Questions & Answers PDF P-1

HP
HPE6-A82 Exam
Aruba Certified ClearPass Associate Exam
 Questions & Answers PDF P-2

Product Questions: 60
Version: 4.0

Question: 1

What is RADIUS Change of Authorization (CoA)?

A. It allows ClearPass to transmit messages to the Network Attached Device/Network Attached

Server (NAD/NAS) to modify a user’s session status
B. It allows clients to issue a privilege escalation request to ClearPass using RADIUS to switch to
TACACS+
C. It is a mechanism that enables ClearPass to assigned a User-Based Tunnel (UBT) between a switch
and controller for Dynamic Segmentation
D. It forces the client to re-authenticate upon roaming to an access point controlled by a foreign
mobility controller.

Answer: A

Reference:
http://www.arubanetworks.com/techdocs/ClearPass/Aruba_CPPMOnlineHelp/Content/CPPM_User
Guide/Enforce/EPRADIUS_CoA.htm
Question: 2

Which Authorization Source support device profile enforcement?

A. Local user Repository

B. Endpoint Repository
C. OnGuard Repository
D. Gust User Repository

Answer: A

Question: 3

Refer to the exhibit.

 Questions & Answers PDF P-3

Where will the guests browser be redirected during a captive portal login attempt?

A. The captive portal page hosted on the Aruba controller

B. The redirect will time out and fan to resolve
C. The captive portal page hosted on ClearPass
D. The captive portal page hosted on Aruba Central in the cloud

Answer: D

Question: 4

An organization wants to have guests connect their own personal devices to the wireless network
without requiring a receptionist setting up a guest account. Which ClearPass feature can be used to
meet the organization's requirements?

A. Guest with self-registration

B. ClearPass Onboard
C. MAC authentication with profiling
D. Policy Manager Enforcement

Answer: A

Question: 5

What are "Known" endpoints in ClearPass?

A. These are endpoints whose beacons have been detected but have never completed
authentication
 Questions & Answers PDF P-4

B. The label "Known" indicates rogue endpoints labeled as "friendly" or "ignore"

C. "Known" endpoints have be fingerprinted to determine their operating system and manufacturer.
D. "Known" endpoints can be authenticated based on MAC address to bypass the captive portal
login.

Answer: D

Question: 6

When is it appropriate to use the built-in Local user database in ClearPass?

A. In small-business environments where the user accounts rarely change and new accounts are
uncommon.
B. In a hospitality deployment for guest accounts created and managed by start
C. In a public-facing guest network environment where the guests are prompted to self-register
D. In a large campus environment where Students and Contractors account for 35.000 entries that
change weekly

Answer: B

Question: 7

Refer to the exhibit.

 Questions & Answers PDF P-5

A client is attempting to authenticate using their Windows account with a bad password if the
Remote Lab AD server is down for maintenance, what win be the expected result?

A. ClearPass receive a timeout attempt when trying the Remote Lao AD server first No further
processing will occur until the Remote Lab AD server is marked as "Down" by the Administrator
B. ClearPass try either server Backup 1 or Backup 2 depending on which has responded the fastest in
prior attempts to authenticate ClearPass win then receive a result of Active Directory Authentication
failed No further processing will occur
C. ClearPass receives a timeout attempt when trying the Remote Lab AD server first. It will then try
the server Backup 1 and Backup 2: both will send a result authentication failed
D. ClearPass receives a timeout attempt when trying the Remote Lab AD server first It will then try
the server Backup 1 and receive a result of Active Directory Authentication failed No further
processing will occur

Answer: D

Question: 8

Aruba self-registration with sponsorship is a solution best applied to which type of network?

A. a chain of auto part stores where employees are assigned mobile devices using a Mobile Device
Manager (MDM) and public wireless is available for customers
 Questions & Answers PDF P-6

B. a large corporate environment with hundreds of contractors requiring wireless access to printers
and internet but no other guest access is allowed
C. a hotel where hundreds of guests are checked in and out of the building daily that may want
access to wireless internet
D. a chain of coffee shops using in a public downtown area with a high amount of guest turnover
needing access to public wireless

Answer: A

Question: 9

What is a good collector type used for ClearPass to discover devices with static IP addresses?

A. DHCP Collectors
B. Network Functions
C. Active Collectors
D. ClearPass Air Monitors

Answer: A

Question: 10

What are two ways to add guest accounts to ClearPass? (Select two.)

A. Using the "Import Accounts" under ClearPass Guest

B. Using the "Create Account" or "Create Multiple'' options under ClearPass Guest
C. Assigning the default role "Lobby Ambassador to a receptionist to then add the accounts
D. Using the "Sync Accounts'' under ClearPass Guest
E. importing accounts from Active Directory once ClearPass is added with Admin credentials

Answer: BD

Question: 11

Which actions are necessary to set up a ClearPass guest captive portal web login page to execute
with no errors? (Select two)

A. Install an enterprise Certificate Authority (CA) signed HTTPS certificate in the Network Access
Device (NAD)
B. Configure the vendor settings in the Network Access Device (NAD) to match the web login page
C. Install an enterprise Certificate Authority (CA) signed HTTPS certificate in ClearPass and the
Network Access Device (NAD)
D. Install a publicly signed HTTPS certificate in ClearPass and the Network Access Device (NAD)
E. Configure the vendor settings in the web Login page to match the Network Access Device (NAD).

Answer: DE
 Questions & Answers PDF P-7

Question: 12

Refer to the diagram.

When creating a new ClearPass Service, the [Time Source] has been added as an authorization
source. What time source is ClearPass referencing?

A. the ClearPass server where insight Master has been enabled

B. the local time setting found on the authenticating client machine
C. the NTP (Network Time Protocol) source indicated in the Cluster settings
D. the local clock of the ClearPass server doing the authentication

Answer: B

Question: 13

Which ClearPass fingerprint collectors are valid for active profiling of endpoints? (Select two.)

A. DHCP fingerprinting
B. IF-MAP
C. SNMP
D. HTTP user agents
E. NMAP

Answer: CD

Question: 14

Refer to the Endpoint in the screenshot.

 Questions & Answers PDF P-8

What are possible ways that it was profiled? (Select two)

A. Cisco Device Sensor

B. Exchange Plugging agent
C. 3rd part MDM
D. DNS fingerprinting
E. NAD ARP listening handler

Answer: CE

Question: 15

When ClearPass is communicating with external context servers, which connection protocol is
typically used?

A. YAML
B. SOAP and XML
C. REST APIs over HTTPS
D. FTP over SSH

Answer: B

Question: 16
 Questions & Answers PDF P-9

What services are recommended to be allowed by the pre-authenticated role assigned to the Client
during the Captive Portal process? (Choose three.)

A. HTTPS to the internet

B. DHCP options 43 and 150
C. DHCP address assignment
D. RADIUS to ClearPass
E. HTTPS to ClearPass
F. DNS resolution

Answer: ACF

Question: 17

ClearPass receives fingerprinting profile data for a client device that is based on MAC OUl. NMAP.
DHCP, and OnGuard Which fingerprint or fingerprints are used?

A. All fingerprints are applied

B. The last fingerprint gathered
C. NMAP because it is actively obtained
D. OnGuard because it is application based

Answer: D

Question: 18

Which items can be obtained from device profiling'? (Select three )

A. Device Location
B. Device Family
C. Device Category
D. Device Type
E. Device Health

Answer: ACD

Question: 19

Refer to the exhibit.

 Questions & Answers PDF P-10

What are two consequences of the Cache Timeout being set to 36000 seconds? (Select two.)

A. A user changing departments may not see their Department attribute change in AD reflected
while authenticating until the Cache Timeout period has ended
B. Less traffic is required between ClearPass and the AD server when re-authenticating within a 10
hour period.
C. The Cache Timeout is designed to reduce the amount of traffic between ClearPass and the AD
server by caching user credentials for a 10 hour period
D. ClearPass will cache all user and machine attributes from AD every 10 hours in anticipation of one
of those users or machines attempting to authenticate
E. On a failed authentication attempt. ClearPass will consider any subsequent attempts within 10
hours as total failed attempts before blacklisting the client.

Answer: AD

Question: 20

Which option support DHCP profiling for devices in a network?

A. enabling DHCP relay on our network access devices so DHCP requests are forwarded to ClearPass
B. enabling the DHCP server to profile endpoints and forward meta-data to ClearPass
C. DHCP profiling is enabled on ClearPass by default configuration of the network access devices is
not necessary
D. configuring ClearPass as a DHCP relay for the client

Answer: A
 Questions & Answers PDF P-11

Reference:
https://community.arubanetworks.com/aruba/attachments/aruba/ForoenEspanol/653/1/ClearPass
%20Profiling%20TechNote.pdf

Question: 21

Refer to the exhibit.

What is true regarding leaving the indicated option "Use cached Roles and Posture attributes from
previous sessions" unchecked?

A. The service will make the enforcement decision based upon the updated Posture regardless of
caching
B. A posture change applied to an endpoint is going to be lost each time the client re-authenticates
C. Posturing win no longer be evaluated in determining the enforcement policy for current or future
sessions.
D. Cached posture results are no longer stored by ClearPass but instead are saved to the endpoint of
the client.

Answer: B

Question: 22

Which most accurately describes the "Select All Matches" rule evaluation algorithm in Enforcement
Policies?

A. Each rule is checked, and once a match is found, the Enforcement profile assigned to that rule is
applied and the rule matching stops.
 Questions & Answers PDF P-12

B. All rules are checked. And if there is no match no Enforcement profile is applied.
C. Each rule is checked, and once a match is found, the Enforcement profile assigned to that rule ts
applied, along with the default Enforcement profile.
D. All rules are checked for any matching rules and their respective Enforcement profiles are applied.

Answer: D

Question: 23

Sponsorship has been enabled on the guest network A guest user connects and completes the self-
registration form indicating a valid sponsor. The guest then clicks submit What is the current state of
the guest account?

A. The guest account is created in a disabled state with the "Log In" button grayed out
B. The guest account is not yet created and remains in a disabled state There is not "Log in" button
yet displayed
C. The guest account is created in disabled state, the "Log In" button will appear only after the
sponsor approval process is completed
D. The guest account is created in an enabled state with the Tog in" button functional

Answer: C

Question: 24

Which authentication method requires a client certificate?

A. PEAP
B. Guest serf-registration
C. EAP-TLS
D. MAC Authentication

Answer: C

Question: 25

What is the benefit to installing a wild card certificate for captive portal authentication?

A. Guests no longer are required to validate certificates during captive portal.

B. Allows different certificates for each controller for increased security
C. Wild card certificates are provide greater security than normal certificates
D. Allows the single wild card certificate to be installed on all controllers in the environment

Answer: A

Question: 26
 Questions & Answers PDF P-13

When should a role mapping policy be used in an 802.1x service with Active Directory as the
authentication source?

A. When you want to match Active Directory attributes directly to an enforcement policy.
B. When you want to enable attributes as roles directly without combining multiple attributes
C. When you want to translate and combine Active Directory attributes into ClearPass roles.
D. When you want to match Active Directory attributes to a Aruba firewall role on a Aruba Network
Access Device.

Answer: A

Question: 27

An organization has configured guest self-registration with internal sponsorship Which options can
be configured to send guest users their credentials outside of the initial login web-page? (Select two
)

A. Configure a Short Message Service (SMS) Gateway under ClearPass Guest configuration.
B. Configure the self-registration page for the guest to receive a Simple Mali Transport Protocol
(SMTP) receipt
C. Configure a Short Message Service (SMS) Gateway in ClearPass Policy Manager administration.
D. Configure a Simple Mail Transport Protocol (SMTP) server in ClearPass Guest administration.
E. Configure a Simple Man Transport Protocol (SMTP) server in ClearPass Policy Manager
administration

Answer: AC

Question: 28

What is an effect of the Cache Timeout setting on the authentication source settings for Active
Directory?

A. ClearPass will validate the user credentials, then, for the duration of the cache. ClearPass will just
fetch account attributes.
B. The Cache Timeout is designed to reduce the amount of traffic between ClearPass and the A/D
server by caching the credentials
C. The Cache Timeout is designed to reduce the amount of traffic between ClearPass and the A/D
server by caching the attributes.
D. ClearPass will validate the user credentials on the first attempt, then will always fetch the account
attributes

Answer: A
 Questions & Answers PDF P-14

Question: 29

Which is true regarding the Cisco Device Sensor feature in ClearPass? (Select two.)

A. Requires the purchase of a supported Cisco Access Point licensed as an Aruoa Monitor Mode AP.
to then act as !he sensor
B. Forwards DHCP and HTTP user-agent info to ClearPass using Control and Datagram Transport Layer
Security (DTLS) encapsulation
C. Gathers raw endpoint data from Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol
(LLDP)
D. Forwards DHCP and HTTP user-agent info to ClearPass using RADIUS accounting packets
E. Requires a Cisco Smart Net license to be installed on the Network Access Device (NAD) utilizing the
feature

Answer: DE

Question: 30

Refer to the exhibit.

What does a bold field indicate?

A. The field is currently enabled.

B. The field is a non-system field
C. The field has been customized
D. The field Is required

Answer: D

Question: 31

What is the purpose of service rules in ClearPass? )

A. selects the Posture Policy used with OnGuard

B. selects the Enforcement Profiles used in a service
 Questions & Answers PDF P-15

C. selects the Service to process a request

D. selects the Authentication Source for the client

Answer: D

Question: 32

Refer to the exhibit.

what will be the enforcement for the user "nell"?

A. Corp Secure Contractor

B. Allow Full Access
C. Secure Corp BYOD Access
D. Allow internet Only Access

Answer: C

Question: 33

Which two are required to add a Network Access Device (NAD) into ClearPass? (Select two.)
 Questions & Answers PDF P-16

A. ClearPass Admin login credentials

B. SSH password
C. Shared Secret
D. HTTPS certificate
E. NAD IP address

Answer: CE

Question: 34

Which Authorization Source supports device profile enforcement?

A. OnGuard Repository
B. Endpoints Repository
C. Guest User Repository
D. Local User Repository

Answer: D

Question: 35

DRAG DROP
Match the correct Profiling Collector with the Collector Type. Collector Types may be used more than
once.

Answer:
 Questions & Answers PDF P-17

Question: 36

DRAG DROP
Match the ClearPass system description to the best term Options are used only once.

Answer:
 Questions & Answers PDF P-18

Question: 37

A customer is setting up Guest access with ClearPass. They are considering using 802.1X for both the
Employee network and the Guest network. What are two issues the customer may encounter when
deploying 802 1X with the Guest network? (Select two)

A. the lack of encryption during the authentication process

B. ClearPass win not be able to enforce individual Access Control policies.
C. the high level of complexity for users to join the guest network
D. Guests will not be able to be uniquely identified.
E. difficult to maintain in an environment with a large number of transient guest users

Answer: DE

Question: 38

What needs to be configured for ClearPass use an enforcement rule base on client Data Cap?

A. Interim Accounting on the Network Access Device (NAD).

B. Enable Active Sessions in ClearPass Guest
C. Enable Logging of Accounting Start-Stop packets.
D. Make sure the Endpoint Profiling is configured

Answer: D

Question: 39

Which fingerprint collectors can help to distinguish between an iPhone and an iPad? (Select two.)

A. IF-MAP
B. MAC OUI
C. HTTP
D. TCP header capture
E. SNMP

Answer: AB

Question: 40

What is a function of the posture token in ClearPass OnGuard? (Select two )

A. Identifies clients that are not security compliant

B. Initiates the Auto-Remediation process
 Questions & Answers PDF P-19

C. Controls access to network resources

D. Denies access to unhealthy clients
E. indicates the Health Status of the Client

Answer: CE

Question: 41

When joining ClearPass to an Active Directory (AD) domain, what information is required? (Select
two.)

A. ClearPass Policy Manager (CPPM) enterprise credentials.

B. Domain Administrator credentials with at least read access
C. Domain User credentials with read-write access
D. Cache Timeout value set to at least 10 hours
E. Fully Qualified Domain Name (FQDN) of the AD Domain Controller.

Answer: BE

Question: 42

Which must be taken into account if a customer wants to use the DHCP collector with 802.1X
authentication?

A. Because DHCP fingerprinted is a Layer-3 function, it cannot t>e used with an 802 1X
authentication service.
B. The client needs to be granted limited access before the enforcement policy can take into account
the device type
C. When a client sends an authentication request to ClearPass, the profiler will also gather DHCP
information
D. The client needs to connect to an open network first to be profiled, then shifted to the secure
802.1x network.

Answer: A

Question: 43

Which ClearPass feature assesses endpoint context and client device type?

A. Profiling
B. Posture
C. Captive Portal
D. Onboard

Answer: A
Questions & Answers PDF P-20
 Questions & Answers PDF P-21

Question: 44

Which are valid enforcement profile types? (Select two)

A. Policy Service Enforcement

B. RADIUS Change of Authorization (CoA)
C. Aruba Script Enforcement
D. ClearPass Entity Update Enforcement

Answer: BD

Question: 45

Which statement is true about OnGuard? (Select two.)

A. It is used to identify and remove any malware/viruses

B. It is used to ensure that Antivirus/Antispyware programs are running
C. It supports Doth Windows and Mac OS X clients
D. It only supports 802 1X authentication

Answer: BC

Question: 46

Which configuration options are necessary to add a Network Access Device into the ClearPass Policy
Manager? (Select two.)

A. ClearPass Admin Password

B. https certificate
C. NAD IP Address
D. Shared Secret
E. CLI Console Password

Answer: CD

Question: 47

What happens when a client successfully authenticates but does not match any Enforcement Policy
rules?

A. A RADIUS Accept is returned and the default Enforcement Profile is applied.

B. A RADIUS reject is returned for the client.
C. A RADIUS Accept is retuned, and the default rule is applied to the device.
 Questions & Answers PDF P-22

D. A RADIUS Accept is returned with no Enforcement Profile applied

Answer: A

Question: 48

What is the significance of using the [Allow ALL MAC AUTH] as an Authentication Method for Guests?

A. This removes the reliance on the known or unknown status for MAC authentication.
B. All clients with unknown endpoints will be granted guest access regardless of authorization
C. Client attempts will fail without an additional Authentication method applied.
D. All clients with known endpoints will be granted guest access regardless of authorization.

Answer: A

Question: 49

Refer to the exhibit.

Which user authentication request will match the service rules of the Policy Service shown?

A. a wireless user connecting to any SSID on an Aruba Controller

B. a wireless user connection would fail because of miss-configured service rules
C. a wireless user connected to any SSID named "CORP"
D. a wireless user connecting to an Aruoa lAP on the SSIO "CORP"

Answer: D

Question: 50

What is true regarding Posturing and Profiling?

A. Both Posturing and Profiling describe the same thing, what is the health of the client endpoinst?
B. Profiling describes categorizing the user based on their department while Posturing validates the
user as authenticated
C. Posturing and Profiling are role assignments in ClearPass used internally to map to enforcement
policies.
D. Profiling is the act of identifying the endpoint type while Posturing is assigning a status as to the
 Questions & Answers PDF P-23

health of the endpoint

Answer: A

Question: 51

When using Guest Authentication with MAC Caching service template, which statements are true?
(Select two.)

A. The guest authentication is provided better security than without using MAC caching
B. The guest authentication is provided better security than without using MAC caching
C. The endpoint status of the client will be treated as "known" the first time the client associates to
the network
D. Which wireless SSID and wireless controller must be indicated when configuring the template
E. The client will be required to re-enter their credentials even if still within the MAC-Auth Expiry
term

Answer: CE

Question: 52

Your boss suggests configuring a guest self-registration page in ClearPass for an upcoming conference
event. What are the benefits of using guest serf-registration'? (Select two)

A. This strategy effectively stops employees from putting their own corporate devices on the guest
network.
B. This will enable additional information to be gathered about guests during the conference.
C. This allows guest users to create and manage their own login account.
D. This will allow employee personal devices to be Onboarded to the corporate network
E. This will allow conference employees to pre-load additional device information as guests arrive
and register

Answer: BC

Question: 53

Refer to the exhibit.

 Questions & Answers PDF P-24

A user connects to an Aruba Access Point wireless SSID named 'Secure-Corporate" and performs an
802 1X authentication with ClearPass as the authentication server
Based on this service configuration, which service will be triggered?

A. Service One
B. Service Two
C. Service Three
D. No service will be triggered

Answer: C

Question: 54

DRAG DROP
Select all that apply
Match the security description to the term that best fits. Options are used only once.
 Questions & Answers PDF P-25

Answer:

Question: 55

Refer to the exhibit.

What does Starch Base Dn do when joining an Active Directory domain? {Select two.)

A. sets the starting point in the directory tree for the Base DN (Distinguished Name) search
B. searches for the Base DN (Distinguished Name) based on what was typed in the field
C. runs an Active Directory query that returns all results along with any matching the entered Base
DN (Distinguished Name)
D. validates the connection details entered in the Connection Details
E. updates the Base DN (Distinguished Name) in Active Directory if no match is found

Answer: DE

Question: 56

Which option supports DHCP profiling for devices in a network?

A. Configuring DHCP relay on ClearPass in order to allow the client to receive DHCP after being
profited
 Questions & Answers PDF P-26

B. Enabling DHCP relay on Network Access Devices (NADs) to forward DHCP requests to ClearPass
C. DHCP profiling is enabled on ClearPass by default configuration of DHCP relay on the Network
Access Device (NAD) is not required
D. Enabling the DHCP server to profile endpoints and forward the meta-data to Clearpass.

Answer: AB

Question: 57

What are benefits of using Network Device Groups in ClearPass? (Select two.)

A. Allows Service selection rules to match based upon which Network Device Group the Network
Access Device (NAD) belongs to
B. Network Access Devices (NADs) only require Aruba factory installed certificates to join a Network
Device Group
C. A Network Access Device is must be discovered by ClearPass prior to be added to a Network
Device Group
D. Another way to add a customizable "attribute" field to reference when processing authentication
requests
E. Can apply to both Network Access Devices (NADs) as wen as client machines as a way to filter
authentication requests

Answer: B

Question: 58

An organization wants guests to be able to create their own guest accounts for access to the public
WLAN Guests do not want to have to repeatedly tog in multiple times through the day Which
clearPass feature can meet these requirements?

A. Enforcement based on endpoint profiling

B. Guest access with Media Access Control (MAC) caching
C. ClearPass Onboard Portal.
D. Guest self-registration with sponsor approval

Answer: C

Question: 59

An organization with 345 employees wants to have the guest create their own accounts for access to
the public WLAN. and when guests reconnect they do not want the guest to have to tog in again
Which ClearPass features can be used to meet these requirements?

A. ClearPass Onboard Portal

B. Guest access with MAC caching
C. Guest serf-registration with sponsor approval
 Questions & Answers PDF P-27

D. Enforcement based on endpoint profiling

Answer: B

Question: 60

A customer with 985 employees would like to authenticate employees using a captive portal guest
web login page Employees should use their AD credentials to login on this page
Which statement is true?

A. The customer needs to add second guest service in the policy manager for the guest network.
B. The customer needs to add the AD server as an authentication source in a guest service
C. Employees must be taken to a separate web login page on the guest network
D. The customer needs to add the AD servers RADIUS certificate to the guest network.

Answer: B