HPE6-A84 Aruba Certified Network Security Expert Written Exam Questions and Answers

Auto-site clustering is a feature that allows gateways in the same site and group to form a cluster automatically. However, this mode does not support VRRP IP addresses, which are required for dynamic authorization (CoA) from ClearPass Policy Manager (CPPM) to the gateways. Dynamic authorization is a mechanism that allows CPPM to change the attributes or status of a client session on the gateways without requiring re-authentication. This is useful for applying policies, roles, or bandwidth limits based on various conditions. Without VRRP IP addresses, CPPM would not be able to send CoA messages to the correct gateway in case of a failover event, resulting in inconsistent or incorrect client behavior.

To enable VRRP IP addresses for dynamic authorization, you need to set up gateway clusters manually and assign a VRRP VLAN and a VRRP IP address to each cluster. This way, CPPM can use the VRRP IP address as the NAS IP address for RADIUS communications and CoA messages. The VRRP IP address will remain the same even if the active gateway in the cluster changes due to a failover event, ensuring seamless operations. You can find more information about how to set up gateway clusters manually and configure VRRP IP addresses in the Gateway Cluster Deployment - Aruba page and the ClearPass Policy Manager User Guide1.

This is because a downloadable user role (DUR) is a feature that allows the switch to use a central ClearPass server to download user-roles to the switch for authenticated users12 A DUR can contain various attributes and rules that define the access level and privileges of the user, such as VLAN, ACL, PoE, reauthentication period, etc3 A DUR can also be customized and updated on the ClearPass server without requiring any changes on the switch1

A DUR can be used to create a “provision” role that allows users to enroll new wired clients in Intune. The “provision” role can have limited access that only lets them enroll and receive certificates from the Intune service. The “provision” role can also have rules that restrict the Internet access of the users to only the necessary sites, such as the Intune portal and the certificate authority. The rules can be based on IPv4 or IPv6 addresses, depending on the network configuration and preference2

A. Configuring the rules for the “provision” role with IPv6 addresses, which tend to be more stable. This is not a valid recommendation because it does not address how to create and apply the “provision” role on the switch. Moreover, IPv6 addresses do not necessarily tend to be more stable than IPv4 addresses, as both protocols have their own advantages and disadvantages4

B. Enabling tunneling to the MCs on the “provision” role and then setting up the privileges on the MCs. This is not a valid recommendation because it does not explain how to enable tunneling or what MCs are. Moreover, tunneling is a technique that encapsulates one network protocol within another, which adds complexity and overhead to the network communication5

D. Assigning the “provision” role to a VLAN and then setting up the rules within a Layer 2 access control list (ACL). This is not a valid recommendation because it does not explain how to assign a role to a VLAN or how to create a Layer 2 ACL on the switch. Moreover, a Layer 2 ACL is limited in its filtering capabilities, as it can only match on MAC addresses or Ethernet types, which might not be sufficient for restricting Internet access to specific sites

This is because SNMPv3 is a secure version of SNMP that provides authentication, encryption, and access control for network management. SNMPv3-only is a configuration option on AOS-CX switches that disables SNMPv1 and SNMPv2c, which are insecure versions of SNMP that use plain text community strings for authentication. By setting the snmp-server settings to “snmpv3-only”, the switch will only respond to SNMPv3 requests and reject any SNMPv1 or SNMPv2c requests, thus remedying the vulnerability and meeting the customer’s requirements.

A. Enabling control plane policing to automatically drop SNMP GET requests. This is not a valid recommendation because control plane policing is a feature that protects the switch from denial-of-service (DoS) attacks by limiting the rate of traffic sent to the CPU. Control plane policing does not disable SNMPv1 or SNMPv2c, but rather applies a rate limit to all SNMP requests, regardless of the version. Moreover, control plane policing might also drop legitimate SNMP requests if they exceed the rate limit, which could affect the network management.

C. Adding an SNMP community with a long random name. This is not a valid recommendation because an SNMP community is a shared secret that acts as a password for accessing network devices using SNMPv1 or SNMPv2c. Adding an SNMP community with a long random name does not disable SNMPv1 or SNMPv2c, but rather creates another community string that can be used for authentication. Moreover, adding an SNMP community with a long random name does not improve the security of SNMPv1 or SNMPv2c, as the community string is still transmitted in plain text and can be intercepted by an attacker.

D. Enabling SNMPv3, which implicitly disables SNMPv1/v2. This is not a valid recommendation because enabling SNMPv3 does not implicitly disable SNMPv1 or SNMPv2c on AOS-CX switches. Enabling SNMPv3 only adds support for the secure version of SNMP, but does not remove support for the insecure versions. Therefore, enabling SNMPv3 alone does not remedy the vulnerability or meet the customer’s requirements.

The Fail Strategy is a configuration option for the IPS mode of inspection on Aruba gateways. It defines the action to be taken when the IPS engine crashes and cannot inspect the traffic. There are two possible options for the Fail Strategy: Bypass and Block1

If you set the Fail Strategy to Bypass, you are telling the gateway to allow the traffic to flow without inspection when the IPS engine fails. This option ensures that there is no disruption in the network connectivity, but it also exposes the network to potential threats that are not detected or prevented by the IPS engine1

If you set the Fail Strategy to Block, you are telling the gateway to stop the traffic flow until the IPS engine resumes inspection. This option ensures that there is no compromise in the network security, but it also causes a loss of network connectivity for the duration of the IPS engine failure1

According to the Aruba Cloud Authentication and Policy Overview1, one of the prerequisites for configuring Cloud Authentication and Policy is to configure Device Insight (client profile) tags in Central. Device Insight tags are used to identify and classify IoT devices based on their behavior and characteristics. These tags can then be mapped to client roles, which are defined in the WLAN configuration for IAPs2. Client roles are used to enforce role-based access policies for the IoT devices. Therefore, option B is the correct answer.

Option A is incorrect because NetConductor is not related to Cloud Authentication and Policy. NetConductor is a cloud-based network management solution that simplifies the deployment and operation of Aruba Instant networks.

Option C is incorrect because integrating Aruba ClearPass Policy Manager (CPPM) and Device Insight is not a prerequisite for setting up the device role mappings. CPPM and Device Insight can work together to provide enhanced visibility and control over IoT devices, but they are not required for Cloud Authentication and Policy.

Option D is incorrect because creating global role-to-role firewall policies in Central is not a prerequisite for setting up the device role mappings. Global role-to-role firewall policies are used to define the traffic rules between different client roles across the entire network, but they are not required for Cloud Authentication and Policy.

A profile conflict occurs when ClearPass Policy Manager (CPPM) detects a change in the device category or OS family of an endpoint that has been previously profiled. This could indicate that someone has spoofed the MAC address of a legitimate device and is trying to gain unauthorized access to the network. For example, if an endpoint that was previously profiled as a Printer suddenly shows a new profile of Computer, this could be a sign of an attack. You can find more information about profile conflicts and how to resolve them in the ClearPass Policy Manager User Guide1. The other options are not necessarily signs of unauthorized access, as they could have other explanations. For example, multiple DHCP options under the fingerprints could indicate that the device has connected to different networks or subnets, an Unknown status could indicate that the device has not been authenticated yet, and a lack of hostname or a random hostname could indicate that the device has not been configured properly or has been reset to factory settings.

ClearPass Policy Manager (CPPM) requires network device entries for the devices that communicate with it using RADIUS or TACACS+ protocols. In this scenario, the gateways are the devices that act as RADIUS clients and send authentication requests to CPPM for the WLAN users. Therefore, CPPM needs to have network device entries for the gateways’ actual IP addresses and the shared secrets that match the ones configured on the gateways.

Additionally, CPPM also requires network device entries for the gateways’ dynamic authorization VRRP addresses, which are used for sending CoA messages to the gateways. CoA messages are used to change the attributes or status of a user session on the gateways without requiring re-authentication. For example, CPPM can use CoA to apply policies, roles, or bandwidth limits based on various conditions. To enable VRRP IP addresses for dynamic authorization, you need to set up gateway clusters manually and assign a VRRP VLAN and a VRRP IP address to each cluster. This way, CPPM can use the VRRP IP address as the NAS IP address for RADIUS communications and CoA messages. The VRRP IP address will remain the same even if the active gateway in the cluster changes due to a failover event, ensuring seamless operations.

According to the AOS-CX Switches Multiple Vulnerabilities1, one of the vulnerabilities (CVE-2021-41001) affects the Telnet service on AOS-CX switches. This vulnerability allows an unauthenticated remote attacker to cause a denial-of-service condition on the switch by sending specially crafted Telnet packets. The impact of this vulnerability is high, as it could result in a loss of management access and network disruption. Therefore, one immediate remediation that you should recommend is to disable Telnet on the switch. This way, the switch can prevent any malicious Telnet traffic from reaching it and avoid the exploitation of this vulnerability.

An authentication source is a configuration element in CPPM that defines how to connect to an external identity provider and retrieve user or device information . CPPM supports various types of authentication sources, such as Active Directory, LDAP, SQL, Kerberos, and HTTP .

To authenticate wireless and wired clients to Azure AD, you need to set up an authentication source as HTTP type, referencing Azure AD’s FQDN . This type of authentication source allows CPPM to use REST API calls to communicate with Azure AD and validate the user or device credentials . You also need to configure the OAuth 2.0 settings for the authentication source, such as the client ID, client secret, token URL, and resource URL .

To use information collected by Intune to make access control decisions, you need to set up another authentication source as HTTP type, referencing the Intune extension . This type of authentication source allows CPPM to use REST API calls to communicate with Intune and retrieve the device compliance status . You also need to configure the OAuth 2.0 settings for the authentication source, such as the client ID, client secret, token URL, and resource URL .

The correct answer is D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors.

Gateway IDS/IPS is a feature that allows the Aruba gateways to monitor and block malicious or unwanted traffic based on predefined or custom rules 1. The Fail Strategy is a setting that determines how the gateways handle traffic when the IPS engine fails or crashes 2. The Block option means that the gateways will stop forwarding traffic until the IPS engine recovers, while the Bypass option means that the gateways will continue forwarding traffic without inspection 2.

The Block option provides more security, but it also increases the risk of network outages if the IPS engine fails frequently or for a long time 2. To minimize this risk, it is recommended to enable alerts and email notifications for events related to gateway IPS engine utilization and errors 3. This way, the network administrators can be informed of any issues with the IPS engine and take appropriate actions to restore or troubleshoot it 3.

The other options are not correct or relevant for this issue:

• Option A is not correct because configuring a relatively high threshold for the gateway threat count alerts would not help minimize unexpected outages caused by using the Block option. The gateway threat count alerts are used to notify the network administrators of the number of threats detected by the IPS engine, but they do not affect how the gateways handle traffic when the IPS engine fails 4.
• Option B is not correct because making sure that the gateways have formed a cluster and operate in default gateway mode would not help minimize unexpected outages caused by using the Block option. The gateway cluster mode is used to provide high availability and load balancing for the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails . The default gateway mode is used to enable routing and NAT functions on the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails .
• Option C is not correct because setting the IDS or IPS policy to the least restrictive option, Lenient, would not help minimize unexpected outages caused by using the Block option. The IDS or IPS policy is used to define what rules are applied by the IPS engine to inspect and block traffic, but it does not affect how the gateways handle traffic when the IPS engine fails 2. The Lenient option contains fewer and older rules than the Moderate or Strict options, which means that it provides less security and more false negatives .

According to the AOS-CX Switches Multiple Vulnerabilities1, one of the vulnerabilities (CVE-2021-41000) affects the SSH service on AOS-CX switches. This vulnerability allows an unauthenticated remote attacker to cause a denial-of-service condition on the switch by sending specially crafted SSH packets. The impact of this vulnerability is high, as it could result in a loss of management access and network disruption. Therefore, one recommendation to make is to create a control plane ACL to limit the sources that can access the switch with SSH. This way, the switch can filter out unwanted or malicious SSH traffic and reduce the risk of exploitation.

This is because ARP inspection is a security feature that validates ARP packets in a network and prevents ARP poisoning attacks12 ARP inspection works by intercepting, logging, and discarding ARP packets with invalid IP-to-MAC address bindings1 To enable ARP inspection, the switch needs to know which ports are trusted and which are untrusted. Trusted ports are those that connect to authorized DHCP servers or other network devices that are not vulnerable to ARP spoofing. Untrusted ports are those that connect to end hosts or devices that might send forged ARP packets13

In the exhibit, LAG 1 is configured as a trusted port for ARP inspection, which is correct because it connects to the core switch. However, the edge ports (1/1/1-1/1/24) are not configured as untrusted ports for ARP inspection, which is incorrect because they connect to end hosts that might be compromised by an attacker. By default, all ports are untrusted for ARP inspection, but this can be changed by using the command ip arp inspection trust on the interface configuration mode3 Therefore, to protect VLAN 4 against ARP poisoning, the edge ports should be configured as untrusted for ARP inspection by using the command no ip arp inspection trust on the interface configuration mode. This way, the switch will validate the ARP packets received on these ports against the DHCP snooping database or an ARP access-list and drop any invalid packets34

A. ARP proxy is not enabled on VLAN 4. This is not an issue because ARP proxy is an optional feature that allows the switch to respond to ARP requests on behalf of hosts in different subnets5 It is not related to ARP poisoning or ARP inspection.

B. LAG 1 is configured as trusted for ARP inspection but should be untrusted. This is not an issue because LAG 1 connects to the core switch, which is a trusted device that does not send forged ARP packets.

C. DHCP snooping is not enabled on VLAN 4. This is not an issue because DHCP snooping is a separate feature that prevents rogue DHCP servers from offering IP addresses to clients6 It is not directly related to ARP poisoning or ARP inspection, although it can provide information for ARP inspection validation if enabled