforcement
HP HPE6-A15 Exam
E.
Posture
Answer: D
Explanation:
An enforcement policy is a way to organize enforcement profiles and apply them to users or Policy
Manager roles. Based on the enforcement policy assigned to the role, enforcement profiles are
applied to the service request.
QUESTION NO: 60 DRAG DROP
Use the arrows to sort the steps to request a Policy Service on the left into the order they are
performed on the right.
Answer:
HP HPE6-A15 Exam
Explanation:
QUESTION NO: 61
HP HPE6-A15 Exam
Under which circumstances will ClearPass select the Policy Service named ‘Test device group’?
A.
when the NAD belongs to an Airware device group HQ
B.
when the ClearPass IP address is part of the device group HQ
C.
when the Aruba access point that the client is associated to is part of the device group HQ
D.
when an end user IP address is part of the device group HQ
E.
when the IP address of the NAD is part of the device group HQ
Answer: E
Explanation:
QUESTION NO: 62
HP HPE6-A15 Exam
An AD user’s department attribute value is configured as “Product Management”. The user

connects on Monday to a NAD that belongs to the Device Group HQ.
Which role is assigned to the user in ClearPass?
A.
HR Local
B.
[Guest]
C.
[Employee]
D.
Linux User
E.
Executive
Answer: E
Explanation:
The conditions of the Executive Role is met.
QUESTION NO: 63
HP HPE6-A15 Exam
The ClearPass Event Viewer displays an error when a user authenticates with EAP-TLS to
ClearPass through an Aruba Controller Wireless Network.
What is the cause of this error?
A.
The controller’s shared secret used during the certificate exchange is incorrect.
B.
The NAS source interface IP is incorrect.
C.
The client sent an incorrect shared secret for the 802.1X authentication.
D.
The controller used an incorrect shared secret for the RADIUS authentication.
E.
The client’s shared secret used during the certificate exchange is incorrect.
Answer: D
Explanation:
HP HPE6-A15 Exam
QUESTION NO: 64
Which types of files are stored in the Local Shared Folders database in ClearPass? (Select two.)
A.
Software image
B.
Backup files
C.
Log files
D.
Device fingerprint dictionaries
E.
Posture dictionaries
Answer: B,C
Explanation:
QUESTION NO: 65
HP HPE6-A15 Exam
What information can be drawn from the audit row detail shown? (Select two.)
A.
radius01 was deleted from the list of authentication sources.
B.
The policy service was moved to position number 4.
C.
radius01 was moved to position number 4.
D.
The policy service was moved to position number 3.
E.
raduis01 was added as an authentication source.
Answer: A,B
Explanation:
QUESTION NO: 66
Under which circumstances is it necessary to use an SNMP based Enforcement profile to send a
VLAN?
A.
when a VLAN must be assigned to a wired user on an Aruba Mobility Controller
B.
when a VLAN must be assigned to a wireless user on an Aruba Mobility Controller
C.
when a VLAN must be assigned to a wired user on a third party wired switch that does not support
RADIUS return attributes
D.
when a VLAN must be assigned to a wired user on an Aruba Mobility Access Switch
E.
when a VLAN must be assigned to a wired user on a third party wired switch that does not support
RADIUS accounting
Answer: C
HP HPE6-A15 Exam
Explanation:
QUESTION NO: 67
What must be configured to enable RADIUS authentication with ClearPass on a network access
device (NAD)? (Select two.)
A.
the ClearPass server must have the network device added as a valid NAD
B.
the ClearPass server certificate must be installed on the NAD
C.
a matching shared secret must be configured on both the ClearPass server and NAD
D.
an NTP server needs to be set up on the NAD
E.
a bind username and bind password must be provided
Answer: A,C
Explanation:
QUESTION NO: 68
An administrator configured a service and tested authentication, but was unable to complete
HP HPE6-A15 Exam
authentication successfully. The administrator performs a Search using insight and the information
displays as shown.
What is a possible reason for the ErrorCode ‘Failed to classify request to service’ shown?
A.
The user failed authentication due to an incorrect password.
B.
ClearPass could not match the authentication request to a service, but the user passed
authentication.
C.
ClearPass service authentication sources were not configured correctly.
D.
The NAD did not send the authentication request.
E.
ClearPass service rules were not configured correctly.
Answer: E
Explanation:
QUESTION NO: 69
What is the purpose of RADIUS CoA (RFC 3576)?
A.
to force the client to re-authenticate upon roaming to a new Controller
B.
to apply firewall policies based on authentication credentials
C.
to validate a host MAC address against a whitelist or a blacklist
D.
to authenticate users or devices before granting them access to a network
E.
to transmit messages to the NAD/NAS to modify a user’s session status
HP HPE6-A15 Exam
Answer: E
Explanation:
CoA messages modify session authorization attributes such as data filters.
References: https://tools.ietf.org/html/rfc3576
QUESTION NO: 70
Which statement accurately reflects the status of the Policy Simulation test figure shown?
A.
The test verifies that a client with username test1 can authenticate using EAP-PEAP.
B.
Role mapping simulation verifies if the remote lab AD has the ClearPass server certificate.
C.
Role mapping simulation verifies that theient certificate is valid during EAP-TLS authentication.
D.
The simulation test result shows the firewall roles assigned to the client by the Aruba Controller.
HP HPE6-A15 Exam
E.
The roles assigned in the results tab are based on rules matched in the AD Role Mapping Policy.
Answer: E
Explanation:
QUESTION NO: 71
What is the purpose of the Audit Viewer in the Monitoring section of ClearPass Policy Manager?
A.
to audit client authentications
B.
to display changes made to the ClearPass configuration
C.
to display the entire configuration of the ClearPass Policy Manager
D.
to audit the network for PCI compliance
E.
to display system events like high CPU usage.
Answer: B
Explanation:
QUESTION NO: 72
HP HPE6-A15 Exam
Based on the configuration of a Windows 802.1X supplicant shown, what will be the outcome of
selecting ‘Validate server certificate’?
A.
The server and client will perform an HTTPS SSL certificate exchange.
B.
The client will verify the server certificate against a trusted CA.
C.
The client will send its private key to the server for verification.
HP HPE6-A15 Exam
D.
The server will send its private key to the client for verification.
E.
The client will send its certificate to the server for verification.
Answer: B
Explanation:
QUESTION NO: 73
Which settings need to be validated for a successful EAP-TLS authentication? (Select two.)
A.
Username and Password
B.
Pre-shared key
C.
WPA2-PSK
D.
Server Certificate
E.
Client Certificate
Answer: D,E
Explanation:
When you use EAP with a strong EAP type, such as TLS with smart cards or TLS with certificates,
both the client and the server use certificates to verify their identities to each other. Certificates
must meet specific requirements both on the server and on the client for successful authentication.
References: https://support.microsoft.com/en-us/help/814394/certificate-requirements-when-you-
use-eap-tls-or-peap-with-eap-tls
QUESTION NO: 74
HP HPE6-A15 Exam
Which types of records will the report shown display?
A.
all RADIUS authentications from the 10.8.10.100 NAD to ClearPass
B.
all failed RADIUS authentications through ClearPass
C.
only Windows devices that have authenticated through the 10.8.10.100 NAD
D.
all successful RADIUS authentications through ClearPass
E.
all successful RADIUS authentications from the 10.8.10.100 NAD to ClearPass
Answer: A
Explanation:
QUESTION NO: 75
Based on the Policy configuration shown, which VLAN will be assigned when a user with
HP HPE6-A15 Exam
ClearPass role Engineer authenticates to the network successfully using connection protocol
WEBAUTH?
A.
Deny Access
B.
Employee VLAN
C.
Internet VLAN
D.
Full Access VLAN
Answer: B
Explanation:
QUESTION NO: 76
Based on the configuration of a Windows 802.1X supplicant shown, what will be the outcome
when ‘Automatically use my Windows logon name and password’ are selected?
HP HPE6-A15 Exam
A.
The client will use machine authentication.
B.
The client’s Windows login username and password will be sent inside a certificate to the Active
Directory server.
C.
The client’s Windows login username and password will be sent to the Authentication server.
D.
The client will need to re-authenticate every time they connect to the network.
E.
The client will prompt the user to enter the logon username and password.
HP HPE6-A15 Exam
Answer: C
Explanation:
QUESTION NO: 77
What is a benefit of ClearPass Onguard?
A.
It enables organizations to run advanced endpoint posture assessments.
B.
It allows a receptionist in a hotel to create accounts for guest users.
C.
It allows employees to self-provision their personal devices on the corporate network.
D.
It offers an easy way for users to self-configure their devices to support 802.1X authentication on
wired and wireless networks.
E.
It allows employees to create temporary accounts for Wi-Fi access.
Answer: A
Explanation:
QUESTION NO: 78
A guest self-registered through a Publisher’s Register page.
Which statement accurately describes how the guest’s account will be stored?
A.
It will be stored in the Publisher’s guest user repository and the Subscriber’s Onboard user
repository.
B.
It will be stored in the Publisher’s local user repository and the Subscriber’s guest user repository.
C.
HP HPE6-A15 Exam
It will be stored in the Publisher’s guest user repository permanently, but only for 14 days in the
Subscriber’s guest user repository,
D.
It will be stored in both the Publisher’s guest user repository and the Subscriber’s guest user
repository.
E.
It will be stored in the Publisher’s guest user repository, but not the Subscriber’s.
Answer: D
Explanation:
QUESTION NO: 79
Which IP address should be set as the DHCP relay on an Aruba Controller for device
fingerprinting on ClearPass?
A.
DHCP server IP
B.
Active Directory IP
C.
Switch IP
D.
Microsoft NPS server IP
E.
ClearPass server IP
Answer: E
Explanation:
QUESTION NO: 80
Which collectors can be used for device profiling? (Select two.)
HP HPE6-A15 Exam
A.
B.
ActiveSync Plugin
C.
Client’s role on the controller
D.
Onguard agent
E.
Active Directory Attributes
Answer: B,D
Explanation:
QUESTION NO: 81
Which checks are made with Onguard posture evaluation on ClearPass? (Select three.)
A.
Registry keys
B.
EAP TLS certificate validity
C.
Client role check
D.
Peer-to-peer application checks
E.
Operating System version
Answer: A,D,E
Explanation:
QUESTION NO: 82
HP HPE6-A15 Exam
Why is a terminate session enforcement profile used during posture checks with 802.1x
authentication?
A.
To send a RADIUS CoA message from the ClearPass server to the client
B.
To disconnect the user for 30 seconds when they are in an unhealthy posture state
C.
To blacklist the user when they are in an unhealthy posture state
D.
To force the user to re-authenticate and run through the service flow again
E.
To remediate the client applications and firewall do that updates can be installed
Answer: A
Explanation:
QUESTION NO: 83
Based on the Enforcement Policy configuration shown, when a user with Role Engineer connects
to the network and the posture token assigned is Unknown, which Enforcement Profile will be
applied?
HP HPE6-A15 Exam
A.
EMPLOYEE_VLAN
B.
RestrictedACL
C.
Deny Access Profile
D.
HR VLAN
E.
Remote Employee ACL
Answer: C
Explanation:
QUESTION NO: 84
A client’s authentication is failing and there are no entries in the ClearPass Access tracker.
What is a possible reason for the authentication failure?
A.
The user account has expired.
B.
The client used a wrong password.
C.
The shared secret between the NAD and ClearPass does not match.
D.
The user’s certificate is invalid.
E.
The user is not found in the database.
Answer: C
Explanation:
HP HPE6-A15 Exam
QUESTION NO: 85
Based on the information shown on a client’s laptop, what will happen next?
A.
The web login page will be displayed.
B.
The client will send a NAS authentication request to ClearPass.
C.
ClearPass will send a NAS authentication request to the NAD.
D.
the NAD will send an authentication request to ClearPass.
E.
The user will be presented with a self-registration receipt.
Answer: D
Explanation:
QUESTION NO: 86
What does a Windows client need for it to perform EAS-PEAP successfully when ‘Validate server
Certificate’ is not enabled?
A.
Pre-shared key
B.
HP HPE6-A15 Exam
Client Certificate
C.
WPA2-PSK
D.
E.
Server Certificate
Answer: D
Explanation:
QUESTION NO: 87
What can be concluded from the Access Tracker output shown?
A.
The client used incorrect credentials to authenticate to the network.
B.
ClearPass does not have a service enabled for MAC authentication.
C.
The client MAC address is not present in the Endpoints table in the CrearPass database.
D.
The RADIUS client on the Windows server failed to categorize the service correctly.
E.
HP HPE6-A15 Exam
The client wireless profile is incorrectly setup.
Answer: B
Explanation:
QUESTION NO: 88
Based on the Policy configuration shown, which VLAN will be assigned when a user with
ClearPass role Engineer authenticates to the network successfully on Saturday using connection
protocol WEBAUTH?
A.
Full Access VLAN
B.
Employee VLAN
C.
Internet VLAN
D.
Deny Access
Answer: B
Explanation:
QUESTION NO: 89
The “Alerts” tab in an access tracker entry shows the error message: “Access denied by policy.”
HP HPE6-A15 Exam
What is a possible cause of authentication failure?
A.
Failure to find an appropriate service to process the authentication request
B.
Configuration of the Enforcement Policy
C.
An error in the role mapping policy
D.
Implementation of a firewall policy on ClearPass
E.
Failure to select an appropriate authentication method for the authentication request
Answer: B
Explanation:
QUESTION NO: 90
An AD user’s department attribute is configured as “HR”. The user connects on Monday using an
Android phone to an Aruba Controller that belongs to the Device Group Remote NAD.
Which roles are assigned to the user in ClearPass? (Select two.)

HP HPE6-A15 Exam
A.
Executive
B.
iOS Device
C.
Vendor
D.
Remote Employee
E.
HR Local
Answer: D,E
Explanation:
QUESTION NO: 91
When is the RADIUS server certificate used? (Select two.)
A.
During dual SSID onboarding, when the client connects to the Guest network
B.
During EAP-PEAP authentication in single SSID onboarding
C.
During post-Onboard EAP-TLS authentication, when the client verifies the server certificate
D.
During Onboard Web Login Pre-Auth, when the client loads the Onboarding web page
E.
During post-Onboard EAP-TLS authentication, when the server verifies the client certificate
Answer: C,D
Explanation:
QUESTION NO: 92
HP HPE6-A15 Exam
Based on the configuration of the Enforcement Profiles in the Onboard Authorization service
shown, which Onboarding action will occur?
A.
The device will be disconnected from the network after Onboarding so that an EAP-TLS
authentication is not performed.
B.
The device will be disconnected from and reconnected to the network after Onboarding is
completed.
C.
The device’s onboard authorization request will be denied.
D.
The device will be disconnected after post-Onboarding EAP-TLS authentication, so a second
EAP-TLS authentication is performed.
E.
After logging in on the Onboard web login page, the device will be disconnected form and
reconnected to the network before Onboard begins.
Answer: B
Explanation:
QUESTION NO: 93
In a single SSID Onboarding, which method can be used in the Enforcement Policy to distinguish
between a provisioned device and a device that has not gone through the Onboard workflow?
A.
Active Directory Attributes
HP HPE6-A15 Exam
B.
Network Access Device used
C.
Endpoint OS Category
D.
Onguard Agent used
E.
Authentication Method used
Answer: E
Explanation:
QUESTION NO: 94
An organization implements dual SSID Onboarding. The administrator used the Onboard service
template to create services for dual SSID Onboarding.
Which statement accurately describes the outcome?
A.
The Onboard Provisioning service is triggered when the user connects to the provisioning SSID to
Onboard their device.
B.
The Onboard Authorization service is triggered when the user connects to the secure SSID.
C.
The Onboard Authorization service is triggered during the Onboarding process.
D.
The device connects to the secure SSID for provisioning.
E.
The Onboard Authorization service is never triggered.
Answer: C
Explanation:
HP HPE6-A15 Exam
QUESTION NO: 95
Which statements accurately describe the status of the Onboarded devices in the configuration for
the network settings shown? (Select two.)
A.
They will connect to Employee_Secure SSID after provisioning.
B.
They will connect to Employee_Secure SSID for provisioning their devices.
C.
They will use WPA2-PSK with AES when connecting to the SSID.
D.
They will connect to secure_emp SSID after provisioning.
E.
They will perform 802.1X authentication when connecting to the SSID.
Answer: D,E
Explanation:
QUESTION NO: 96
Which use cases will require a ClearPass Guest application license? (Select two.)
A.
Guest device fingerprinting
HP HPE6-A15 Exam
B.
Guest endpoint health assessment
C.
Sponsor based guest user access
D.
Guest user self-registration for access
E.
Guest personal device onboarding
Answer: C,D
Explanation:
QUESTION NO: 97
-2000 devices need to be Onboarded
-2000 corporate devices need to run posture checks daily
-500 guest users need to authenticate each day using the web login feature
What is the license mix that customer will need to purchase?
A.
CP-HW-5k, 2500 ClearPass Enterprise
B.
C.
CP-HW-500, 2500 ClearPass Enterprise
D.
E.
Answer: B
HP HPE6-A15 Exam
Explanation:
QUESTION NO: 98
Based on the Translation Rule configuration shown, what will be the outcome?
A.
An AD user from group Administrators will be assigned the operator profile of IT Administrators.
B.
All ClearPass Policy Manager admin users who are members of the Administrators AD group will
be assigned the TACACS profile of IT Administrators.
C.
All active directory users will be assigned the operator profile of IT Administrators.
D.
A user from AD group MatchAdmin will be assigned the operator profile of IT Administrators.
Answer: A
Explanation:
QUESTION NO: 99
HP HPE6-A15 Exam
Based on the Aruba TACACS+ dictionary shown, how is the Aruba-Role attribute used?
A.
The Aruba-Admin-Role on the controller is applies to users using TACACS+ to login to the Policy
Manager
B.
To assign different privileges to clients during 802.1X authentication
C.
To assign different privileges to administrators logging into an Aruba NAD
D.
It is used by ClearPass to assign TIPS roles to clients during 802.1X authentication
E.
To assign different privileges to administrators logging into ClearPass
Answer: C
Explanation:
QUESTION NO: 100
In which ways can ClearPass derive client roles during policy service processing? (Select two.)
A.
HP HPE6-A15 Exam
From the attributes configured in Active Directory
B.
From the server derivation rule in the Aruba Controller server group for the client
C.
From the Aruba Network Access Device
D.
From the attributes configured in a Network Access Device
E.
Through a role mapping policy
Answer: A,E
Explanation:
QUESTION NO: 101
An administrator logs in to the Guest module in ClearPass and ‘Manage Accounts’ displays as
shown.
When a user with username donald@disney.com attempts to access the Web Login page, what
will be the outcome?
A.
The user will be able to log in and authenticate successfully but will then be immediate
disconnected.
B.
The user will be able to log in for the next 4.9. days, but then will no longer be able to log in.
HP HPE6-A15 Exam
C.
The user will not be able to log in and authenticate.
D.
The user will be able to log in and authenticate successfully, but will then get a quarantine role.
E.
The user will not be able to access the Web Login page.
Answer: C
Explanation:
QUESTION NO: 102
An Enforcement Profile has been created in the Policy Manager as shown.
Which action will ClearPass take based on the Enforcement Profile?
A.
It will send the Session-Timeout attribute in the RADIUS Access-Request packet to the NAD and
the NAD will end the user’s session after 600 seconds.
B.
It will send the Session-Timeout attribute in the RADIUS Access-Accept packet to the User and
the user’s session will be terminated after 600 seconds.
C.
It will count down 600 seconds and send a RADUIS CoA message to the NAD to end the user’s
session after this time is up.
D.
It will count down 600 seconds and send a RADUIUS CoA message to the user to end the user’s
session after this time is up.
E.
It will send the session –Timeout attribute in the RADIUS Access-Accept packet to the NAD and
the NAD will end the user’s session after 600 seconds.
HP HPE6-A15 Exam
Answer: E
Explanation:
QUESTION NO: 103
Use this form to make changes to the RADIUS Web Login Guest Network.
A Web Login page is configured in Clear Pass Guest as shown.
What is the purpose of the Pre-Auth Check?
A.
To authenticate users after the NAD sends an authentication request to ClerPass
B.
To authenticate users before the client sends the credentials to the NAD
C.
To authenticate users when they are roaming from one NAD to another
D.
To authenticate users before they launch the Web Login Page
E.
To replace the need for the NAD to send an authentication request to ClearPass
Answer: B
Explanation:
HP HPE6-A15 Exam
QUESTION NO: 104
Based on the guest Self-Registration with Sponsor Approval workflow shown, at which stage does
the sponsor approve the user’s request?
A.
After the RADIUS Access-Request
B.
After the NAS login, but before the RADIUS Access-Request
C.
Before the user can submit the registration form
D.
After the RADIUS Access-Response
E.
After the receipt page is displayed, before the NAS login
Answer: E
Explanation:
HP HPE6-A15 Exam
NEW QUESTIONS:
QUESTION NO: 105
What is the purpose of ClearPass Onboard?
A.
to provide MAC authentication for devices that don’t support 802.1x
B.
to run health checks on end user devices
C.
to provision personal devices to securely connect to the network
D.
to configure self-registration pages for guest users
E.
to provide guest access for visitors to connect to the network
Answer: C
Explanation:

Hpe6-A15 - Accp

Uploaded by

Copyright:

Available Formats

Hpe6-A15 - Accp

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Hpe6-A15 - Accp

Uploaded by

Copyright:

Available Formats

HP HPE6-A15

Aruba Certified ClearPass Professional 6.5

Refer to the exhibit.

Which role is assigned to the user in ClearPass?

None of the Listed Role Name conditions are met.

C: Role Mappings Page - Rules Editor Page Parameters

D: Enforcement Policy Attributes tab Parameters

Refer to the exhibit.

source. The flow is outlined below:

collects role mapping attributes from the authorization sources.

rejects the request.

Which authorization servers are supported by ClearPass? (Select two.)

Authentication Sources can be one or more instances of the following examples:

* Policy Manager local DB

Which CLI command is used to upgrade the image of a ClearPass server?

* system update (for patches)

* system upgrade (for upgrades)

What is the purpose of Operator Profiles?

Refer to the exhibit.

Refer to the exhibit.

Refer to the exhibit.

What is the page name field used for?

Refer to the exhibit.

What is the Address field value ‘securelogin.arubanetworks.com’ used for?

Refer to the exhibit.

An administrator enabled the Pre-auth check for their guest self-registration.

At what stage in the registration process in this check performed?

Refer to the exhibit.

There's the Self Service part of provisioning one's information.

Then the sponsor/operator part to confirm that guest is valid.

Then the enablement via the sponsor/operator clicking 'confirm'.

Refer to the exhibit.

A user logged in to the Self-Service Portal as shown.

What do the traffic received and sent statistics present?

Refer to the exhibit.

Refer to the exhibit.

What are the likely causes of this? (Select two.)

You would need a publicly signed certificate.

Refer to the exhibit.

An Enforcement Profile has been created in the Policy Manager as shown.

Which action will ClearPass take based on the Enforcement Profile?

Refer to the exhibit.

A customer with an Aruba Controller wants it to work with ClearPass Guest.

5. Configuring the Aruba Controller

5.1 Add Clearpass as RADIUS Server

Navigate to Configuration > SECURITY > Authentication > Servers

Click on myClearpass in the Server List

Refer to the exhibit.

Refer to the exhibit.

We see System Posture Status: HEALTHY(0)

References: CLEARPASS ONGUARD CONFIGURATION GUIDE (July 2015), page 13

Refer to the exhibit.

References: CLEARPASS ONGUARD CONFIGURATION GUIDE (July 2015), page 27

A ClearPass administrator wants to make Enforcement decisions during 802.1x authentication

Which Enforcement profile should be used on the health check service?

See step 6) below.

2. Click the + Add link in the upper right hand corner.

4. Name the policy.

This example uses Dell Terminate Session as the profile name.