Month End Sale - Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70dumps

HPE6-A78 Questions and Answers

Question # 6

What are the roles of 802.1X authenticators and authentication servers?

A.

The authenticator stores the user account database, while the server stores access policies.

B.

The authenticator supports only EAP, while the authentication server supports only RADIUS.

C.

The authenticator is a RADIUS client and the authentication server is a RADIUS server.

D.

The authenticator makes access decisions and the server communicates them to the supplicant.

Full Access
Question # 7

From which solution can ClearPass Policy Manager (CPPM) receive detailed information about client device type OS and status?

A.

ClearPass Onboard

B.

ClearPass Access Tracker

C.

ClearPass OnGuard

D.

ClearPass Guest

Full Access
Question # 8

What is a vulnerability of an unauthenticated Dime-Heliman exchange?

A.

A hacker can replace the public values exchanged by the legitimate peers and launch an MITM attack.

B.

A brute force attack can relatively quickly derive Diffie-Hellman private values if they are able to obtain public values

C.

Diffie-Hellman with elliptic curve values is no longer considered secure in modem networks, based on NIST recommendations.

D.

Participants must agree on a passphrase in advance, which can limit the usefulness of Diffie- Hell man in practical contexts.

Full Access
Question # 9

What is a correct guideline for the management protocols that you should use on ArubaOS-Switches?

A.

Disable Telnet and use TFTP instead.

B.

Disable SSH and use https instead.

C.

Disable Telnet and use SSH instead

D.

Disable HTTPS and use SSH instead

Full Access
Question # 10

Device A is contacting https://arubapedia.arubanetworks.com. The web server sends a certificate chain. What does the browser do as part of validating the web server certificate?

A.

It makes sure that the key in the certificate matches the key that DeviceA uses for HTTPS.

B.

It makes sure the certificate has a DNS SAN that matches arubapedia.arubanetworks.com

C.

It makes sure that the public key in the certificate matches DeviceA's private HTTPS key.

D.

It makes sure that the public key in the certificate matches a private key stored on DeviceA.

Full Access
Question # 11

A user is having trouble connecting to an AP managed by a standalone Mobility Controller (MC). What can you do to get detailed logs and debugs for that user's client?

A.

In the MC CLI, set up a control plane packet capture and filter for the client's IP address.

B.

In the MC CLI, set up a data plane packet capture and filter for the client's MAC address.

C.

In the MC UI’s Traffic Analytics dashboard, look for the client's IP address.

D.

In the MC UI’s Diagnostics > Logs pages, add a "user-debug" log setting for the client's MAC address.

Full Access
Question # 12

What is the purpose of an Enrollment over Secure Transport (EST) server?

A.

It acts as an intermediate Certification Authority (CA) that signs end-entity certificates.

B.

It helps admins to avoid expired certificates with less management effort.

C.

It provides a secure central repository for private keys associated with devices' digital certif-icates.

D.

It provides a more secure alternative to private CAs at less cost than a public CA.

Full Access
Question # 13

What is one way that WPA3-PerSonal enhances security when compared to WPA2-Personal?

A.

WPA3-Perscn3i is more secure against password leaking Because all users nave their own username and password

B.

WPA3-Personai prevents eavesdropping on other users' wireless traffic by a user who knows the passphrase for the WLAN.

C.

WPA3-Personai is more resistant to passphrase cracking Because it requires passphrases to be at least 12 characters

D.

WPA3-Personal is more complicated to deploy because it requires a backend authentication server

Full Access
Question # 14

You are checking the Security Dashboard in the Web Ul for your ArubaOS solution and see that Wireless Intrusion Prevention (WIP) has discovered a rogue radio operating in ad hoc mode with open security. What correctly describes a threat that the radio could pose?

A.

It could open a backdoor into the corporate LAN for unauthorized users.

B.

It is running in a non-standard 802.11 mode and could effectively jam the wireless signal.

C.

It is flooding the air with many wireless frames in a likely attempt at a DoS attack.

D.

It could be attempting to conceal itself from detection by changing its BSSID and SSID frequently.

Full Access
Question # 15

You have a network with AOS-CX switches for which HPE Aruba Networking ClearPass Policy Manager (CPPM) acts as the TACACS+ server. When an admin authenticates, CPPM sends a response with:

    Aruba-Priv-Admin-User = 1

    TACACS+ privilege level = 15What happens to the user?

A.

The user receives auditors access.

B.

The user receives no access.

C.

The user receives administrators access.

D.

The user receives operators access.

Full Access
Question # 16

You have detected a Rogue AP using the Security Dashboard Which two actions should you take in responding to this event? (Select two)

A.

There is no need to locale the AP If you manually contain It.

B.

This is a serious security event, so you should always contain the AP immediately regardless of your company's specific policies.

C.

You should receive permission before containing an AP. as this action could have legal Implications.

D.

For forensic purposes, you should copy out logs with relevant information, such as the time mat the AP was detected and the AP's MAC address.

E.

There is no need to locate the AP If the Aruba solution is properly configured to automatically contain it.

Full Access
Question # 17

What is one practice that can help you to maintain a digital chain or custody In your network?

A.

Enable packet capturing on Instant AP or Moodily Controller (MC) datepath on an ongoing basis

B.

Enable packet capturing on Instant AP or Mobility Controller (MC) control path on an ongoing basis.

C.

Ensure that all network infrastructure devices receive a valid clock using authenticated NTP

D.

Ensure that all network Infrastructure devices use RADIUS rather than TACACS+ to authenticate managers

Full Access
Question # 18

What is a use case for tunneling traffic between an Aruba switch and an AruDa Mobility Controller (MC)?

A.

applying firewall policies and deep packet inspection to wired clients

B.

enhancing the security of communications from the access layer to the core with data encryption

C.

securing the network infrastructure control plane by creating a virtual out-of-band-management network

D.

simplifying network infrastructure management by using the MC to push configurations to the switches

Full Access
Question # 19

What is a guideline for creating certificate signing requests (CSRs) and deploying server Certificates on ArubaOS Mobility Controllers (MCs)?

A.

Create the CSR online using the MC Web Ul if your company requires you to archive the private key.

B.

if you create the CSR and public/private Keypair offline, create a matching private key online on the MC.

C.

Create the CSR and public/private keypair offline If you want to install the same certificate on multiple MCs.

D.

Generate the private key online, but the public key and CSR offline, to install the same certificate on multiple MCs.

Full Access
Question # 20

You need to implement a WPA3-Enterprise network that can also support WPA2-Enterprise clients. What is a valid configuration for the WPA3-Enterprise WLAN?

A.

CNSA mode disabled with 256-bit keys

B.

CNSA mode disabled with 128-bit keys

C.

CNSA mode enabled with 256-bit keys

D.

CNSA mode enabled with 128-bit keys

Full Access
Question # 21

What is one way that Control Plane Security (CPSec) enhances security for the network?

A.

It protects management traffic between APs and Mobility Controllers (MCs) from eavesdropping.

B.

It prevents Denial of Service (DoS) attacks against Mobility Controllers' (MCs') control plane.

C.

It protects wireless clients' traffic, tunneled between APs and Mobility Controllers, from eavesdropping.

D.

It prevents access from unauthorized IP addresses to critical services, such as SSH, on Mobility Controllers (MCs).

Full Access
Question # 22

The monitoring admin has asked you to set up an AOS-CX switch to meet these criteria:

    Send logs to a SIEM Syslog server at 10.4.13.15 at the standard TCP port (514)

    Send a log for all events at the "warning" level or above; do not send logs with a lower level than "warning"The switch did not have any "logging" configuration on it. You then entered this command:AOS-CX(config)# logging 10.4.13.15 tcp vrf defaultWhat should you do to finish configuring to the requirements?

A.

Specify the "warning" severity level for the logging server.

B.

Add logging categories at the global level.

C.

Ask for the Syslog password and configure it on the switch.

D.

Configure logging as a debug destination.

Full Access
Question # 23

What is a correct use case for using the specified certificate file format?

A.

using a PKCS7 file to install a certificate plus and its private key on a device

B.

using a PKCS12 file to install a certificate plus its private key on a device

C.

using a PEM file to install a binary encoded certificate on a device

D.

using a PKCS7 file to install a binary encoded private key on a device

Full Access
Question # 24

What is a correct guideline for the management protocols that you should use on AOS-CX switches?

A.

Make sure that SSH is disabled and use HTTPS instead.

B.

Make sure that Telnet is disabled and use SSH instead.

C.

Make sure that Telnet is disabled and use TFTP instead.

D.

Make sure that HTTPS is disabled and use SSH instead.

Full Access
Question # 25

Which attack is an example or social engineering?

A.

An email Is used to impersonate a Dank and trick users into entering their bank login information on a fake website page.

B.

A hacker eavesdrops on insecure communications, such as Remote Desktop Program (RDP). and discovers login credentials.

C.

A user visits a website and downloads a file that contains a worm, which sell-replicates throughout the network.

D.

An attack exploits an operating system vulnerability and locks out users until they pay the ransom.

Full Access
Question # 26

A company has a WLAN that uses Tunnel forwarding mode and WPA3-Enterprise security, supported by an Aruba Mobility Controller (MC) and campus APs (CAPs). You have been asked to capture packets from a wireless client connected to this WLAN and submit the packets to the security team.

What is a guideline for this capture?

A.

You should use an Air Monitor (AM) to capture the packets in the air.

B.

You should capture the traffic on the MC dataplane to obtain unencrypted traffic.

C.

You should mirror traffic from the switch port that connects to the AP out on a port connected to a packet analyzer.

D.

You should capture the traffic on the AP, so that the capture is as close to the source as possible.

Full Access
Question # 27

What is a guideline for managing local certificates on AOS-CX switches?

A.

Understand that the switch must use the same certificate for all usages, such as its HTTPS server and RadSec client.

B.

Create a self-signed certificate online on the switch because AOS-CX switches do not support CA-signed certificates.

C.

Before installing the local certificate, create a trust anchor (TA) profile with the root CA certificate for the certificate that you will install.

D.

Install an Online Certificate Status Protocol (OCSP) certificate to simplify the process of enrolling and re-enrolling for certificates.

Full Access
Question # 28

What is a difference between radius and TACACS+?

A.

RADIUS combines the authentication and authorization process while TACACS+ separates them.

B.

RADIUS uses TCP for Its connection protocol, while TACACS+ uses UDP tor its connection protocol.

C.

RADIUS encrypts the complete packet, white TACACS+ only offers partial encryption.

D.

RADIUS uses Attribute Value Pairs (AVPs) in its messages, while TACACS+ does not use them.

Full Access
Question # 29

How does the AOS firewall determine which rules to apply to a specific client's traffic?

A.

The firewall applies the rules in policies associated with the client's user role.

B.

The firewall applies every rule that includes the client's IP address as the source.

C.

The firewall applies the rules in policies associated with the client's WLAN.

D.

The firewall applies every rule that includes the client's IP address as the source or destination.

Full Access
Question # 30

A company has an ArubaOS solution. The company wants to prevent users assigned to the "user_group1" role from using gaming and peer-to-peer applications.

What is the recommended approach for these requirements?

A.

Make sure DPI is enabled, and add application rules that deny gaming and peer-to-peer applications to the "user_groupr role.

B.

Create ALGs for the gaming and peer-to-peer applications, and deny the "user_group1" role on the ALGs.

C.

Add access control rules to the "user_group1" role, which deny HTTP/HTTPS traffic to IP addresses associated with gaming and peer-to-peer applications.

D.

Create service aliases for the TCP ports associated with gaming and peer-to-per applications, and use those aliases in access control rules for the "user_group" rules.

Full Access
Question # 31

You have been instructed to look in the ArubaOS Security Dashboard's client list. Your goal is to find clients that belong to the company and have connected to devices that might belong to hackers.

Which client fits this description?

A.

MAC address: d8:50:e6:f3:70:ab; Client Classification: Interfering; AP Classification: Rogue

B.

MAC address: d8:50:e6:f3:6e:c5; Client Classification: Interfering; AP Classification: Neighbor

C.

MAC address: d8:50:e6:f3:6e:60; Client Classification: Interfering; AP Classification: Authorized

D.

MAC address: d8:50:e6:f3:6d:a4; Client Classification: Authorized; AP Classification: Rogue

Full Access
Question # 32

A company is deploying ArubaOS-CX switches to support 135 employees, which will tunnel client traffic to an Aruba Mobility Controller (MC) for the MC to apply firewall policies and deep packet inspection (DPI). This MC will be dedicated to receiving traffic from the ArubaOS-CX switches.

What are the licensing requirements for the MC?

A.

one AP license per-switch

B.

one PEF license per-switch

C.

one PEF license per-switch. and one WCC license per-switch

D.

one AP license per-switch. and one PEF license per-switch

Full Access
Question # 33

What purpose does an initialization vector (IV) serve for encryption?

A.

It helps parties to negotiate the keys and algorithms used to secure data before data transmission.

B.

It makes encryption algorithms more secure by ensuring that same plaintext and key can produce different ciphertext.

C.

It enables programs to convert easily-remembered passphrases to keys of a correct length.

D.

It enables the conversion of asymmetric keys into keys that are suitable for symmetric encryption.

Full Access
Question # 34

A company with 382 employees wants to deploy an open WLAN for guests. The company wants the experience to be as follows:

The company also wants to provide encryption for the network for devices mat are capable, you implement Tor the WLAN?

Which security options should

A.

WPA3-Personal and MAC-Auth

B.

Captive portal and WPA3-Personai

C.

Captive portal and Opportunistic Wireless Encryption (OWE) in transition mode

D.

Opportunistic Wireless Encryption (OWE) and WPA3-Personal

Full Access
Question # 35

You are deploying an Aruba Mobility Controller (MC). What is a best practice for setting up secure management access to the ArubaOS Web UP

A.

Avoid using external manager authentication tor the Web UI.

B.

Change the default 4343 port tor the web UI to TCP 443.

C.

Install a CA-signed certificate to use for the Web UI server certificate.

D.

Make sure to enable HTTPS for the Web UI and select the self-signed certificate Installed in the factory.

Full Access
Question # 36

Refer to the exhibit, which shows the settings on the company’s MCs.

— Mobility Controller

Dashboard General Admin AirWave CPSec Certificates

Configuration

WLANsv Control Plane Security

Roles & PoliciesEnable CP Sec

Access PointsEnable auto cert provisioning:

You have deployed about 100 new Aruba 335-APs. What is required for the APs to become managed?

A.

installing CA-signed certificates on the APs

B.

installing self-signed certificates on the APs

C.

approving the APs as authorized APs on the AP whitelist

D.

configuring a PAPI key that matches on the APs and MCs

Full Access
Question # 37

Which is a correct description of a stage in the Lockheed Martin kill chain?

A.

In the weaponization stage, which occurs after malware has been delivered to a system, the malware executes its function.

B.

In the exploitation and installation phases, malware creates a backdoor into the infected system for the hacker.

C.

In the reconnaissance stage, the hacker assesses the impact of the attack and how much information was exfiltrated.

D.

In the delivery stage, malware collects valuable data and delivers or exfiltrates it to the hacker.

Full Access
Question # 38

Refer to the exhibits.

An admin has created a WLAN that uses the settings shown in the exhibits (and has not otherwise adjusted the settings in the AAA profile). A client connects to the WLAN. Under which circumstances will a client receive the default role assignment?

A.

The client has attempted 802.1X authentication, but the MC could not contact the authentication server.

B.

The client has passed 802.1X authentication, and the authentication server did not send an Aruba-User-Role VSA.

C.

The client has attempted 802.1X authentication, but failed to maintain a reliable connection, leading to a timeout error.

D.

The client has passed 802.1X authentication, and the value in the Aruba-User-Role VSA matches a role on the MC.

Full Access
Question # 39

What is one benefit of a Trusted Platform Module (TPM) on an Aruba AP?

A.

It enables secure boot, which detects if hackers corrupt the OS with malware.

B.

It deploys the AP with enhanced security, which includes disabling the password recovery mechanism.

C.

It allows the AP to run in secure mode, which automatically enables CPsec and disables the console port.

D.

It enables the AP to encrypt and decrypt 802.11 traffic locally, rather than at the MC.

Full Access
Question # 40

You are deploying a new wireless solution with an Aruba Mobility Master (MM). Aruba Mobility Controllers (MCs), and campus APs (CAPs). The solution will include a WLAN that uses Tunnel for the forwarding mode and WPA3-Enterprise for the security option.

You have decided to assign the WLAN to VLAN 301, a new VLAN. A pair of core routing switches will act as the default router for wireless user traffic.

Which links need to carry VLAN 301?

A.

only links in the campus LAN to ensure seamless roaming

B.

only links between MC ports and the core routing switches

C.

only links on the path between APs and the core routing switches

D.

only links on the path between APs and the MC

Full Access
Question # 41

What is one of the policies that a company should define for digital forensics?

A.

which data should be routinely logged, where logs should be forwarded, and which logs should be archived

B.

what are the first steps that a company can take to implement micro-segmentation in their environment

C.

to which resources should various users be allowed access, based on their identity and the identity of their clients

D.

which type of EAP method is most secure for authenticating wired and wireless users with 802.1

Full Access
Question # 42

Why might devices use a Diffie-Hellman exchange?

A.

to agree on a shared secret in a secure manner over an insecure network

B.

to obtain a digital certificate signed by a trusted Certification Authority

C.

to prove knowledge of a passphrase without transmitting the passphrase

D.

to signal that they want to use asymmetric encryption for future communications

Full Access
Question # 43

What is a benefit of Protected Management Frames (PMF). sometimes called Management Frame Protection (MFP)?

A.

PMF helps to protect APs and MCs from unauthorized management access by hackers.

B.

PMF ensures trial traffic between APs and Mobility Controllers (MCs) is encrypted.

C.

PMF prevents hackers from capturing the traffic between APs and Mobility Controllers.

D.

PMF protects clients from DoS attacks based on forged de-authentication frames

Full Access
Question # 44

You have an Aruba Mobility Controller (MC) that is locked in a closet. What is another step that Aruba recommends to protect the MC from unauthorized access?

A.

Use local authentication rather than external authentication to authenticate admins.

B.

Change the password recovery password.

C.

Set the local admin password to a long random value that is unknown or locked up securely.

D.

Disable local authentication of administrators entirely.

Full Access
Question # 45

You configure an ArubaOS-Switch to enforce 802.1X authentication with ClearPass Policy Manager (CPPM) denned as the RADIUS server Clients cannot authenticate You check Aruba ClearPass Access Tracker and cannot find a record of the authentication attempt.

What are two possible problems that have this symptom? (Select two)

A.

users are logging in with the wrong usernames and passwords or invalid certificates.

B.

Clients are configured to use a mismatched EAP method from the one In the CPPM service.

C.

The RADIUS shared secret does not match between the switch and CPPM.

D.

CPPM does not have a network device defined for the switch's IP address.

E.

Clients are not configured to trust the root CA certificate for CPPM's RADIUS/EAP certificate.

Full Access
Question # 46

What is one difference between EAP-Tunneled Layer Security (EAP-TLS) and Protected EAP (PEAP)?

A.

EAP-TLS begins with the establishment of a TLS tunnel, but PEAP does not use a TLS tunnel as part of its process.

B.

EAP-TLS requires the supplicant to authenticate with a certificate, but PEAP allows the supplicant to use a username and password.

C.

EAP-TLS creates a TLS tunnel for transmitting user credentials, while PEAP authenticates the server and supplicant during a TLS handshake.

D.

EAP-TLS creates a TLS tunnel for transmitting user credentials securely, while PEAP protects user credentials with TKIP encryption.

Full Access
Question # 47

What is a reason to set up a packet capture on an Aruba Mobility Controller (MC)?

A.

The company wants to use ClearPass Policy Manager (CPPM) to profile devices and needs to receive HTTP User-Agent strings from the MC.

B.

The security team believes that a wireless endpoint connected to the MC is launching an attack and wants to examine the traffic more closely.

C.

You want the MC to analyze wireless clients' traffic at a lower level, so that the ArubaOS firewall can control the traffic I based on application.

D.

You want the MC to analyze wireless clients' traffic at a lower level, so that the ArubaOS firewall can control Web traffic based on the destination URL.

Full Access
Question # 48

Which correctly describes a way to deploy certificates to end-user devices?

A.

ClearPass Onboard can help to deploy certificates to end-user devices, whether or not they are members of a Windows domain

B.

ClearPass Device Insight can automatically discover end-user devices and deploy the proper certificates to them

C.

ClearPass OnGuard can help to deploy certificates to end-user devices, whether or not they are members of a Windows domain

D.

in a Windows domain, domain group policy objects (GPOs) can automatically install computer, but not user certificates

Full Access
Question # 49

What is one of the roles of the network access server (NAS) in the AAA framewonx?

A.

It authenticates legitimate users and uses policies to determine which resources each user is allowed to access.

B.

It negotiates with each user's device to determine which EAP method is used for authentication

C.

It enforces access to network services and sends accounting information to the AAA server

D.

It determines which resources authenticated users are allowed to access and monitors each users session

Full Access
Question # 50

A user attempts to connect to an SSID configured on an AOS-8 mobility architecture with Mobility Controllers (MCs) and APs. The SSID enforces WPA3-Enterprise security and uses HPE Aruba Networking ClearPass Policy Manager (CPPM) as the authentication server. The WLAN has initial role, logon, and 802.1X default role, guest.

A user attempts to connect to the SSID, and CPPM sends an Access-Accept with an Aruba-User-Role VSA of "contractor," which exists on the MC.

What does the MC do?

A.

Applies the rules in the logon role, then guest role, and the contractor role

B.

Applies the rules in the contractor role

C.

Applies the rules in the contractor role and the logon role

D.

Applies the rules in the contractor role and guest role

Full Access