Free HPE6-A84 Exam Braindumps (page: 5)

Page 5 of 16

Refer to the scenario.

A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune).

The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10).

The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients' privileges, ClearPass also should use information collected by Intune to make access control decisions.

The customer wants you to configure CPPM to collect information from Intune on demand during the authentication process.

What should you tell the Intune admins about the certificates issued to clients?

  A. They must be issued by a well-known, trusted CA.
  B. They must include the Intune ID in the subject name.
  C. They must include the client MAC address in the subject name.
  D. They must be issued by a ClearPass Onboard CA.

Answer(s): B

Explanation:

To configure CPPM to collect information from Intune on demand during the authentication process, you need to use the Intune extension for ClearPass. This extension allows ClearPass to query Intune for device compliance and configuration information using the Intune API. To use this extension, you need to register an app in Azure AD and grant it the required permissions to access Intune [1]. The Intune extension uses the device ID as the key to query Intune for device information. The device ID is a unique identifier that Intune assigns to each enrolled device, and ClearPass obtains it from the client certificate used for EAP-TLS authentication. Therefore, the certificates issued to clients must include the Intune ID in the subject name so that ClearPass can extract it and use it to query Intune [2].
The certificates issued to clients do not need to be issued by a well-known, trusted CA, as long as ClearPass trusts the CA that issued them. The certificates do not need to include the client MAC address in the subject name, as this is not relevant for querying Intune. The certificates do not need to be issued by a ClearPass Onboard CA, as this is not a requirement for using the Intune extension.


Reference:

[1] ClearPass Extensions - Microsoft Intune Integration - Aruba, section "Configuring Microsoft Extension in ClearPass"
[2] ClearPass Extensions - Microsoft Intune Integration - Aruba, section "Configuring EAP-TLS Authentication"



Refer to the scenario.

A customer is migrating from on-prem AD to Azure AD as its sole domain solution. The customer also manages both wired and wireless devices with Microsoft Endpoint Manager (Intune). The customer wants to improve security for the network edge. You are helping the customer design a ClearPass deployment for this purpose. Aruba network devices will authenticate wireless and wired clients to an Aruba ClearPass Policy Manager (CPPM) cluster (which uses version 6.10). The customer has several requirements for authentication. The clients should only pass EAP-TLS authentication if a query to Azure AD shows that they have accounts in Azure AD. To further refine the clients' privileges, ClearPass also should use information collected by Intune to make access control decisions.
You are planning to use Azure AD as the authentication source in 802.1X services.
What should you make sure that the customer understands is required?

  A. An app registration on Azure AD that references the CPPM's FQDN
  B. Windows 365 subscriptions
  C. CPPM's RADIUS certificate was imported as trusted in the Azure AD directory
  D. Azure AD Domain Services

Answer(s): A

Explanation:

To use Azure AD as the authentication source in 802.1X services, you need to configure CPPM as a SAML service provider and Azure AD as a SAML identity provider. This allows CPPM to use Azure AD for user authentication and role mapping. To do this, you need to create an app registration on Azure AD that references the CPPM's FQDN as the reply URL and the entity ID. You also need to grant the app registration the required permissions to access user information from Azure AD [1].



You are configuring gateway IDS/IPS settings in Aruba Central. For which reason would you set the Fail Strategy to Bypass?

  A. To permit traffic if the IPS engine fails to inspect it
  B. To enable the gateway to honor the allowlist settings configured in IDS/IPS policies
  C. To tell gateways to stop enforcing IDS/IPS policies if they lose connectivity to the Internet
  D. To avoid wasting IPS engine resources on filtering traffic for unauthenticated clients

Answer(s): A

Explanation:

The Fail Strategy is a configuration option for the IPS mode of inspection on Aruba gateways. It defines the action to be taken when the IPS engine crashes and cannot inspect the traffic. There are two possible options for the Fail Strategy: Bypass and Block [1]. If you set the Fail Strategy to Bypass, you are telling the gateway to allow the traffic to flow without inspection when the IPS engine fails. This option ensures that there is no disruption in network connectivity, but it also exposes the network to potential threats that the IPS engine would otherwise detect or prevent [1].
If you set the Fail Strategy to Block, you are telling the gateway to stop the traffic flow until the IPS engine resumes inspection. This option ensures that there is no compromise in network security, but it also causes a loss of network connectivity for the duration of the IPS engine failure [1].



How does Aruba Central handle security for site-to-site connections between AOS 10 gateways?

  A. It uses Aruba proprietary integrity and encryption technologies to secure site-to-site connections, making them resistant to zero-day attacks.
  B. It automatically establishes IPsec tunnels for all site-to-site (all hubs and branches) connections using keys securely distributed by Central.
  C. It automatically steers traffic away from Internet-based connections to more secure MPLS connections to reduce encryption overhead.
  D. It automatically establishes simple-to-manage and highly secure TLSv1.3 tunnels between gateways.

Answer(s): B

Explanation:

Aruba Central supports site-to-site VPNs between AOS 10 gateways, which are Aruba devices that provide routing, firewall, and VPN functions. Aruba Central can automatically provision and manage the site-to-site VPNs using the VPN Manager feature. The VPN Manager allows you to create VPN groups that consist of one or more hubs and branches, and to define the VPN settings for each group [1]. Aruba Central uses IPsec as the protocol to secure the site-to-site connections between the AOS 10 gateways. IPsec is a standard protocol that provides encryption, authentication, and integrity for IP packets. Aruba Central automatically establishes IPsec tunnels for all site-to-site connections using keys that are securely distributed by Central. The keys are generated by Central and pushed to the gateways over a secure channel, and they are rotated periodically to enhance security [2].





