New Year Sale - Special 70% Discount Offer - Ends in 1d 7h 50m 35s - Coupon code: 70dumps

HPE7-A02 Questions and Answers

Question # 6

A company uses HPE Aruba Networking ClearPass Device Insight (CPDI) (the standalone application option). In the details for a generic device cluster, you see a

recommendation for "Windows 8/10" with 70% accuracy.

What does this mean?

A.

CPDI has detected that these devices match about 70% of the system rule for defining "Windows 8/10" devices.

B.

CPDI has matched these devices against several, conflicting system rules. 70% of those rules are for "Windows 8/10" devices.

C.

CPDI has grouped this cluster with similar classified devices. 70% of those classified devices are "Windows 8/10."

D.

CPDI has used MAC OUI to group these devices together. The average device's MAC address matches 70% of the "Windows 8/10" OUI.

Full Access
Question # 7

You need to set up HPE Aruba Networking ClearPass Policy Manager (CPPM) to provide certificate-based authentication of 802.1X supplicants. How should you upload the root CA certificate for the supplicants’ certificates?

A.

As a ClearPass Server certificate with the RADIUS/EAP usage.

B.

As a ClearPass Server certificate with the Database usage.

C.

As a Trusted CA with the AD/LDAP usage.

D.

As a Trusted CA with the EAP usage.

Full Access
Question # 8

An AOS-CX switch has been configured to implement UBT to a cluster of three HPE Aruba Networking gateways.

How does the switch determine to which gateways to tunnel UBT users' traffic?

A.

The switch tunnels all users' traffic to the gateway configured as the primary gateway in the UBT zone, unless that gateway fails.

B.

The switch tunnels each user's traffic to the particular gateway assigned as that user's active user designed gateway.

C.

The switch load balances client traffic across the primary and standby gateway configured in the UBT zone.

D.

The switch tunnels all users' traffic to the gateway assigned as the switch's active device designated gateway.

Full Access
Question # 9

What is a use case for running periodic subnet scans on devices from HPE Aruba Networking ClearPass Policy Manager (CPPM)?

A.

Using DHCP fingerprints to determine a client's device category and OS

B.

Detecting devices that fail to comply with rules defined in CPPM posture policies

C.

Identifying issues with authenticating and authorizing clients

D.

Using WMI to collect additional information about Windows domain clients

Full Access
Question # 10

You are using Wireshark to view packets captured from HPE Aruba Networking infrastructure, but you’re not sure that the packets are displaying correctly. In which circumstance does it make sense to configure Wireshark to ignore protection bits with the IV for the 802.11 protocol?

A.

When the traffic was captured on the data plane of an HPE Aruba Networking gateway and sent to a remote IP.

B.

When the traffic was mirrored from an AOS-CX switch port connected to an AP.

C.

When the traffic was captured from an AP with HPE Aruba Networking Central.

D.

When the traffic was captured on the control plane of an HPE Aruba Networking MC and sent to a remote IP.

Full Access
Question # 11

A ClearPass Policy Manager (CPPM) service includes these settings:

    Role Mapping Policy:

      Evaluate: Select first

      Rule 1 conditions:

        Authorization:AD:Groups EQUALS Managers

        Authentication:TEAP-Method-1-Status EQUALS Success

        Rule 1 role: manager

Rule 2 conditions:

    Authentication:TEAP-Method-1-Status EQUALS Success

    Rule 2 role: domain-comp

Default role: [Other]

Enforcement Policy:

    Evaluate: Select first

    Rule 1 conditions:

      Tips Role EQUALS manager AND Tips Role EQUALS domain-comp

      Rule 1 profile list: domain-manager

Rule 2 conditions:

    Tips Role EQUALS manager

    Rule 2 profile list: manager-only

Rule 3 conditions:

    Tips Role EQUALS domain-comp

    Rule 3 profile list: domain-only

Default profile: [Deny access]

A client is authenticated by the service. CPPM collects attributes indicating that the user is in the Contractors group, and the client passed both TEAP methods.

Which enforcement policy will be applied?

A.

[Deny Access Profile]

B.

manager-only

C.

domain-manager

D.

domain-only

Full Access
Question # 12

You have downloaded a packet capture that you generated on HPE Aruba Networking Central. When you open the capture in Wireshark, you see the output shown in the

exhibit.

What should you do in Wireshark so that you can better interpret the packets?

A.

Choose to decode UDP port 5555 packets as ARUBA_ERM and set the Aruba ERM Type to 0.

B.

Edit preferences for IEEE 802.11 and chose to ignore the Protection bit with IV.

C.

Apply the following display filter: wlan.fc.type == 1.

D.

Edit the Enabled Protocols and make sure that 802.11, GRE, and Aruba_ERM are enabled.

Full Access
Question # 13

HPE Aruba Networking Central displays an alert about an Infrastructure Attack that was detected. You go to the Security > RAPIDS events and see that the attack was "Detect adhoc using Valid SSID." What is one possible next step?

A.

Make sure that you have tuned the threshold for that check as false positives are common for it.

B.

Make sure that clients have updated drivers, as faulty drivers are a common explanation for this attack type.

C.

Use HPE Aruba Networking Central floorplans or the detecting AP identities to locate the general area for the threat.

D.

Look for the IP address associated with the offender and then check for that IP address among HPE Aruba Networking Central clients.

Full Access
Question # 14

You are setting up HPE Aruba Networking SSE. Which use case requires you to apply a non-default device posture in a rule?

A.

Applying threat inspection to users when they access certain websites

B.

Checking whether a client has antivirus software as a condition for receiving access to resources

C.

Redirecting compromised clients to a remediation server

D.

Integrating with HPE Aruba Networking ClearPass OnGuard

Full Access
Question # 15

A company uses HPE Aruba Networking ClearPass Policy Manager (CPPM) as a TACACS+ server to authenticate managers on its AOS-CX switches. The

company wants CPPM to control which commands managers are allowed to enter. You see there is no field to enter these commands in ClearPass.

How do you start configuring the command list on CPPM?

A.

Add the Shell service to the managers' TACACS+ enforcement profiles.

B.

Edit the TACACS+ settings in the AOS-CX switches' network device entries.

C.

Create an enforcement policy with the TACACS+ type.

D.

Edit the settings for CPPM's default TACACS+ admin roles.

Full Access
Question # 16

A company has HPE Aruba Networking gateways that implement gateway IDS/IPS. Admins sometimes check the Security Dashboard, but they want a faster way

to discover if a gateway starts detecting threats in traffic.

What should they do?

A.

Use Syslog to integrate the gateways with HPE Aruba Networking ClearPass Policy Manager (CPPM) event processing.

B.

Integrate HPE Aruba Networking ClearPass Device Insight (CPDI) with Central and schedule hourly reports.

C.

Set up email notifications using HPE Aruba Networking Central's global alert settings.

D.

Set up Webhooks that are attached to the HPE Aruba Networking Central Threat Dashboard.

Full Access
Question # 17

What is one use case for implementing user-based tunneling (UBT) on AOS-CX switches?

A.

Centralizing the distribution of wired traffic without requiring HPE Aruba Networking gateways

B.

Tunneling traffic directly to a third-party firewall in a client data center

C.

Adding 802.1X while continuing to use the existing VLAN and ACL structure in the Ethernet network

D.

Applying enhanced security features such as deep packet inspection (DPI) to wired traffic

Full Access
Question # 18

A company lacks visibility into the many different types of user and loT devices deployed in its internal network, making it hard for the security team to address

those devices.

Which HPE Aruba Networking solution should you recommend to resolve this issue?

A.

HPE Aruba Networking ClearPass Device Insight (CPDI)

B.

HPE Aruba Networking Network Analytics Engine (NAE)

C.

HPE Aruba Networking Mobility Conductor

D.

HPE Aruba Networking ClearPass OnBoard

Full Access
Question # 19

A company has HPE Aruba Networking gateways that implement gateway IDS/IPS. Admins sometimes check the Security Dashboard, but they want a faster way to discover if a gateway starts detecting threats in traffic.

What should they do?

A.

Set up Webhooks that are attached to the HPE Aruba Networking Central Threat Dashboard.

B.

Use Syslog to integrate the gateways with HPE Aruba Networking ClearPass Policy Manager (CPPM) event processing.

C.

Set up email notifications using HPE Aruba Networking Central's global alert settings.

D.

Integrate HPE Aruba Networking ClearPass Device Insight (CPDI) with Central and schedule hourly reports.

Full Access
Question # 20

A company wants to implement Virtual Network based Tunneling (VNBT) on a particular group of users and assign those users to an overlay network with VNI

3000.

Assume that an AOS-CX switch is already set up to:

. Implement 802.1X to HPE Aruba Networking ClearPass Policy Manager (CPPM)

. Participate in an EVPN VXLAN solution that includes VNI 3000

Which setting should you configure in the users' AOS-CX role to apply VNBT to them when they connect?

A.

Gateway zone set to "3000" with no gateway role set

B.

Gateway zone set to "vni-3000" with no gateway role set

C.

Access VLAN set to the VLAN mapped to VNI 3000

D.

Access VLAN ID set to "3000"

Full Access
Question # 21

You have enabled "rogue AP containment" in the Wireless IPS settings for a company’s HPE Aruba Networking APs. What form of containment does HPE Aruba Networking recommend?

A.

Wireless deauthentication only

B.

Wireless tarpit and wired containment

C.

Wireless tarpit only

D.

Wired containment

Full Access
Question # 22

What is a use case for the HPE Aruba Networking ClearPass OnGuard dissolvable agent?

A.

Continuously monitoring Windows domain clients for compliance

B.

Implementing a one-time compliance scan

C.

Auto-remediating posture issues on clients

D.

Periodically scanning Linux clients for security issues

Full Access
Question # 23

A company has AOS-CX switches and HPE Aruba Networking APs, which run AOS-10 and bridge their SSIDs. Company security policies require 802.1X on all

edge ports, some of which connect to APs.

How should you configure the auth-mode on AOS-CX switches?

A.

Configure all edge ports in device auth-mode.

B.

Leave all edge ports in client auth-mode and configure device auth-mode in the AP role.

C.

Configure all edge ports in client auth-mode.

D.

Leave all edge ports in device auth-mode and configure client auth-mode in the AP role.

Full Access
Question # 24

You are configuring the HPE Aruba Networking ClearPass Device Insight Integration settings on ClearPass Policy Manager (CPPM). For which use case should you set the 'Tag Updates Action" to "apply for all tag updates"?

A.

When the Device Insight integration poll interval is set to a relatively long interval but you still want CPPM to be informed quickly about devices' new tags.

B.

When Device Insight tags are only used to identify dangerous devices, and you want to disconnect those devices without having to set up new rules in enforcement policies.

C.

When CPPM is gathering posture information for CPDI, and you want CPDI to always have access to the most up-to-date information.

D.

When you plan to have CPPM issue CoAs for clients with new tags, but do not want to have to list those specific tags in the Device Integration settings in advance.

Full Access
Question # 25

You are establishing a cluster of HPE Aruba Networking ClearPass servers. (Assume that they are running version 6.9.).

For which type of certificate it is recommended to install a CA-signed certificate on the Subscriber before it joins the cluster?

A.

Database

B.

HTTPS

C.

RADIUS/EAP

D.

RadSec

Full Access
Question # 26

A company has HPE Aruba Networking APs running AOS-10 that connect to AOS-CX switches. The APs will:

    Authenticate as 802.1X supplicants to HPE Aruba Networking ClearPass Policy Manager (CPPM)

    Be assigned to the "APs" role on the switches

    Have their traffic forwarded locally

What information do you need to help you determine the VLAN settings for the "APs" role?

A.

Whether the switches are using local user-roles (LURs) or downloadable user-roles (DURs).

B.

Whether the APs bridge or tunnel traffic on their SSIDs.

C.

Whether the switches have established tunnels with an HPE Aruba Networking gateway.

D.

Whether the APs have static or DHCP-assigned IP addresses.

Full Access
Question # 27

You are helping an organization deploy HPE Aruba Networking SSE. What is one reason to recommend that the company install agents on remote users' devices?

A.

To run posture checks and apply different permissions based on those checks.

B.

To permit admins to manage the HPE Aruba Networking SSE policy rules.

C.

To permit users to access private servers using SSH.

D.

To run threat inspection on clients in a local sandbox rather than in the cloud.

Full Access
Question # 28

All of the switches in the exhibit are AOS-CX switches.

What is the preferred configuration on Switch-2 for preventing rogue OSPF routers in this network?

A.

Disable OSPF entirely on VLANs 10-19.

B.

Configure OSPF authentication on VLANs 10-19 in password mode.

C.

Configure OSPF authentication on Lag 1 in MD5 mode.

D.

Configure passive-interface as the OSPF default and disable OSPF passive on Lag 1.

Full Access
Question # 29

A company has HPE Aruba Networking APs running AOS-10 and managed by HPE Aruba Networking Central. The company also has AOS-CX switches. The

security team wants you to capture traffic from a particular wireless client. You should capture this client's traffic over a 15 minute time period and then send the

traffic to them in a PCAP file.

What should you do?

A.

Go to the client's AP in HPE Aruba Networking Central. Use the "Security" page to run a packet capture.

B.

Access the CLI for the client's AP. Set up a mirroring session between its radio and a management station running Wireshark.

C.

Access the CLI for the client's AP's switch. Set up a mirroring session between the AP's port and a management station running Wireshark.

D.

Go to that client in HPE Aruba Networking Central. Use the "Live Events" page to run a packet capture.

Full Access
Question # 30

A company has AOS-CX switches at the access layer, managed by HPE Aruba Networking Central. You have identified suspicious activity on a wired client. You want to analyze the client's traffic with Wireshark, which you have on your management station.

What should you do?

A.

Access the client's switch's CLI from your management station. Access the switch shell and run a TCP dump on the client port.

B.

Go to the client's switch in HPE Aruba Networking Central. Use the "Security" page to run a packet capture.

C.

Set up a policy that implements a captive portal redirect to your management station. Apply that policy to the client's port.

D.

Set up a mirror session on the client's switch; set the client port as the source and your station IP address as the tunnel destination.

Full Access
Question # 31

A company uses both HPE Aruba Networking ClearPass Policy Manager (CPPM) and HPE Aruba Networking ClearPass Device Insight (CPDI).

What is one way integrating the two solutions can help the company implement Zero Trust Security?

A.

CPPM can provide CPDI with custom device fingerprint definitions in order to enhance the company's total visibility.

B.

CPDI can provide CPPM with extra information about users' identity; CPPM can then use that information to apply the correct identity-based enforcement.

C.

CPPM can inform CPDI that it has assigned a particular Aruba-User-Role to a client; CPDI can then use that information to reclassify the client.

D.

CPDI can use tags to inform CPPM that clients are using prohibited applications; CPPM can then tell the network infrastructure to quarantine those clients.

Full Access
Question # 32

You are setting up policy rules in HPE Aruba Networking SSE. You want to create a single rule that permits users in a particular user group to access multiple applications. What is an easy way to meet this need?

A.

Associate the applications directly with the IdP used to authenticate the users; choose any for the destination in the policy rule.

B.

Apply the same tag to the applications; select the tag as a destination in the policy rule.

C.

Place all the applications in the same connector zone; select that zone as a destination in the policy rule.

D.

Select the applications within a non-default web profile; select that profile in the policy rule.

Full Access
Question # 33

A company needs to enforce 802.1X authentication for its Windows domain computers to HPE Aruba Networking ClearPass Policy Manager (CPPM). The

company needs the computers to authenticate as both machines and users in the same session.

Which authentication method should you set up on CPPM?

A.

TEAP

B.

PEAP MSCHAPv2

C.

EAP-TTLS

D.

EAP-TLS

Full Access
Question # 34

A company is using HPE Aruba Networking Central SD-WAN Orchestrator to establish a hub-spoke VPN between branch gateways (BGWs) at 1444 site and

VPNCs at multiple data centers.

What is part of the configuration that admins need to complete?

A.

At the global level, create default IPsec policies for the SD-WAN Orchestrator to use.

B.

In BGWs' groups, select the VPNCs to which to connect in a DC preference list.

C.

In VPNCs' groups, establish VPN pools to control which branches connect to which VPNCs.

D.

In BGWs' and VPNCs' groups, create default IKE policies for the SD-WAN Orchestrator to use.

Full Access
Question # 35

A company has AOS-CX switches, which authenticate clients to HPE Aruba Networking ClearPass Policy Manager (CPPM). CPPM is set up to receive a variety of information about clients' profile and posture. New information can mean that CPPM should change a client's enforcement profile. What should you set up on the switches to help the solution function correctly?

A.

Enable RADIUS accounting to CPPM, including interim RADIUS accounting.

B.

Configure a RADIUS track that references CPPM's FQDN or IP address.

C.

Enable dynamic authorization, and specify CPPM as a dynamic authorization client.

D.

Re-configure the authentication server on the switch specifying CPPM as a TACACS server.

Full Access
Question # 36

A company wants HPE Aruba Networking ClearPass Policy Manager (CPPM) to respond to Syslog messages from its Palo Alto Next Generation Firewall (NGFW)

by quarantining clients involved in security incidents.

Which step must you complete to enable CPPM to process the Syslogs properly?

A.

Configure the Palo Alto as a context server on CPPM.

B.

Install a Palo Alto Extension through ClearPass Guest.

C.

Enable Insight and ingress event processing on the CPPM server.

D.

Configure CPPM to trust the root CA certificate for the NGFW.

Full Access
Question # 37

A company issues user certificates to domain computers using its Windows CA and the default user certificate template. You have set up HPE Aruba Networking

ClearPass Policy Manager (CPPM) to authenticate 802.1X clients with those certificates. However, during tests, you receive an error that authorization has failed

because the usernames do not exist in the authentication source.

What is one way to fix this issue and enable clients to successfully authenticate with certificates?

A.

Configure rules to strip the domain name from the username.

B.

Change the authentication method list to include both PEAP MSCHAPv2 and EAP-TLS.

C.

Add the ClearPass Onboard local repository to the authentication source list.

D.

Remove EAP-TLS from the authentication method list and add TEAP there instead.

Full Access
Question # 38

HPE Aruba Networking ClearPass Device Insight (CPDI) could not classify some endpoints using system and user rules. Using machine learning, it did assign those endpoints to a cluster and discover a recommendation. In which of these circumstances does CPDI automatically classify the endpoints based on that recommendation?

A.

The recommendation has 96% confidence, and it is based on 13 classified devices.

B.

The recommendation has 98% confidence, and it is based on 5 classified devices.

C.

The recommendation has 93% confidence, and it is based on 36 classified devices.

D.

The recommendation has 100% confidence, and it is based on 4 classified devices.

Full Access
Question # 39

A company wants to turn on Wireless IDS/IPS infrastructure and client detection at the high level on HPE Aruba Networking APs. The company does not want to

enable any prevention settings.

What should you explain about HPE Aruba Networking recommendations?

A.

HPE Aruba Networking recommends turning on both wired and wireless prevention whenever you enable detection at high.

B.

HPE Aruba Networking recommends using hybrid AP mode, as opposed to Air Monitors (AMs), when implementing detection without prevention.

C.

HPE Aruba Networking recommends disabling client detection when you configure infrastructure detection at high, as infrastructure detection includes all the client checks and more.

D.

HPE Aruba Networking recommends configuring infrastructure and client detection at a custom level and disabling or tuning some of the settings that are likely to produce false positives.

Full Access