HP HPE6-A81 Exam Questions
Questions for the HPE6-A81 were updated on : Jul 20 ,2024
Page 1 out of 4. Viewing questions 1-15 out of 60
Question 1
You art deploying Cleat Pass Policy Manager with Guest functionality for a customer with multiple
Aruba Networks Mobility Controllers. The customer wants to avoid SSL errors during guest access but
due to company security policy cannot use a wildcard certificate on ClearPass or the Controllers.
What is the most efficient way to configure the customer's guest solution? (Select two.)
- A. Install the same public certificate on all Controllers with the common name "controller.{company domain)
- B. Build multiple Web Login pages with vendor settings configured for each controller
- C. Build one Web Login page with vendor settings for captiveportal-controller (company domain)
- D. Build one Web Login page with vendor settings for controller (company domain)
- E. Install multiple public certificates with a different Common Name on each controller
Answer:
DE
Question 2
Refer to the exhibit.
A customer has configured Onboard in a cluster with two nodes. All devices were onboarded in the
network through node1 but those clients fail to authenticate through node2 with the error shown
What steps would you suggest to make provisioning and authentication work across the entire
cluster? (Select three)
- A. Configure the Network Settings in Onboard to trust the Policy Manager EAP certificate.
- B. Have all of the BYOO clients disconnect and reconnect to the network.
- C. Configure the Onboard Root CA to trust the Policy Manager EAP certificate root.
- D. Make sure that the EAP certificates on both nodes are issued by one common root Certificate Authority (CA).
Answer:
BCD
Question 3
Refer to the exhibit.
A customer with multiple Aruba Controllers has just installed a new certificate for
"'.customerdomain.com- on all Aruba Controllers While testing the existing guest Self-Registration
page the customer noticed that the logins are failing While troubleshooting they are finding no
entries in the Event Viewer or Access Tracker for the tests Suspecting that the Aruba Controllers may
not be properly posting the credentials from the guest browser, they open the NAS Vendor Settings
for the Guest Self-Registration Page.
- A. Add PTR records on the DNS server for "securelogin arubanetworks.com".
- B. Change the "Secure Login' field to "Use Vendor Default".
- C. Change the 'IP Address field to" securelogin.customerdomain.com
- D. Change the "IP Address field to "captiveportal-login.customerdomain.com".
Answer:
D
Question 4
Refer to the exhibit.
What could be causing the error message received on the OnGuard client?
- A. The Service Selection Rules for the service are not configured correctly
- B. The Health-Check service does not have Posture Compliance option enabled
- C. The client's OnGuard Agent has not been configured with the correct Policy Manager Zone.
- D. There is a firewall policy not allowing the OnGuard Agent to connect to ClearPass
Answer:
A
Question 5
Refer to the exhibit.
A year ago. your customer deployed an Aruba ClearPass Policy Manager Server for a Guest SSID
hosted in an IAP Cluster The customer just created a new Web Login Page for the Guest SSiD Even
though the previous Web Login page worked test with the new Web Login Page are failing and the
customer has forwarded you the above screenshots.
What recommendation would you give the customer to fix the issue?
- A. The customer should reset the password for the username accxCdlexam.com using Guest Manage Accounts.
- B. The service type configured is not correct. The Guest authentication should be an Application authentication type of service.
- C. The Address filed under the WebLogin Vendor settings is not configured correctly. It should be set to instant, Aruba networks com,
- D. The WebLogin Pre-Auth Check is set to Aruba Application Authentication which requires a separate application service on the policy manager
Answer:
C
Question 6
A customer has deployed an OnGuard Solution to all the corporate devices using a group policy result
to push the OnGuard Agtnts. The network administrator is complaining that soma of the agents are
communicating to the ClearPass server that is located in a DMZ. outside the firewall The network
administrator wants all of the agents System Health Validation traffic to stay inside the Management
subnets.
What can the ClearPass administrator do to move the traffic only to the ClearPass Management
Ports?
- A. Select the correct OnGuard Agent installer, and use the one configured for Management Port for the clients.
- B. Filter TCP port 6658 on the firewall, forcing the OnGuard agent to use the ClearPass Management port.
- C. Configure a Policy Manager Zone mapping so the OnGuard agent will use the Management Port IP.
- D. Edit the agent.conf file being deployed to the clients to use the ClearPass Management Port for SHV updates
Answer:
B
Question 7
Refer to the exhibit.
The users connecting to a wireless SSIO "secure-HS-5007" were being processed by an incorrect
802.1 X service created for VIP access and the user gets deny access. The customer has sent you the
screenshot to get your support to resolve the issue What changes will you suggest to fix it?
- A. To the HS_Building 802.1 X service, add another service rule condition with VIP access Aruba- Essid-Name and leave it in same position
- B. In the HS_Building 802.1X service, remove the service rule condition with Aruba controller location name and leave it in same position
- C. Delete the HSBuilding 802 IX service, odd VIP access Aruba-Essid-Name as fourth condition to WSBuilding Aruba 802 1X service
- D. In the HSBuilding 802. IXservice. change the Authentication method for AMCAuth for VIP access and leave it in same position
Answer:
B
Question 8
A customer has two different geographical sites deployed with two ClearPass servers in each site.
Site A has the Publisher (CPPM1) and a subscriber (CPPM2) and Site B has two subscribers (CPPM3 S
CPPM4) All wired and wireless authentication requests from the respective sites are handled by
respective CPPMs deployed in the sites When both the CPPM servers in Site B are lost, the
authentications from Site B is handled by Site A subscriber (CPPM2). To control the Multi-Master
Cache flush and reduce the amount of inter-site traffic, the customer also created a new Policy
Manager Zone (Zone1) The Site B CPPM3 & CPPM4 are part of Zone! and Site A CPPM2 is also
mapped to Zone1 as it will act as the backup RADIUS server for Site B The corporate laptops are
installed with Persistent agent to run the OnGuard check and the OnGuard settings are also mapped
to the Zones The Site A corporate user subnets are mapped to default zone and the Site 6 corporate
user subnets are mapped to Zone1. The customer has the following issue in the setup: The corporate
clients from Site A authenticating against the CPPM2 as their Primary RADIUS server assigns
Quarantine enforcement profile even though the user s health status is Healthy.
What is the cause of this issue?
- A. Multi-master cache also contains the roles and posture of the associated and unassociated clients and is shared with all members part of that Policy Manager Zone. CPPM2 belongs to Zone1 and the OnGuard setting for Site A is part of the default zone and the system health validation information is sent to one of the nodes that are part of its home zone As Posture cache for Site A hi not available with CPPMZ. it fails to apply the enforcement profile based on correct health status.
- B. Multi-master cache also contains the roles and posture of the connected clients and is shared only with the members part of that Policy Manager Zone. CPPM2 belongs to Zone1 and the OnGuard setting for Site A is part of the default zone and the OnGuard system health validation information is sent to one of the nodes that are part of its home zone only. As Posture cache for Site A is not available with CPPM2. it fails to apply the enforcement profile based on correct health status.
- C. Multi-master cache also contains the roles and posture of the connected clients and is shared across all members part of the cluster. The OnGuard setting for Site A is part of only the default zone and the system health validation information is sent to one of the nodes that are part of its home zone only As the OnGuard setting of the Site A corporate user subset is not mapped with default as well as Zone1. CPPM2 fails to apply the enforcement profile based on correct health status.
- D. Multi-master cache also contains the roles and posture of the connected clients and is shared across all members part of the cluster. The OnGuard setting for Site A is part of only the default zone and the OnGuard system health validation information is sent to one of the nodes that is part of its home zone only. As the CPPM2 is also not mapped to the default zone as well as Zone1, CPPM2 fails to apply the enforcement profile based on correct health status.
Answer:
C
Question 9
You have designed a ClearPass solution for an Information Technology Business Park with 50,377
concurrent sessions including the visitors. The deployment includes eight ClearPass servers handling
RADIUS authentication. Guest Self-Registration. Onboard and OnGuard. CPPM1 is acting as Publisher.
CPPM2 to CPPM8 are added as subscriber nodes CPPM4 is the designated Standby Publisher. Servers
CPPM2 and CPPM3 will be handling the Guest and Onboard HTTPS traffic. On a few devices,
Corporate users will perform username and password based authentication with Active Directory
accounts and on few devices, they will be using private CA signed TLS certificates to do the
authentication The customer has three Active Directories (AD1, AD2 and A03) part of Multi-Domain
Forest. To provide authentication redundancy, the customer has configured multiple Virtual IP
settings between ClearPass servers in a cluster.
On all the Network Access Devices (NAD), the primary authentication server is configured as the VIP
IP address and the secondary authentication server rs configured as CPPM1 MGMT IP address Based
on the information provided, which ClearPass nodes will you join to the AD domain
- A. Join CPPM1. CPPM4 to CPPM7 servers to the AD root domain
- B. Join CPPM2 to CPPM7 ClearPass servers to the AD root domain.
- C. Join all the eight ClearPass servers to AD1, AD2 and AD3 domains.
- D. Join CPPM1. CPPM4 to CPPM8 to the AD1. AD2 and AD3 domains.
Answer:
D
Question 10
Refer to the exhibit.
What enforcement prof lit will be assigned to the Windows 10 MDH enabled devices if it completes
user
authentication
and
is
already
profiled
by
ClearPess?
- A. Cisco Full A. Access VLAN
- B. Default - Deny Access Profile
- C. Cisco Redirect ACL for profiling
- D. Cisco Redirect URL - Service Unavailable
Answer:
B
Question 11
Refer to the exhibit.
You have integrated the Cisco switch with ClearPass to do MAC-Auth for Cisco IP Phones. The phones
connect to the network successfully but when you try to change the status of the device from the
access tracker, you see only the ArubaOS Radius terminate session options and not the Cisco vendor
terminate session options. What will you check to fix this issue?
- A. Verify if the ClearPass supports RADIUS Dynamic Authorization for the Cisco IP Phones doing MAC.AUTH.
- B. Verify if the Cisco IP Phone is actively connected to the switch to get the Cisco CoA options from ClearPass.
- C. Verify if the Enable RADIUS Dynamic Authorization option is checked for the Cisco switch added under the network devices.
- D. Verify that Cisco is chosen as the vendor name while adding the Cisco Switch under network devices.
Answer:
D
Question 12
Refer to the exhibit.
What enforcement profile will be assigned to a client who has successfully completed the user and
machine authentication with UNKNOWN posture token?
- A. Redirect to Aruba OnBoard Portal
- B. Redirect to Aruba Quarantine Profile
- C. Redirect to Aruba Dissolvable_page Profile
- D. Deny Access Profile
Answer:
C
Question 13
Refer to the exhibit.
You have configured an Onboard portal for single SSID provision. During testing you notice that the
QuickConnect Application did not display the "Connect" button, only the finish button. To get
connected the test user had to manually connect to the secure-HS-5007 SSID but was prompted for a
username and password. Using the screenshots as a reference, how would you fix this issue?
- A. Check the network settings for the correct SSID name spelling.
- B. Install a public signed HTTPS web server certificate on the ClearPass server
- C. Change the network settings to use EAP-TLS for the authentication protocol.
- D. Configure the SSID to support both EAP-PEAP and EAP-TLS authentication method
Answer:
B
Question 14
Which statements are true about that integration between ClearPass Policy Manager and ClearPass
Device Insight? (Select two)
- A. Policy Manager stops using ClearPass Profiler for fingerprinting and uses Device Insight Analyzer instead for endpoint in-depth data analysis.
- B. ClearPass Device Insight updates ClearPass Policy Manager every 60 minutes if it detects a change in device classification like device spoofing.
- C. To provide enhanced profiling and reporting. additional configuration is required to transmit data in both directions between CPPM and Device Insight.
- D. When Device Insight integration mode is enabled. you can still use Update Fingerprint button to Update Endpoints at Configuration > Identity > Endpoints
- E. An attribute named Device Insight Tags art added to the Endpoints that art available to use in service, role-mapping, and enforcement policy Rules
Answer:
CD
Question 15
A customer has acquired another company that has its own Active Directory infrastructure. The 802
1X PEAP authentication works with the customer's original Active Directory servers but the customer
would like to authenticate users from the acquired company as well.
What steps are required, in regards to the Authentication Sources, in order to support this request?
(Select two.)
- A. Create a new Authentication Source, type Active Directory.
- B. Create a new Authentication Source, type Generic LDAP.
- C. Add the new AD server(s) as backup into the existing Authentication Source.
- D. There is no need to join ClearPass to the new AD domain.
- E. Join the ClearPass server(s) to the new AD domain.
Answer:
BD