HPE6-A68 Aruba Certified ClearPass Professional (ACCP) 6.7 Questions and Answers

Guest User Repository and Active Directory server both as authentication sources

Active Directory server as the authentication source, and Guest User Repository as the authorization source

Guest User Repository as the authentication source, and Guest User Repository and Active Directory server as authorization sources

Either the Guest User Repository or Active Directory server should be the single authentication source

Guest User Repository as the authentication source and the Active Directory server as the authorization source

to send information via RADIUS packets to Aruba NADs

to gather and send Aruba NAD information to ClearPass

to send information via RADIUS packets to clients

to gather information about Aruba NADs for ClearPass

to send CoA packets from ClearPass to the Aruba NAD

Subscriber in the main data center

Publisher in the regional office

Any of the other three Publishers

Publisher in the mid-size branch

Publisher in the DMZ

10 ClearPass Guest licenses, 10 ClearPass Onguard licenses and 10 ClearPass Onboard licenses

25 ClearPass Profiler licenses

25 ClearPass Enterprise licenses

10 ClearPass Enterprise licenses

25 ClearPass Redundancy licenses

Certificate Signing Request

Binary encoded X.509 certificate

Binary encoded X.509 certificate with public key

Certificate with an encrypted private key

Certificate chain

RADIUS Authentications will fail because the wired switch will not be able to reach the ClearPass server.

During RADIUS Authentication, certificate exchange between the wired switch and ClearPass will fail.

RADIUS Authentications will timeout because the wired switch will not be able to reach the ClearPass server.

RADIUS Authentication will succeed, but Post-Authentication Disconnect-Requests from ClearPass to the wired switch will not be delivered.

RADIUS Authentication will succeed, but RADIUS Access-Accept messages from ClearPass to the wired switch for Change of Role will not be delivered.

RestrictedACL

Remote Employee ACL

[Deny Access Profile]

EMPLOYEE_VLAN

HR VLAN

DHCP server IP

Active Directory IP

Switch IP

Microsoft NPS server IP

ClearPass server IP

Username and Password

Pre-shared key

WPA2-PSK

Server Certificate

Client Certificate

Executive

iOS Device

Vendor

Remote Employee

HR Local

It will send the Session-Timeout attribute in the RADIUS Access-Request packet to the NAD and the NAD will end the user’s session after 600 seconds.

It will send the Session-Timeout attribute in the RADIUS Access-Accept packet to the User and the user’s session will be terminated after 600 seconds.

It will count down 600 seconds and send a RADUIS CoA message to the NAD to end the user’s session after this time is up.

It will count down 600 seconds and send a RADUIUS CoA message to the user to end the user’s session after this time is up.

It will send the session –Timeout attribute in the RADIUS Access-Accept packet to the NAD and the NAD will end the user’s session after 600 seconds.

Enable sponsor approval confirmation in Receipt actions.

Configure SMTP messaging in the Policy Manager.

Configure a MAC caching service in the Policy Manager.

Configure a MAC auth service in the Policy Manager.

Enable sponsor approval in the captive portal authentication profile on the NAD.

If HTTPS is used for the web login page, after authentication is completed guest Internet traffic will all be encrypted as well.

During web login authentication, if HTTPS is used for the web login page, guest credentials will be

encrypted.

After authentication, an IPSEC VPN on the guest’s client be used to encrypt Internet traffic.

HTTPS should never be used for Web Login Page authentication.

If HTTPS is used for the web login page, after authentication is completed some guest Internet traffic may be unencrypted.

EAP-GTC

PAP

EAP-TLS

CHAP

PEAP with MSCHAPv2

Aruba Controller

LDAP server

Cisco Controller

Active Directory

Aruba Mobility Access Switch

IOS 5

Laptop running Mac OS X 10.8

Laptop running Mac OS X 10.6

Android 2.2

Windows XP

Only the attribute values of department and memberOf can be used in role mapping policies.

The attribute values of department, title, memberOf, telephoneNumber, and mail are directly applied as ClearPass.

Only the attribute value of company can be used in role mapping policies, not the other attributes.

The attribute values of department and memberOf are directly applied as ClearPass roles.

Only the attribute values of title, telephoneNumber, and mail can be used in role mapping policies.

after the user clicks the login button and after the NAD sends an authentication request

after the user self-registers but before the user logs in

after the user clicks the login button but before the NAD sends an authentication request

when a user is re-authenticating to the network

before the user self-registers

Endpoints repository

Onboard Device repository

MDM repository

Guest User repository

Local User repository

It will be visible in the Guest User Repository with Unknown Status

It will be deleted from the Endpoint table.

It will be visible in the Guest User Repository with Known Status.

It will be visible in the Endpoints table with Known Status.

It will be visible in the Endpoints table with Unknown Status.

The ClearPass server has a trusted server certificate issued by Verisign.

The ClearPass server has an untrusted server certificate issued by the internal Microsoft Certificate server.

The ClearPass server does not recognize the client’s certificate.

The DNS server is not replying with an IP address for www.google.com.

radius01 was deleted from the list of authentication sources.

The policy service was moved to position number 4.

radius01 was moved to position number 4.

The policy service was moved to position number 3.

raduis01 was added as an authentication source.

to audit client authentications

to display changes made to the ClearPass configuration

to display the entire configuration of the ClearPass Policy Manager

to audit the network for PCI compliance

to display system events like high CPU usage.

It will be stored in the Publisher’s guest user repository and the Subscriber’s Onboard user repository.

It will be stored in the Publisher’s local user repository and the Subscriber’s guest user repository.

It will be stored in the Publisher’s guest user repository permanently, but only for 14 days in the Subscriber’s guest user repository,

It will be stored in both the Publisher’s guest user repository and the Subscriber’s guest user repository.

It will be stored in the Publisher’s guest user repository, but not the Subscriber’s.

During dual SSID onboarding, when the client connects to the Guest network

During EAP-PEAP authentication in single SSID onboarding

During post-Onboard EAP-TLS authentication, when the client verifies the server certificate

During Onboard Web Login Pre-Auth, when the client loads the Onboarding web page

During post-Onboard EAP-TLS authentication, when the server verifies the client certificate

To send a RADIUS CoA message from the ClearPass server to the client

To disconnect the user for 30 seconds when they are in an unhealthy posture state

To blacklist the user when they are in an unhealthy posture state

To force the user to re-authenticate and run through the service flow again

To remediate the client applications and firewall do that updates can be installed

The test verifies that a client with username test1 can authenticate using EAP-PEAP.

Role mapping simulation verifies if the remote lab AD has the ClearPass server certificate.

Role mapping simulation verifies that the client certificate is valid during EAP-TLS authentication.

The simulation test result shows the firewall roles assigned to the client by the Aruba Controller.

The roles assigned in the results tab are based on rules matched in the AD Role Mapping Policy.

The amount of time the Policy Manager caches the user credentials stored in the Active Directory.

The amount of time the Policy Manager waits for a response from the Active Directory before checking the backup authentication source.

The amount of time the Policy Manager caches the user attributes fetched from Active Directory.

The amount of time the Policy Manager waits for response from the Active Directory before sending a timeout message to the Network Access Device.

The amount of time the Policy Manager caches the user\s client certificate.

EAP-TLS Authentication will be unaffected

The user can Onboard their device again

A new device certificate will be automatically pushed out to the device

The user cannot Onboard their device again

EAP-TLS Authentication will fail

Mobile device Management is the result of Onboarding.

Third party Mobile Device Management solutions can be integrated with ClearPass.

Mobile Device Management is the authentication that happens before Onboarding.

Mobile Device Management is an application container that is used to provision work applications.

Mobile Device Management is used to control device functions post-Onboarding.

The user account has expired.

The client used a wrong password.

The shared secret between the NAD and ClearPass does not match.

The user’s certificate is invalid.

The user is not found in the database.