Month End Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

HPE6-A78 Aruba Certified Network Security Associate Exam Questions and Answers

Questions 4

What is one of the policies that a company should define for digital forensics?

Options:

A.

which data should be routinely logged, where logs should be forwarded, and which logs should be archived

B.

what are the first steps that a company can take to implement micro-segmentation in their environment

C.

to which resources should various users be allowed access, based on their identity and the identity of their clients

D.

which type of EAP method is most secure for authenticating wired and wireless users with 802.1

Buy Now
Questions 5

You have been asked to send RADIUS debug messages from an AOS-CX switch to a central SIEM server at 10.5.15.6. The server is already defined on the switch with this command:

logging 10.5.15.6

You enter this command:

debug radius all

What is the correct debug destination?

Options:

A.

file

B.

console

C.

buffer

D.

syslog

Buy Now
Questions 6

You have detected a Rogue AP using the Security Dashboard Which two actions should you take in responding to this event? (Select two)

Options:

A.

There is no need to locale the AP If you manually contain It.

B.

This is a serious security event, so you should always contain the AP immediately regardless of your company's specific policies.

C.

You should receive permission before containing an AP. as this action could have legal Implications.

D.

For forensic purposes, you should copy out logs with relevant information, such as the time mat the AP was detected and the AP's MAC address.

E.

There is no need to locate the AP If the Aruba solution is properly configured to automatically contain it.

Buy Now
Questions 7

What is a correct guideline for the management protocols that you should use on AOS-CX switches?

Options:

A.

Make sure that SSH is disabled and use HTTPS instead.

B.

Make sure that Telnet is disabled and use SSH instead.

C.

Make sure that Telnet is disabled and use TFTP instead.

D.

Make sure that HTTPS is disabled and use SSH instead.

Buy Now
Questions 8

You have enabled 802.1X authentication on an AOS-CX switch, including on port 1/1/1. That port has these port-access roles configured on it:

    Fallback role = roleA

    Auth role = roleB

    Critical role = roleCNo other port-access roles are configured on the port. A client connects to that port. The user succeeds authentication, and CPPM does not send an Aruba-User-Role VSA.What role does the client receive?

Options:

A.

The client receives roleC.

B.

The client is denied access.

C.

The client receives roleB.

D.

The client receives roleA.

Buy Now
Questions 9

You have been asked to rind logs related to port authentication on an ArubaOS-CX switch for events logged in the past several hours But. you are having trouble searching through the logs What is one approach that you can take to find the relevant logs?

Options:

A.

Add the "-C and *-c port-access" options to the "show logging" command.

B.

Configure a logging Tiller for the "port-access" category, and apply that filter globally.

C.

Enable debugging for "portaccess" to move the relevant logs to a buffer.

D.

Specify a logging facility that selects for "port-access" messages.

Buy Now
Questions 10

What distinguishes a Distributed Denial of Service (DDoS) attack from a traditional Denial or service attack (DoS)?

Options:

A.

A DDoS attack originates from external devices, while a DoS attack originates from internal devices

B.

A DDoS attack is launched from multiple devices, while a DoS attack is launched from a single device

C.

A DoS attack targets one server, a DDoS attack targets all the clients that use a server

D.

A DDoS attack targets multiple devices, while a DoS Is designed to Incapacitate only one device

Buy Now
Questions 11

A company has AOS-CX switches deployed in a two-tier topology that uses OSPF routing at the core.

You need to prevent ARP poisoning attacks. To meet this need, what is one technology that you could apply to user VLANs on access layer switches? (Select two.)

Options:

A.

ARP inspection

B.

OSPF passive interface

C.

BPDU guard (protection)

D.

DHCPv4 snooping

E.

BPDU filtering

Buy Now
Questions 12

HPE6-A78 Question 12

An admin has created a WLAN that uses the settings shown in the exhibits (and has not otherwise adjusted the settings in the AAA profile) A client connects to the WLAN Under which circumstances will a client receive the default role assignment?

Options:

A.

The client has attempted 802 1X authentication, but the MC could not contact the authentication server

B.

The client has attempted 802 1X authentication, but failed to maintain a reliable connection, leading to a timeout error

C.

The client has passed 802 1X authentication, and the value in the Aruba-User-Role VSA matches a role on the MC

D.

The client has passed 802 1X authentication and the authentication server did not send an Aruba-User-Role VSA

Buy Now
Questions 13

Which scenario requires the Aruba Mobility Controller to use a Server Certificate?

Options:

A.

Obtain downloadable user roles (DURs) from ClearPass.

B.

Synchronize its clock with an NTP server that requires authentication.

C.

Use RadSec for enforcing 802.1X authentication to ClearPass.

D.

Use RADIUS for enforcing 802.1X authentication to ClearPass.

Buy Now
Questions 14

A company has added a new user group. Users in the group try to connect to the WLAN and receive errors that the connection has no Internet access. The users cannot reach any resources. The first exhibit shows the record for one of the users who cannot connect. The second exhibit shows the role to which the ArubaOS device assigned the user's client.

What is a likely problem?

Options:

A.

The ArubaOS device has a server derivation rule configured on it that has overridden the role sent by CPPM.

B.

The ArubaOS device does not have the correct RADIUS dictionaries installed on it to under-stand the Aruba-User-Role VSA.

C.

The role name that CPPM is sending does not match the role name configured on the Aru-baOS device.

D.

The clients rejected the server authentication on their side because they do not have the root CA for CPPM's RADIUS/EAP certificate.

Buy Now
Questions 15

What is one benefit of enabling Enhanced Secure mode on an ArubaOS-Switch?

Options:

A.

Control Plane policing rate limits edge ports to mitigate DoS attacks on network servers.

B.

A self-signed certificate is automatically added to the switch trusted platform module (TPM).

C.

Insecure algorithms for protocol such as SSH are automatically disabled.

D.

All interfaces have 802.1X authentication enabled on them by default.

Buy Now
Questions 16

You configure an ArubaOS-Switch to enforce 802.1X authentication with ClearPass Policy Manager (CPPM) denned as the RADIUS server Clients cannot authenticate You check Aruba ClearPass Access Tracker and cannot find a record of the authentication attempt.

What are two possible problems that have this symptom? (Select two)

Options:

A.

users are logging in with the wrong usernames and passwords or invalid certificates.

B.

Clients are configured to use a mismatched EAP method from the one In the CPPM service.

C.

The RADIUS shared secret does not match between the switch and CPPM.

D.

CPPM does not have a network device defined for the switch's IP address.

E.

Clients are not configured to trust the root CA certificate for CPPM's RADIUS/EAP certificate.

Buy Now
Questions 17

What is a correct description of a stage in the Lockheed Martin kill chain?

Options:

A.

In the delivery stage, the hacker delivers malware to targeted users, often with spear phishing methods.

B.

In the installation phase, hackers seek to install vulnerabilities in operating systems across the network.

C.

In the weaponization stage, malware installed in the targeted network seeks to attack intrusion prevention systems (IPS).

D.

In the exploitation phase, hackers conduct social engineering attacks to exploit weak algorithms and crack user accounts.

Buy Now
Questions 18

An organization has HPE Aruba Networking infrastructure, including AOS-CX switches and an AOS-8 mobility infrastructure with Mobility Controllers (MCs) and APs. Clients receive certificates from ClearPass Onboard. The infrastructure devices authenticate clients to ClearPass Policy Manager (CPPM). The company wants to start profiling clients to take their device type into account in their access rights.

What is a role that CPPM should play in this plan?

Options:

A.

Assigning clients to their device categories

B.

Helping to forward profiling information to the component responsible for profiling

C.

Accepting and enforcing CoA messages

D.

Enforcing access control decisions

Buy Now
Questions 19

What is one way a honeypot can be used to launch a man-in-the-middle (MITM) attack to wireless clients?

Options:

A.

It uses ARP poisoning to disconnect wireless clients from the legitimate wireless network and force clients to connect to the hacker’s wireless network instead.

B.

It runs an NMap scan on the wireless client to find the client's MAC and IP address. The hacker then connects to another network and spoofs those addresses.

C.

It uses a combination of software and hardware to jam the RF band and prevent the client from connecting to any wireless networks.

D.

It examines wireless clients' probes and broadcasts the SSIDs in the probes, so that wireless clients will connect to it automatically.

Buy Now
Questions 20

How can hackers implement a man-in-the-middle (MITM) attack against a wireless client?

Options:

A.

The hacker uses a combination of software and hardware to jam the RF band and prevent the client from connecting to any wireless networks.

B.

The hacker runs an NMap scan on the wireless client to find its MAC and IP address. The hacker then connects to another network and spoofs those addresses.

C.

The hacker connects a device to the same wireless network as the client and responds to the client’s ARP requests with the hacker device’s MAC address.

D.

The hacker uses spear-phishing to probe for the IP addresses that the client is attempting to reach. The hacker device then spoofs those IP addresses.

Buy Now
Questions 21

A company has Aruba Mobility Controllers (MCs), Aruba campus APs, and ArubaOS-CX switches. The company plans to use ClearPass Policy Manager (CPPM) to classify endpoints by type. The company is contemplating the use of ClearPass’s TCP fingerprinting capabilities.

What is a consideration for using those capabilities?

Options:

A.

ClearPass admins will need to provide the credentials of an API admin account to configure on Aruba devices.

B.

You will need to mirror traffic to one of CPPM's span ports from a device such as a core routing switch.

C.

ArubaOS-CX switches do not offer the support necessary for CPPM to use TCP fingerprinting on wired endpoints.

D.

TCP fingerprinting of wireless endpoints requires a third-party Mobility Device Management (MDM) solution.

Buy Now
Questions 22

How can ARP be used to launch attacks?

Options:

A.

Hackers can use ARP to change their NIC's MAC address so they can impersonate legiti-mate users.

B.

Hackers can exploit the fact that the port used for ARP must remain open and thereby gain remote access to another user's device.

C.

A hacker can use ARP to claim ownership of a CA-signed certificate that actually belongs to another device.

D.

A hacker can send gratuitous ARP messages with the default gateway IP to cause devices to redirect traffic to the hacker's MAC address.

Buy Now
Questions 23

What is one of the roles of the network access server (NAS) in the AAA framework?

Options:

A.

It negotiates with each user’s device to determine which EAP method is used for authentication.

B.

It determines which resources authenticated users are allowed to access and monitors each user’s session.

C.

It enforces access to network services and sends accounting information to the AAA server.

D.

It authenticates legitimate users and uses policies to determine which resources each user is allowed to access.

Buy Now
Questions 24

You have a network with AOS-CX switches for which HPE Aruba Networking ClearPass Policy Manager (CPPM) acts as the TACACS+ server. When an admin authenticates, CPPM sends a response with:

    Aruba-Priv-Admin-User = 1

    TACACS+ privilege level = 15What happens to the user?

Options:

A.

The user receives auditors access.

B.

The user receives no access.

C.

The user receives administrators access.

D.

The user receives operators access.

Buy Now
Questions 25

You have an HPE Aruba Networking Mobility Controller (MC) that is locked in a closet. What is another step that HPE Aruba Networking recommends to protect the MC from unauthorized access?

Options:

A.

Set the local admin password to a long random value that is unknown or locked up securely.

B.

Disable local authentication of administrators entirely.

C.

Change the password recovery password.

D.

Use local authentication rather than external authentication to authenticate admins.

Buy Now
Questions 26

HPE6-A78 Question 26

A company has an Aruba Instant AP cluster. A Windows 10 client is attempting to connect a WLAN that enforces WPA3-Enterprise with authentication to ClearPass Policy Manager (CPPM). CPPM is configured to require EAP-TLS. The client authentication fails. In the record for this client’s authentication attempt on CPPM, you see this alert.

What is one thing that you check to resolve this issue?

Options:

A.

whether the client has a third-party 802.1 X supplicant, as Windows 10 does not support EAP-TLS

B.

whether the client has a valid certificate installed on it to let it support EAP-TLS

C.

whether EAP-TLS is enabled in the SSID Profile settings for the WLAN on the IAP cluster

D.

whether EAP-TLS is enabled in the AAA Profile settings for the WLAN on the IAP cluster

Buy Now
Questions 27

What is a Key feature of me ArubaOS firewall?

Options:

A.

The firewall is stateful which means that n can track client sessions and automatically allow return traffic for permitted sessions

B.

The firewall Includes application layer gateways (ALGs). which it uses to filter Web traffic based on the reputation of the destination web site.

C.

The firewall examines all traffic at Layer 2 through Layer 4 and uses source IP addresses as the primary way to determine how to control traffic.

D.

The firewall is designed to fitter traffic primarily based on wireless 802.11 headers, making it ideal for mobility environments

Buy Now
Questions 28

What is an example or phishing?

Options:

A.

An attacker sends TCP messages to many different ports to discover which ports are open.

B.

An attacker checks a user’s password by using trying millions of potential passwords.

C.

An attacker lures clients to connect to a software-based AP that is using a legitimate SSID.

D.

An attacker sends emails posing as a service team member to get users to disclose their passwords.

Buy Now
Questions 29

What does the NIST model for digital forensics define?

Options:

A.

how to define access control policies that will properly protect a company's most sensitive data and digital resources

B.

how to properly collect, examine, and analyze logs and other data, in order to use it as evidence in a security investigation

C.

which types of architecture and security policies are best equipped to help companies establish a Zero Trust Network (ZTN)

D.

which data encryption and authentication algorithms are suitable for enterprise networks in a world that is moving toward quantum computing

Buy Now
Questions 30

A company is deploying AOS-CX switches to support 114 employees, which will tunnel client traffic to an HPE Aruba Networking Mobility Controller (MC) for the MC to apply firewall policies and deep packet inspection (DPI). This MC will be dedicated to receiving traffic from the AOS-CX switches.

What are the licensing requirements for the MC?

Options:

A.

One PEF license per switch

B.

One PEF license per switch, and one WCC license per switch

C.

One AP license per switch

D.

One AP license per switch, and one PEF license per switch

Buy Now
Questions 31

Which is a correct description of a stage in the Lockheed Martin kill chain?

Options:

A.

In the weaponization stage, which occurs after malware has been delivered to a system, the malware executes its function.

B.

In the exploitation and installation phases, malware creates a backdoor into the infected system for the hacker.

C.

In the reconnaissance stage, the hacker assesses the impact of the attack and how much information was exfiltrated.

D.

In the delivery stage, malware collects valuable data and delivers or exfiltrates it to the hacker.

Buy Now
Questions 32

Which is a use case for enabling Control Plane Policing on Aruba switches?

Options:

A.

to prevent unauthorized network devices from sending routing updates

B.

to prevent the switch from accepting routing updates from unauthorized users

C.

to encrypt traffic between tunneled node switches and Mobility Controllers (MCs)

D.

to mitigate Denial of Service (Dos) attacks on the switch

Buy Now
Questions 33

What is one benefit of a Trusted Platform Module (TPM) on an Aruba AP?

Options:

A.

It enables secure boot, which detects if hackers corrupt the OS with malware.

B.

It deploys the AP with enhanced security, which includes disabling the password recovery mechanism.

C.

It allows the AP to run in secure mode, which automatically enables CPsec and disables the console port.

D.

It enables the AP to encrypt and decrypt 802.11 traffic locally, rather than at the MC.

Buy Now
Questions 34

Refer to the exhibits.

HPE6-A78 Question 34

A company has added a new user group. Users in the group try to connect to the WLAN and receive errors that the connection has no Internet access. The users cannot reach any resources. The first exhibit shows the record for one of the users who cannot connect. The second exhibit shows the role to which the AOS device assigned the user’s client.

What is a likely problem?

Options:

A.

The AOS device does not have the correct RADIUS dictionaries installed on it to understand the Aruba-User-Role VSA.

B.

The AOS device has a server derivation rule configured on it that has overridden the role sent by CPPM.

C.

The clients rejected the server authentication on their side because they do not have the root CA for CPPM’s RADIUS/EAP certificate.

D.

The role name that CPPM is sending does not match the role name configured on the AOS device.

Buy Now
Questions 35

What is one thing can you determine from the exhibits?

Options:

A.

CPPM originally assigned the client to a role for non-profiled devices. It sent a CoA to the authenticator after it categorized the device.

B.

CPPM sent a CoA message to the client to prompt the client to submit information that CPPM can use to profile it.

C.

CPPM was never able to determine a device category for this device, so you need to check settings in the network infrastructure to ensure they support CPPM's endpoint classification.

D.

CPPM first assigned the client to a role based on the user's identity. Then, it discovered that the client had an invalid category, so it sent a CoA to blacklist the client.

Buy Now
Questions 36

What is one way that WPA3-Enterprise enhances security when compared to WPA2-Enterprise?

Options:

A.

WPA3-Enterprise implements the more secure simultaneous authentication of equals (SAE), while WPA2-Enterprise uses 802.1X.

B.

WPA3-Enterprise provides built-in mechanisms that can deploy user certificates to authorized end-user devices.

C.

WPA3-Enterprise uses Diffie-Hellman in order to authenticate clients, while WPA2-Enterprise uses 802.1X authentication.

D.

WPA3-Enterprise can operate in CNSA mode, which mandates that the 802.11 association uses secure algorithms.

Buy Now
Questions 37

Which attack is an example or social engineering?

Options:

A.

An email Is used to impersonate a Dank and trick users into entering their bank login information on a fake website page.

B.

A hacker eavesdrops on insecure communications, such as Remote Desktop Program (RDP). and discovers login credentials.

C.

A user visits a website and downloads a file that contains a worm, which sell-replicates throughout the network.

D.

An attack exploits an operating system vulnerability and locks out users until they pay the ransom.

Buy Now
Questions 38

You have a network with ArubaOS-Switches for which Aruba ClearPass Policy Manager (CPPM) is acting as a TACACS+ server to authenticate managers. CPPM assigns the admins a TACACS+ privilege level, either manager or operator. You are now adding ArubaOS-CX switches to the network. ClearPass admins want to use the same CPPM service and policies to authenticate managers on the new switches.

What should you explain?

Options:

A.

This approach cannot work because the ArubaOS-CX switches do not accept standard TACACS+ privilege levels.

B.

This approach cannot work because the ArubaOS-CX switches do not support TACACS+.

C.

This approach will work, but will need to be adjusted later if you want to assign managers to the default auditors group.

D.

This approach will work to assign admins to the default "administrators" group, but not to the default "operators" group.

Buy Now
Questions 39

Which is an accurate description of a type of malware?

Options:

A.

Worms are usually delivered in spear-phishing attacks and require users to open and run a file.

B.

Rootkits can help hackers gain elevated access to a system and often actively conceal themselves from detection.

C.

A Trojan is any type of malware that replicates itself and spreads to other systems automatically.

D.

Malvertising can only infect a system if the user encounters the malware on an untrustworthy site.

Buy Now
Questions 40

Your company policies require you to encrypt logs between network infrastructure devices and Syslog servers. What should you do to meet these requirements on an ArubaOS-CX switch?

Options:

A.

Specify the Syslog server with the TLS option and make sure the switch has a valid certificate.

B.

Specify the Syslog server with the UDP option and then add an CPsec tunnel that selects Syslog.

C.

Specify a priv key with the Syslog settings that matches a priv key on the Syslog server.

D.

Set up RadSec and then enable Syslog as a protocol carried by the RadSec tunnel.

Buy Now
Questions 41

Device A is contacting https://arubapedia.arubanetworks.com. The web server sends a certificate chain. What does the browser do as part of validating the web server certificate?

Options:

A.

It makes sure that the key in the certificate matches the key that DeviceA uses for HTTPS.

B.

It makes sure the certificate has a DNS SAN that matches arubapedia.arubanetworks.com

C.

It makes sure that the public key in the certificate matches DeviceA's private HTTPS key.

D.

It makes sure that the public key in the certificate matches a private key stored on DeviceA.

Buy Now
Questions 42

What is a guideline for managing local certificates on an ArubaOS-Switch?

Options:

A.

Before installing the local certificate, create a trust anchor (TA) profile with the root CA certificate for the certificate that you will install

B.

Install an Online Certificate Status Protocol (OCSP) certificate to simplify the process of enrolling and re-enrolling for certificate

C.

Generate the certificate signing request (CSR) with a program offline, then, install both the certificate and the private key on the switch in a single file.

D.

Create a self-signed certificate online on the switch because ArubaOS-Switches do not support CA-signed certificates.

Buy Now
Questions 43

What are some functions of an AruDaOS user role?

Options:

A.

The role determines which authentication methods the user must pass to gain network access

B.

The role determines which firewall policies and bandwidth contract apply to the clients traffic

C.

The role determines which wireless networks (SSiDs) a user is permitted to access

D.

The role determines which control plane ACL rules apply to the client's traffic

Buy Now
Questions 44

An MC has a WLAN that enforces WPA3-Enterprise with authentication to HPE Aruba Networking ClearPass Policy Manager (CPPM). The WLAN's default role is set to guest. A Mobility Controller (MC) has these roles configured on it:

    authenticated

    denyall

    guest

    general-access

    guest-logon

    logon

    stateful-dot1x

    switch-logon

    voiceA client authenticates. CPPM returns an Access-Accept with an Aruba-User-Role VSA set to general_access. What role does the client receive?

Options:

A.

guest

B.

logon

C.

general-access

D.

authenticated

Buy Now
Questions 45

You have an Aruba Mobility Controller (MC) that is locked in a closet. What is another step that Aruba recommends to protect the MC from unauthorized access?

Options:

A.

Use local authentication rather than external authentication to authenticate admins.

B.

Change the password recovery password.

C.

Set the local admin password to a long random value that is unknown or locked up securely.

D.

Disable local authentication of administrators entirely.

Buy Now
Questions 46

An AOS-CX switch currently has no device fingerprinting settings configured on it. You want the switch to start collecting DHCP and LLDP information. You enter these commands:

Switch(config)# client device-fingerprint profile myprofile

Switch(myprofile)# dhcp

Switch(myprofile)# lldp

What else must you do to allow the switch to collect information from clients?

Options:

A.

Configure the switch as a DHCP relay

B.

Add at least one LLDP option to the policy

C.

Apply the policy to edge ports

D.

Add at least one DHCP option to the policy

Buy Now
Questions 47

What role does the Aruba ClearPass Device Insight Analyzer play in the Device Insight architecture?

Options:

A.

It resides in the cloud and manages licensing and configuration for Collectors

B.

It resides on-prem and provides the span port to which traffic is mirrored for deep analytics.

C.

It resides on-prem and is responsible for running active SNMP and Nmap scans

D.

It resides In the cloud and applies machine learning and supervised crowdsourcing to metadata sent by Collectors

Buy Now
Questions 48

Refer to the exhibit.

Device A is establishing an HTTPS session with the Arubapedia web sue using Chrome. The Arubapedia web server sends the certificate shown in the exhibit

What does the browser do as part of vacating the web server certificate?

Options:

A.

It uses the public key in the DigCen SHA2 Secure Server CA certificate to check the certificate's signature.

B.

It uses the public key in the DigCert root CA certificate to check the certificate signature

C.

It uses the private key in the DigiCert SHA2 Secure Server CA to check the certificate's signature.

D.

It uses the private key in the Arubapedia web site's certificate to check that certificate's signature

Buy Now
Questions 49

Refer to the exhibit.

HPE6-A78 Question 49

You are deploying a new ArubaOS Mobility Controller (MC), which is enforcing authentication to Aruba ClearPass Policy Manager (CPPM). The authentication is not working correctly, and you find the error shown In the exhibit in the CPPM Event Viewer.

What should you check?

Options:

A.

that the MC has been added as a domain machine on the Active Directory domain with which CPPM is synchronized

B.

that the snared secret configured for the CPPM authentication server matches the one defined for the device on CPPM

C.

that the IP address that the MC is using to reach CPPM matches the one defined for the device on CPPM

D.

that the MC has valid admin credentials configured on it for logging into the CPPM

Buy Now
Questions 50

Which correctly describes a way to deploy certificates to end-user devices?

Options:

A.

ClearPass Onboard can help to deploy certificates to end-user devices, whether or not they are members of a Windows domain

B.

ClearPass Device Insight can automatically discover end-user devices and deploy the proper certificates to them

C.

ClearPass OnGuard can help to deploy certificates to end-user devices, whether or not they are members of a Windows domain

D.

in a Windows domain, domain group policy objects (GPOs) can automatically install computer, but not user certificates

Buy Now
Exam Code: HPE6-A78
Exam Name: Aruba Certified Network Security Associate Exam
Last Update: Apr 24, 2025
Questions: 167

PDF + Testing Engine

$57.75  $164.99

Testing Engine

$43.75  $124.99
buy now HPE6-A78 testing engine

PDF (Q&A)

$36.75  $104.99
buy now HPE6-A78 pdf