[Jan-2022] HPE6-A77 Exam Dumps Pass with Updated 2022 Aruba Certified ClearPass Expert Written Exam
Free HPE6-A77 Exam Dumps to Pass Exam Easily
NEW QUESTION 13
A customer has a ClearPass cluster deployment with four servers, two servers at the data center and two servers at a large remote site connected over an SD-WAN solution. The customer would like to implement OnGuard, Guest Self-Registration, and 802.1X authentication across their entire environment. During testing, the customer is complaining that users connecting to an Instant Cluster Employee SSID at the remote site, with the OnGuard Persistent Agent installed, are randomly getting their health check missed.
What could be a possible cause of this behavior?
- A. The OnGuard Clients are automatically mapped to the Policy Manager Zone based on their IP range but an ACL on the switch could be blocking access.
- B. The traffic on the TCP port 6658 is congested due to the fact that this port is also used by the IPsec keep-alive packets of the SD-WAN solution.
- C. The Aruba-user-role received by the IAP is filtering the TCP port 6658 to the ClearPass servers and after 10 seconds the SSL fallback gets activated and randomly generates the issue.
- D. The ClearPass Policy Manager zones have been defined but the local IP subnets have not been properly mapped to the zones and the OnGuard Agent might connect to any of the servers in the cluster.
Answer: C
NEW QUESTION 14
Refer to the exhibit:
A customer has configured Onboard in a cluster with two nodes. All devices were onboarded in the network through node1, but those clients fail to authenticate through node2 with the error shown. What steps would you suggest to make provisioning and authentication work across the entire cluster? (Select three.)
- A. Configure the Onboard Root CA to trust the Policy Manager EAP certificate root.
- B. Have all of the BYOD clients disconnect and reconnect to the network
- C. Make sure that the HTTPS certificate on both nodes is issued as a Code Signing certificate
- D. Make sure that the EAP certificates on both nodes are issued by one common root Certificate Authority (CA).
- E. Have all of the BYOD clients re-run the Onboard process
- F. Configure the Network Settings in Onboard to trust the Policy Manager EAP certificate
Answer: A,D,F
NEW QUESTION 15
Refer to the exhibit:
A customer has just configured a Posture Policy and the T2-Healthcheck Service. Next they installed the OnGuard Agent on Secure_Employee SSID. When they check Access Tracker they see many WEBAUTH requests are being triggered.
What could be the reason?
- A. TCP port 6658 is not allowed between the client and the ClearPass server
- B. The OnGuard Agent triggers the events based on changing the Health Status
- C. OnGuard Web-Based Health Check interval has been wrongly configured to three minutes.
- D. The OnGuard Agent is connecting to the Data Port interface on ClearPass
Answer: C
NEW QUESTION 16
Refer to the exhibit:
A customer with multiple Aruba Controllers has just installed a new certificate for "*.customerdomain.com" on all Aruba Controllers. While testing the existing guest Self-Registration page, the customer noticed that the logins are failing. While troubleshooting, they are finding no entries in the Event Viewer or Access Tracker for the tests. Suspecting that the Aruba Controllers may not be properly posting the credentials from the guest browser, they open the NAS Vendor Settings for the Guest Self-Registration Page. From the screen shown, how can you fix the errors?
- A. Change the "Secure Login:" field to "Use Vendor Default".
- B. Change the "IP Address:" field to "securelogin.customerdomain.com".
- C. Change the "IP Address:" field to "captiveportal-login.customerdomain.com".
- D. Add PTR records on the DNS server for "securelogin.arubanetworks.com".
Answer: A
NEW QUESTION 17
A corporate ClearPass Cluster with two servers located at a single site, has both Management and Data port IP addresses configured. The Management port IPs are in the DataCenter networks subnet, while the Data port IPs are in the DMZ. What is the difference between using one Virtual IP for the AAA traffic versus sending AAA requests to the physical IPs for each server? (Select two.)
- A. The Individual IPs can provide failover and load balancing.
- B. Using the one Virtual IP can provide failover and load balancing.
- C. The failover can be accomplished only by using Virtual IP.
- D. By using the Virtual IP, the failover convergence is faster than using individual server IPs.
- E. One Virtual IP can be used together with the individual server IPs for load balancing.
Answer: A,B
NEW QUESTION 18
Refer to the exhibit:



Your company has a postgres SQL database with the MAC addresses of the company-owned tablets. You have configured a role mapping condition to tag the SQL devices. When one of the tablets connects to the network, it does not get the correct role and receives a deny access profile.
How would you resolve the issue?
- A. Enable authorization tab in the service and add the SQL server as an authorization source.
- B. Add the SQL server as an authentication source and map it under the authentication tab in the service.
- C. Remove SQL condition from role mapping policy and add it under the enforcement policy conditions.
- D. Edit the SQL authentication source filter attributes and modify the SQL server filter query.
Answer: D
NEW QUESTION 19
A customer would like to allow only the AD users with the "Manager" title from the "HQ" location to Onboard their personal devices. Any other AD users should not be authorized to pass beyond the initial device provisioning page. Which Onboard service will you use to implement this requirement?
- A. Onboard Provisioning service
- B. Onboard Pre-Auth service
- C. Onboard Authorization service
- D. Onboard CP login service
Answer: D
NEW QUESTION 20 
What are valid options for Network Access Device Settings? (Select two.)
- A. On the Attributes tab, you can enable the service to write attributes like Location and Device type based on policy.
- B. You can configure SNMP Write Settings to send commands to the devices that do not support other methods.
- C. You can configure SNMP Read Settings to monitor the load of a NAD in order not to overload it with the requests.
- D. The OnConnect Enforcement allows you to enable specific ports that trigger Enforcement when any device connects.
- E. In CLI settings, you can define the access credentials and the command templates that will be used.
Answer: A,D
NEW QUESTION 21
A customer has completed all the required configurations in the Windows server in order for Active Directory Certificate Services (ADCS) to sign Onboard device TLS certificates. The Onboard portal and the Onboard services are also configured. Testing shows that the client certificates are still signed by the Onboard Certificate Authority and not ADCS.
How can you help the customer with the situation?
- A. Configure the identity certificate signer as Active Directory Certificate Services and enter the ADCS URL http://ADCSWebEnrollmentServerhostname/certsrv in the Onboard Provisioning settings.
- B. Enable access to SCEP servers from the Certificate Authority to make ClearPass Onboard use the Active Directory Certificate Services (ADCS) web enrollment to sign the device TLS certificates.
- C. Educate the customer that, when integrating with Active Directory Certificate Services (ADCS), the Onboard CA will be the same authority used for signing the final TLS certificate of the device.
- D. Enable access to EST servers from the Certificate Authority to make ClearPass Onboard use the Active Directory Certificate Services (ADCS) web enrollment to sign the device TLS certificates.
Answer: D
NEW QUESTION 22
You are deploying ClearPass Policy Manager with Guest functionality for a customer with multiple Aruba Networks Mobility Controllers. The customer wants to avoid SSL errors during guest access but, due to company security policy, cannot use a wildcard certificate on ClearPass or the Controllers.
What is the most efficient way to configure the customer's guest solution? (Select two.)
- A. Install multiple public certificates with a different Common Name on each controller
- B. Install the same public certificate on all Controllers with the common name "controller {company domain}"
- C. Build one Web Login page with vendor settings for controller {company domain}
- D. Build multiple Web Login pages with vendor settings configured for each controller
Answer: B,D
NEW QUESTION 23
Refer to the exhibit:

You are configuring an 802.1X service with endpoint profiling. When the client connects to the network, ClearPass successfully profiles the client and sends Radius Change of Authorization (RCoA), but Radius Change of Authorization (RCoA) fails for the client. You manually clicked on the Change Status button in the Access Tracker to force an RCoA, but that failed too.
What must you check to ensure that the RCoA will work? (Select two.)
- A. RFC 3576 option is enabled for Aruba Controller under Network Device in ClearPass.
- B. The RFC 3576 shared secret on ClearPass should match the Authentication Server shared secret
- C. RFC 3576 server IPs and the Authentication server IPs should be same in the AAA profile
- D. RFC 3576 server should be mapped in the server group on the Aruba Controller
Answer: A,B
NEW QUESTION 24
A customer has acquired another company that has its own Active Directory infrastructure. The 802.1X authentication works with the customer's original Active Directory servers, but the customer would like to authenticate users from the acquired company as well. What steps are required, in regards to the Authentication Sources, in order to support this request? (Select two.)
- A. There is no need to Join ClearPass to the new AD domain.
- B. Create a new Authentication Source, type Active Directory.
- C. Add the new AD server(s) as backup into the existing Authentication Source.
- D. Create a new Authentication Source, type Generic LDAP.
- E. Join the ClearPass server(s) to the new AD domain.
Answer: A,E
NEW QUESTION 25
You have integrated ClearPass Onboard with Active Directory Certificate Services (ADCS) web enrollment to sign the final device TLS certificates. The Onboard provisioning process completes successfully, but when the user finally clicks connect, the user fails to connect to the network with an unknown_ca certificate error.
What steps will you follow to complete the requirement?
- A. Make sure that the ClearPass servers are using the default self-signed certificates for both SSL and RADIUS server identity
- B. Make sure both the ClearPass servers have different certificates used for both SSL and RADIUS server identity.
- C. Export the self-signed certificate from the ClearPass servers and manually add them as trusted certificates in clients
- D. Add the ADCS root certificate to both the CPPM Certificate trust list and to the Onboard Certificate Store trust list
Answer: A
NEW QUESTION 26
Refer to the exhibit:



A customer has configured the Aruba Controller for administrative authentication using ClearPass as a TACACS server. During testing, the read-only user is getting the root access role. What could be a possible reason for this behavior? (Select two.)
- A. The read-only enforcement profile is mapped to the root role
- B. The Controller Server Group Match Rules are changing the user role
- C. On the Controller, the TACACS authentication server is not configured for Session authorization
- D. The ClearPass user role associated to the read-only user is wrong
- E. The Controller's Admin Authentication Options Default role is mapped to root.
Answer: B,C
NEW QUESTION 27
Refer to the exhibit:

A customer has configured a service with the Onboard Devices Repository as an Authentication Source and an Active Directory Domain Server as an Authorization Source. What will happen if the client certificate is still valid and the user account associated with the certificate is disabled in Active Directory?
- A. ClearPass will block network access to the device
- B. ClearPass will allow the device to access the network.
- C. Enforcement will apply the [Deny Access Profile]
- D. ClearPass will redirect the client to Onboard again
- E. ClearPass will not process the request
Answer: A
NEW QUESTION 28
A customer is looking to implement a Web-Based Health Check solution with the following requirements:
* for the HR user's client devices, check if a USB stick is mounted.
* for the R&D user's client devices, check if the hard disk is fully encrypted.
The Web-Based Health Check service has been configured, but the customer is not sure how to design the Profile Policy. How can this customer request be accomplished?
- A. create two Posture Policies and customize the OnGuard Agent (Persistent or Dissolvable) to select the correct SHV checks
- B. create two Posture Policies and use the Restrict by Roles option to filter for HR and R&D user roles and apply the correct SHV checks
- C. create one Posture Policy and define Rules Conditions that will apply different Tokens for each SHV check condition
- D. create one Posture Policy to check the HR users client devices and use the NAP Agent to check R&D users client devices
Answer: A
NEW QUESTION 29
Refer to the exhibit:


The customer configured an 802.1x service with different enforcement actions for personal and corporate laptops. The corporate laptops are always being redirected to the BYOD Portal. The customer has sent you the above screenshots.
How would you resolve the issue? (Select two)
- A. Modify the enforcement policy and change the rule evaluation algorithm to select first match
- B. Modify the enforcement policy and re-order the condition with posture not_equals to healthy as the sixth condition
- C. Remove the EAP-PEAP with [user authenticated] condition for Onboard and create another service
- D. Modify the enforcement policy and re-order the EAP-PEAP with [user authenticated] rule to the last condition.
- E. Modify the enforcement policy and re-order the condition with Posture - Unknown as the fifth condition
Answer: D,E
NEW QUESTION 30
A customer has deployed an OnGuard Solution to all the corporate devices using a group policy rule to push the OnGuard Agents. The network administrator is complaining that some of the agents are communicating to the ClearPass server that is located in a DMZ, outside the firewall. The network administrator wants all of the agents' System Health Validation traffic to stay inside the Management subnets.
What can the ClearPass administrator do to move the traffic only to the ClearPass Management Ports?
- A. Filter TCP port 6658 on the firewall, forcing the OnGuard agent to use the ClearPass Management port.
- B. Edit the agent.conf file being deployed to the clients to use the ClearPass Management Port for SHV updates.
- C. Configure a Policy Manager Zone mapping so the OnGuard agent will use the Management Port IP.
- D. Select the correct OnGuard Agent installer, and use the one configured for Management Port for the clients.
Answer: C
NEW QUESTION 31
A customer has configured Onboard with Single SSID provision for Aruba IAP. Windows devices work as expected, but the customer cannot get the Apple iOS devices to work. The Apple iOS devices automatically get redirected to a blank page and do not get the Onboard portal page. What would you check to fix the issue?
- A. Verify if the Onboard URL is updated correctly in the external captive portal profile.
- B. Verify if Onboard Pre-Provisioning enforcement profile sends the correct Aruba user role.
- C. Verify if the checkbox "Enable bypassing the Apple Captive Network Assistant" is checked.
- D. Verify if the external captive portal profile is enabled to use HTTPS with port 443.
Answer: A
NEW QUESTION 32
Refer to the exhibit:



A customer is trying to configure a TACACS Authentication Service for administrative access to the Aruba Controller. During testing, the authentication is not successful. Given the screenshot, what could be the reason for the Login status REJECT?
- A. The password used by the administrative user,user is wrong.
- B. The Read-only Administrator role does not exist on the Controller.
- C. The Enforcement profile is not designed to be used on Aruba Controller.
- D. The Enforcement profile used is not a TACACS profile.
Answer: A