Refer to the exhibit:

A customer has configured the Aruba Controller for administrative authentication using ClearPass as a TACACS server. During testing, the read-only user is getting the root access role. What could be a possible reason for this behavior? (Select two.)

A. The Controllers Admin Authentication Options Default role is mapped to toot.

B. The ClearPass user role associated to the read-only user is wrong

C. The Controller Server Group Match Rules are changing the user role

D. The read-only enforcement profile is mapped to the root role

E. On the Controller, the TACAC$ authentication server Is not configured for Session authorization

Refer to the exhibit:

A customer has configured Onboard and Windows devices work as expected but cannot get the Apple iOS devices to Onboard successfully. Where would you look to troubleshoot the Issued (Select two)

A. Check if the ClearPass HTTPS server certificate installed in the server is issued by a trusted commercial certificate authority.

B. Check if the customer installed the internal PKl Root certificate presented by the ClearPass during the provisioning process.

C. Check if a DNS entry is available for the ClearPass hostname in the certificate, resolvable from the DNS server assigned to the client.

D. Check if the customer has Instated a custom HTTPS certificate for IDS and another internal PKl HTTPS certificate for other devices.

E. Check if the customer has installed the same internal PKl signed RADIUS server certificate as the HTTPS server certificate.

How does the RadSec improve the RADIUS message exchange? (Select two.)

A. It can be used on an unsecured network or the Internet.

B. It builds a TTLS tunnel between the NAD and ClearPass.

C. Only the NAD needs to trust the ClearPass Certificate.

D. It encrypts the entire RADIUS message.

E. It uses UDP to exchange the radius packets.

Refer to the exhibit:

The customer complains that the user shown cannot log into the ClearPass Server as an administrator using the [Policy Manager Admin Network Login Service]. What could be the reason for this?

A. The user might be used for a TACACS authentication

B. The account created does not fit this purpose.

C. The mapping on the role should be changed to [RADIUS Super Admin]

D. The local user authentication might be disabled

Under Onboard management and control, which option will deny the user from re-provisioning the device a second time?

A. Revoke and Delete certificate

B. Delete user

C. Revoke certificate

D. Delete certificate

Refer to the exhibit: Your customer configured a ClearPass server to process the Guest and Secure SSIDs broadcasting from both Aruba and Cisco WLAN controllers When an Employee connects to Aruba or Cisco secure SSID, the authentication hits the guest service causing the client to fail the connection to the network. What change can be implemented to make both the secure and guest services created for Aruba and Cisco devices to work correctly?

A. Move the HS-Guest User Authentication with MAC Caching service to the first position.

B. Modify the service rule matching algorithm to ALL in HS-Guest User Authentication service.

C. Disable HS-Guest User Authentication service and move HS-Guest MAC Authentication to seventh position.

D. Move the HS_Building Aruba 802.1x service to the second position in the service order.

Refer to the exhibit: A customer has configured Onboard in a cluster. After the Primary server's failure, the BYOD devices fail to connect to the network. What would you do to troubleshoot?

A. Verify the OSCP URL under TLS authentication method is mapped to http://localhost/ guestmdps_ocsp.php/2

B. Reboot the active ClearPass server and reconnect the client to the SSID by selecting the correct certificate when prompted

C. Check EAP certificate on the secondary node is issued by the same common root Certificate Authority (CA)

D. Check if a DNS entry is available for the ClearPass hostname in the certificate, resolvable from the DNS server assigned to the client

Refer to the exhibit:

The customer configured an 802.1x service with different enforcement actions for personal and corporate

laptops. The corporate laptops are always being redirected to the BYOD Portal. The customer has sent

you the above screenshots.

How would you resolve the issue? (Select two)

A. Modify the enforcement policy and change the rule evaluation algorithm to select first match

B. Modify the enforcement policy and re-order the condition with posture not_equals to healthy as the sixth condition

C. Modify the enforcement policy and re-order the EAP-PEAP with [user authenticated] rule to the last condition.

D. Modify the enforcement policy and re-order the condition with Posture - Unknown as the fifth condition

E. Remove the EAP-PEAP with [user authenticated] condition for Onboard and create another service

A customer is looking to implement a Web-Based Health Check solution with the following requirements:

for the HR user's client devices, check if a USB stick is mounted.

for the RandD user's client devices, check if the hard disk is fully encrypted.

The Web-Based Health Check service has been configured but the customer it is not sure how to design

the Profile Policy.

How can be accomplished this customer request?

A. create two Posture Policies and customize the OnGuard Agent (Persistent or Dissolvable) to select the correct SHV checks

B. create one Posture Policy and define Rules Conditions that will apply different Tokens for each SHV check condition

C. create two Posture Policies and use the Restrict by Roles option to filter for HR and RandD user roles and apply the correct SHV checks

D. create one Posture Policy to check the HR users client devices and use the NAP Agent to check RandD users client devices

Refer to the exhibit: A customer has configured a Guest Self registration page for their Cisco Wireless network with the settings shown. What should be changed in order to successfully authenticate guests users?

A. Secure Login should use HTTP

B. Change the Vendor Settings to Airespace Networks

C. Change \he IP Address to the Cisco Controller DNS name

D. Login Method should be Controller-initiated - using HTTPs form submit