Correct Answer: B

The UBT solution requires that the edge ports on the switches are configured in VLAN trunk mode, not access mode. This is because the UBT solution uses a special VLAN (VLAN 4095 by default) to encapsulate the user traffic and tunnel it to the gateway. The edge ports need to allow this VLAN as well as any other VLANs that are used for management or control traffic. Therefore, the edge ports should be configured as VLAN trunk ports and allow the necessary VLANs

Correct Answer: C

AppRF and WebCC are features that allow the MCs to classify and control application traffic and web content based on predefined or custom categories 12. These features are required to meet the scenario requirements of denying access to

all high-risk websites and denying access to the WLAN for a period of time if they send any SSH or Telnet traffic.

To enable AppRF and WebCC, you need to check the following settings:

On the global level, you need to enable AppRF and WebCC under Configuration > Services > AppRF and Configuration > Services > WebCC, respectively 12. On the role level, you need to enable AppRF and WebCC under Configuration >

Security > Access Control > Roles > medical-mobile > AppRF and Configuration > Security > Access Control > Roles > medical-mobile > WebCC, respectively 12. You also need to make sure that the MCs have valid licenses for AppRF and

WebCC, which are included in the ArubaOS PEFNG license 3.

Correct Answer: C

MAC Authentication Bypass (MAB) is a technique that allows non-802.1X-capable devices to bypass the 802.1X authentication process and gain network access based on their MAC addresses. However, MAB has some security drawbacks, such as the possibility of MAC address spoofing or unauthorized devices being added to the network. Therefore, it is recommended to use a custom MAC-Auth authentication method that adds an additional layer of security to MAB.

A custom MAC-Auth authentication method is a method that uses a combination of the MAC address and another attribute, such as a username, password, or certificate, to authenticate the device. This way, the device needs to provide both the MAC address and the additional attribute to gain access, making it harder for an attacker to spoof or impersonate the device. A custom MAC-Auth authentication method can be created and configured in ClearPass Policy Manager (CPPM) by following the steps in the Customizing MAC Authentication - Aruba page.

Correct Answer: B

A custom NAE script is a Python script that defines the monitors, the alert-trigger logic, and the remedial actions for an NAE agent. A monitor is a URI that specifies the data source and the data type that the NAE agent should collect and analyze. For example, to monitor the ARP inspection statistics on a VLAN, the monitor URI would be something like this:

where is the ID of the VLAN to be monitored.

To allow the admins to select the correct VLAN ID for the agent to monitor when they create the agent, you need to define a VLAN ID parameter in the NAE script. A parameter is a variable that can be set by the user when creating or modifying an agent. A parameter can be referenced in other parts of the script by using the syntax ${parameter-name}. For example, to define a VLAN ID parameter and reference it in the monitor URI, you would write something like this: This way, when the admins create or modify the agent, they can enter the VLAN ID that they want to monitor, and the NAE script will use that value in the monitor URI. You can find more information about how to write custom NAE scripts and use parameters in the NAE Scripting Guide

Correct Answer: A

Dynamic authorization is a feature that allows CPPM to send change of authorization (CoA) or disconnect messages to the MC to modify or terminate a user session based on certain conditions or events 1. Dynamic authorization uses the RFC 3576 protocol, which is an extension of the RADIUS protocol 2. To enable dynamic authorization on the MC, you need to configure the IP address and UDP port of the CPPM server as the RFC 3576 server on the MC 3. The default UDP port for RFC 3576 is 3799, but it can be changed on the CPPM server . The MC and CPPM must use the same UDP port for dynamic authorization to work properly 3. In this scenario, the MC is configured with the IP address of the CPPM server (10.47.47.8) as the RFC 3576 server, but it is using the default UDP port of 3799. However, according to the exhibit, the CPPM server is using a different UDP port of 1700 for dynamic authorization . This mismatch causes the CoA requests from CPPM to fail on the MC, as shown by the statistics . To fix this issue, you need to change the UDP port in the MCs' RFC 3576 server config to match the UDP port used by CPPM, which is 1700 in this case. Alternatively, you can change the UDP port in CPPM to match the default UDP port of 3799 on the MC. Either way, you need to ensure that both devices use the same UDP port for dynamic authorization .

Correct Answer: A

The exhibit shows a screenshot of a Malwarebytes alert that indicates that a website was blocked due to compromise. The alert contains the following information: The type of protection: Web Protection The website that was blocked: 10.254.1.21 The port that was used: 80 The process that initiated the connection: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe The IP address of the device that initiated the connection: 10.1.26.151 The IP address of the device that initiated the connection is the one that should be recorded as a possibly compromised client, as it indicates that the device tried to access a malicious website that could infect it with malware or steal its data. In this case, the IP address of the possibly compromised client is 10.1.26.151.

Correct Answer: D

The correct answer is D. Enabling alerts and email notifications for events related to gateway IPS engine utilization and errors. Gateway IDS/IPS is a feature that allows the Aruba gateways to monitor and block malicious or unwanted traffic based on predefined or custom rules 1. The Fail Strategy is a setting that determines how the gateways handle traffic when the IPS engine fails or crashes 2. The Block option means that the gateways will stop forwarding traffic until the IPS engine recovers, while the Bypass option means that the gateways will continue forwarding traffic without inspection 2. The Block option provides more security, but it also increases the risk of network outages if the IPS engine fails frequently or for a long time 2. To minimize this risk, it is recommended to enable alerts and email notifications for events related to gateway IPS engine utilization and errors 3. This way, the network administrators can be informed of any issues with the IPS engine and take appropriate actions to restore or troubleshoot it 3. The other options are not correct or relevant for this issue: Option A is not correct because configuring a relatively high threshold for the gateway threat count alerts would not help minimize unexpected outages caused by using the Block option. The gateway threat count alerts are used to notify the network administrators of the number of threats detected by the IPS engine, but they do not affect how the gateways handle traffic when the IPS engine fails 4. Option B is not correct because making sure that the gateways have formed a cluster and operate in default gateway mode would not help minimize unexpected outages caused by using the Block option. The gateway cluster mode is used to provide high availability and load balancing for the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails . The default gateway mode is used to enable routing and NAT functions on the gateways, but it does not affect how the gateways handle traffic when the IPS engine fails . Option C is not correct because setting the IDS or IPS policy to the least restrictive option, Lenient, would not help minimize unexpected outages caused by using the Block option. The IDS or IPS policy is used to define what rules are applied by the IPS engine to inspect and block traffic, but it does not affect how the gateways handle traffic when the IPS engine fails 2. The Lenient option contains fewer and older rules than the Moderate or Strict options, which means that it

provides less security and more false negatives .

Correct Answer: A

According to the AOS-CX User Guide, one way to configure the VLAN setting for the reception role is to assign a consistent name to VLAN 14, 24, or 34 on each access layer switch and reference that name in the enforcement profile VLAN settings. This way, the switches can download the role settings from CPPM and apply the correct VLAN based on the name, rather than the ID. For example, the enforcement profile VLAN settings could be:

And the VLAN configuration on each switch could be:

Correct Answer: C

This is because the Live Events monitoring tool is a feature that allows you to view and filter real-time events and alerts from your network devices and clients on Aruba Central. You can use the Live Events monitoring tool to detect which IoT clients have used SSH by applying the following filters: Category: IoT Application: SSH The Live Events monitoring tool will then display a list of all the IoT clients that have used SSH, along with other information such as their IP address, MAC address, hostname, SSID, AP name, etc. You can also export the list as a CSV file for further analysis or reporting.

A. Create and apply a Central client profile tag that selects the SSH application and the clients' category. This is not the fastest way to find a list of all the IoT clients that have used SSH because creating and applying a client profile tag is a

process that involves several steps and might take some time to take effect. A client profile tag is a feature that allows you to group and classify clients based on various criteria, such as device type, OS, category, application, etc. To create

and apply a client profile tag that selects the SSH application and the clients' category, you need to do the following:

Navigate to Clients > Client Profile Tags on Aruba Central. Click Add Tag and enter a name and description for the tag. Click Add Rule and select Application as the attribute and SSH as the value. Click Add Rule again and select Category as

the attribute and IoT as the value.

Click Save to create the tag.

Navigate to Clients > Client List on Aruba Central. Select the clients that you want to apply the tag to and click Assign Tag.

Select the tag that you created and click Apply.

After applying the tag, you can then filter the client list by the tag name and see a list of all the IoT clients that have used SSH. However, this method might not be as fast or accurate as using the Live Events monitoring tool, as it depends on

how often the client profile tags are updated and synchronized with Aruba Central.

B. Run a search for SSH traffic and loT client IDs in Aruba ClearPass Policy Manager's (CPPM's) accounting information. This is not the fastest way to find a list of all the IoT clients that have used SSH because running a search in CPPM's

accounting information is a process that involves accessing another system and querying a large amount of data. Accounting information is a feature that allows CPPM to collect and store data about network sessions, such as start time, end

time, duration, bytes sent/received, etc. To run a search for SSH traffic and IoT client IDs in CPPM's accounting information, you need to do the following:

Log in to CPPM and navigate to Monitoring > Live Monitoring > Accounting. Click on Advanced Search and enter SSH as the value for Service Name. Click on Add Filter and enter IoT as the value for Endpoint Category.

Click on Search to run the query.

The query will then return a list of all the network sessions that involved SSH traffic and IoT clients. However, this method might not be as fast or convenient as using the Live Events monitoring tool, as it requires logging in to another system

and searching through a large amount of data that might not be relevant or current. D. Use Central's Gateway IDS/IPS Security Dashboard to search for SSH events and sources. This is not a valid way to find a list of all the IoT clients that

have used SSH because the Gateway IDS/IPS Security Dashboard is a feature that only applies to wired network devices connected to Aruba gateways, not wireless devices connected to Aruba APs. The Gateway IDS/IPS Security

Dashboard is a feature that allows you to monitor and manage security events and alerts from your wired network devices on Aruba Central. You can use the Gateway IDS/IPS Security Dashboard to search for security events related to SSH,

such as brute force attacks or unauthorized access attempts, but not for normal SSH traffic from wireless IoT devices. Therefore, this method will not help you find a list of all the IoT clients that have used SSH.

Correct Answer: C

EAP (Extensible Authentication Protocol) is a framework that allows different authentication methods to be used for network access. EAP is used for RADIUS/EAP authentication, which is a common method for authenticating domain users on domain computers using certificates. EAP requires that the RADIUS server, such as ClearPass Policy Manager (CPPM), validates the certificates presented by the clients and verifies their identity against an identity source, such as Windows AD. Therefore, the root certificate for the Windows CA that issues the certificates to the clients should have the EAP usage in the ClearPass CA Trust list. Radsec (RADIUS over TLS) is a protocol that allows secure and encrypted communication between RADIUS servers and clients using TLS. Radsec is used for encrypting all communications between CPPM and the domain controllers, which act as RADIUS clients. Radsec requires that both the RADIUS server and the RADIUS client validate each other's certificates and establish a TLS session. Therefore, the root certificate for the Windows CA that issues the certificates to the domain controllers should have the Radsec usage in the ClearPass CA Trust list.