Passit4sure.ACCP-v6.2.140.QA

Number: ACCP-v6.2
Passing Score: 800
Time Limit: 120 min
File Version: 13.6

http://www.gratisexam.com/

ACCP-v6.2
Aruba Certified Clearpass Professional v6.2

I passed the exam and got 810/1000. Just I studied only this dump I did not consider any other dumps and training material.

It has a very informative and descriptive material. You must pass.

It’s a revolutionary new way to learn and prepare for your certification exam.

I found these practice dumps very complete including everything I needed to pass on my first try. Much Appreciated!

Dump is extremely demanding because of popularity, I used this product and could not figure out any inaccuracy.

This dump does an excellent job of teaching exactly what's needed, and the 140-question practice exam is a really close approximation of what to expect on the exam.

Upload: hakiet

Post on 04-Jun-2018



Exam A

QUESTION 1
What is the function of ClearPass Onboard?

A. Provide guest access for visitors to connect to the network
B. Process authentication requests based on policy services
C. Profile devices connecting to the network
D. Provision personal devices to securely connect to the network
E. To allow a windows machine to use machine authentication to access the network

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
What is the Onboard license usage based on?

A. Each user connected to the provisioning SSID uses 1 Onboard license.
B. Each user authenticated using the Onboard credential uses 1 Onboard license.
C. Each user provisioned using the Onboard process uses 1 Onboard license.
D. Each user that has the OnGuard agent downloaded uses 1 Onboard license.
E. Each user that downloads the Onboard application to their iOS device uses 1 Onboard license.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 3
An employee provisions their personal smart phone using the Onboard process. In addition, they have a corporate laptop given to them by IT that connects to the secure network. How many licenses does the user consume?

A. 1 Policy Manager license, 1 Onboard License.
B. 1 Policy Manager license, 1 Guest License.
C. 2 Policy Manager licenses, 1 Onboard License.
D. 2 Policy Manager licenses, 2 Onboard Licenses.
E. 1 Policy Manager license, 2 Guest licenses.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
An employee authenticates using their corporate laptop and runs the dissolvable onguard agent to send a health check back the Policy Manager. Based on the health of the device a VLAN is assigned to the corporate laptop.

Which licenses are consumed in this scenario?

A. 1 Policy Manager license, 1 Onboard License.
B. 1 Policy Manager license, 1 OnGuard License.
C. 2 Policy Manager licenses, 1 OnGuard License.
D. 1 Policy Manager license, 1 Profile License.
E. 2 Policy Manager licenses, 2 Onguard licenses.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
A customer would like to deploy ClearPass with the following objectives: they have between 2000 to 3000 corporate users that need to authenticate daily using EAP-TLS. They want to allow for up to 1000 employee devices to be onboarded. They would also like to allow up to 100 different guest users each day to authenticate using the web login feature.


Which of the following best describes the license mix that they need to purchase?

A. CP-HW-5k, 100 Onboard, 100 Guest.
B. CP-HW-500, 1000 Onboard, 100 Guest.
C. CP-HW-2k, 1000 Onboard, 100 Guest.
D. CP-HW-5k, 2500 Enterprise.
E. CP-HW-5k, 1000 Enterprise.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference: Fixed.

QUESTION 6
Which of the following statements is true about the Endpoint Profiler? (Choose 2)

A. The Endpoint Profiler requires the Onboard license to be enabled.
B. The Endpoint Profiler uses DHCP fingerprinting for device categorization.
C. Data obtained from the Endpoint Profiler can be used in Enforcement Policy.
D. The Endpoint Profiler can only categorize laptops and desktops.
E. Endpoint Profiler requires a profiling license.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
Which of the following methods can be used as collectors for device profiling? (Choose 2)

A. OnGuard agent
B. Active Directory Attributes
C. ActiveSync Plugin
D. Username and Password
E. Client's role on the controller

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Refer to the screen capture below:

Based upon Endpoint information shown here, which collectors were used to profile the device as Apple iPad? (Choose 2)

A. OnGuard Agent
B. HTTP User-Agent
C. DHCP fingerprinting
D. SNMP
E. SmartDevice

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
To setup an Aruba Controller as DHCP relay for device fingerprinting, which of the following IP addresses needs to be configured?

A. DHCP server IP
B. ClearPass server IP
C. Active Directory IP
D. Microsoft NPS server IP
E. Switch IP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
What database in the Policy Manager contains the device attributes derived by profiling?

A. Local Users Repository
B. Onboard Devices Repository
C. Endpoints Repository
D. Guest User Repository
E. Client Repository

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
Refer to the screen capture below:

Based on the Endpoint Profiler output shown here, which of the following statements is true?

A. The devices have been profiled using DHCP fingerprinting.
B. There are 5 devices profiled in the Computer Device Category.
C. Apple devices will be profiled in the SmartDevice category.
D. There is only 1 Microsoft Windows device present in the network.
E. The linux device with MAC address 000c29fd8945 has not been profiled.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
Which of the following conditions can be used for rule creation of an Enforcement Policy? (Choose 3)

A. System Time
B. Clearpass IP address
C. Posture
D. Switch VLAN
E. Connection Protocol

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Refer to the screen capture below:

Based on the Enforcement Policy configuration, if a user with Role Engineer connects to the network and the posture token assigned is Unknown, what Enforcement Profile will be applied?

A. EMPLOYEE_VLAN
B. Remote Employee ACL
C. RestrictedACL
D. Deny Access Profile
E. HR VLAN

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
Refer to the screen capture below:

Based on the Enforcement Policy configuration, if a user with Role Remote Worker connects to the network and the posture token assigned is quarantine, what Enforcement Profile will be applied?

A. EMPLOYEE_VLAN
B. Remote Employee ACL
C. RestrictedACL
D. Deny Access Profile
E. HR VLAN

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
Refer to the screen capture below:

Based on the Enforcement Policy configuration, if a user connects to the network using an Apple iphone, what Enforcement Profile is applied?

A. WIRELESS_CAPTIVE_NETWORK
B. WIRELESS_HANDHELD_NETWORK
C. WIRELESS_GUEST_NETWORK
D. WIRELESS_EMPLOYEE_NETWORK
E. Deny Access

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
Refer to the screen capture below:

A user who is tagged with the ClearPass roles of Role_Engineer and developer, but not testqa, connects to the network with a corporate Windows laptop. What Enforcement Profile is applied?

A. WIRELESS_CAPTIVE_NETWORK
B. WIRELESS_HANDHELD_NETWORK
C. WIRELESS_GUEST_NETWORK
D. WIRELESS_EMPLOYEE_NETWORK
E. Deny Access

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
Which of the following components of a Policy Service is mandatory?

A. Enforcement
B. Posture
C. Profiler
D. Role Mapping Policy
E. Authorization Source

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
Which of the following options is the correct order of steps of a Policy Service request?

1) Clearpass tests the request against Service Rules to select a Policy Service.
2) Clearpass applies the Enforcement Policy.
3) Negotiation of the Authentication Method occurs between the NAD and Clearpass.
4) Clearpass sends the Enforcement Profile attributes to the NAD.
5) NAD forwards authentication request to Clearpass.

A. 1, 3, 2, 4, 5
B. 5, 1, 3, 2, 4
C. 5, 1, 3, 4, 2
D. 1, 2, 3, 4, 5
E. 2, 3, 4, 5, 1

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
Which of the following information is NOT required while building a Policy Service for 802.1X authentication?

A. Network Access Device used
B. Authentication Method used
C. Authentication Source used
D. Posture Token of the client
E. Profiling information of the client

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
Which of the following components can use Active Directory authorization attributes for the decision-making process? (Choose 2)

A. Role Mapping Policy
B. Posture Policy
C. Enforcement Policy
D. Service Rules

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
What information can we conclude from the following graph?

A. This graph represents all authentication requests received by Clearpass in one year.
B. This graph represents all authentication requests received by Clearpass in a day.
C. The graph represents all authentication requests received by Clearpass in a month.
D. Each bar represents total authentication requests per minute.
E. Each bar represents total authentication requests per day.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
What information can we conclude from the above audit row detail? (Choose 2)

A. radius01 was added as an authentication source.
B. radius01 was deleted from the list of authentication sources.
C. The policy service was moved to position number 3.
D. The policy service was moved to position number 4.
E. radius01 was moved to position number 4.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
What is the purpose of the Audit Viewer in the Monitoring section of ClearPass Policy Manager?

A. To audit client authentications.
B. To audit the network for PCI compliance.
C. To display the entire configuration of the ClearPass Policy Manager.
D. To display changes made to the ClearPass configuration.
E. To display system events.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
If the "Alerts" tab in an authentication session details tab in Access Tracker shows the following error message "Access denied by policy", what could be a possible cause for authentication failure?

A. Implementation of an Enforcement Policy
B. Implementation of a firewall policy
C. Failure to categorize the request in a Clearpass service
D. Implementation of a Posture Policy
E. Failure to activate the enforcement policy

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
If a client's authentication is failing and there are no entries in the Clearpass's Access Tracker, which of the following is a possible reason for the authentication failure?

A. The client used a wrong password.
B. The user is not found in the database.
C. The shared secret between Network Access Device and Clearpass does not match.
D. The user account has expired.
E. The user's certificate is invalid.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
Which of the following statements is true based on the Access Tracker output shown below?

A. The client wireless profile is incorrectly setup.
B. Clearpass does not have a service enabled for MAC authentication.
C. The client MAC address is not present in the Endpoints table in the Clearpass database.
D. The client used incorrect credentials to authenticate to the network.
E. The RADIUS client on the Windows server failed to categorize the service correctly.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
Which of the following are valid policy simulation types in Clearpass? (Choose 3)

A. Role Mapping
B. Endpoint Profiler
C. Authorization Attributes
D. Chained Simulation
E. Enforcement Policy

Correct Answer: ADE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
The screenshot here from the Event Viewer in ClearPass shows an error when a user does an EAP-TLS authentication to ClearPass through an Aruba Controller's Wireless Network.

What is the cause of this error?

A. The client has sent an incorrect shared secret for the 802.1X authentication.
B. The controller has sent an incorrect shared secret for the RADIUS authentication.
C. The client's shared secret used during the certificate exchange is incorrect.
D. The controller's shared secret used during the certificate exchange is incorrect.
E. The NAS source interface IP is incorrect.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference: Accurate.

QUESTION 29
Which of the following use cases will require a ClearPass Guest application license? (Choose 2)

A. Sponsor based guest user access
B. Employee personal device registration
C. User self registration for access
D. Guest device fingerprinting
E. Endpoint health assessment

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30
Below is a screenshot of the Guest Role Mapping Policy:


What is the purpose of this Role Mapping Policy?

A. To send a firewall role back to the controller based on the Guest User's Role ID.
B. To assign Controller roles to guests.
C. To display a role name on the Self-registration receipt page.
D. To assign ClearPass roles to guests based on the guest's Role ID as seen during authentication.
E. To assign all 3 roles of [Contractor], [Guest] and [Employee] to every guest user.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
An administrator logs in to the Guest module in ClearPass and under 'List Accounts' sees the following:

If a user with username [email protected] tries to access the Web Login page, what would we expect to happen?

A. The user will not be able to access the Web Login page.
B. The user will be able to login and authenticate successfully but they will be immediately disconnected after.
C. The user will not be able to login and authenticate.
D. The user will be able to login for the next 4.9 days, but after this they will not be able to login anymore.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
Refer to the screenshot below:

Based on the above configuration, which of the following statements is true?

A. The visitor_phone field will be visible to operator creating the account.
B. The visitor_phone field will be visible to the guest users in the web login page.
C. The visitor_company field will be visible to operator creating the account.
D. The visitor_company field will be visible to the guest users in the web login page.
E. The email field will be visible to guest users on the web login page.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
Refer to the screenshot below:

Based on the above configuration which of the following statements is true?

A. Only guest users connecting to SSID Aruba will be allowed access to the network by ClearPass Guest.
B. The minimum password length for guest passwords is set to a default value of 8.
C. The usernames generated for guest users by Guest Manager will be a combination of random numbers.
D. The password generated for guest users by Guest Manager will be a combination of random numbers.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34
Refer to the screenshot in the diagram below, as seen when configuring a Web Login Page in ClearPass Guest:

What is the page name field used for?

A. For Administrators to access the PHP page, but not guests.
B. For Administrators to reference the page only.
C. For forming the Web Login Page URL.
D. For forming the Web Login Page URL and the page name that guests must configure on their laptop wireless supplicant.
E. For forming the Web Login Page URL where Administrators add guest users.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 35
Refer to the screenshot in the diagram below, as seen when a Web Login Page is configured in ClearPass Guest:

What is the Address field value 'securelogin.arubanetworks.com' used for?

A. For appending to the Web Login URL, before the page name.
B. For ClearPass to POST the user credentials to the NAD device.
C. For ClearPass to send a RADIUS request to the NAD device.
D. For ClearPass to send a TACACS+ request to the NAD device.
E. For appending to the Web Login URL, after the page name.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 36
Below is a screenshot of a Captive Portal Authentication profile inside the Aruba Controller:

Which field would you change so that guest users are redirected to the ClearPass Captive Portal when they connect to the Guest SSID?

A. Login Page
B. Welcome Page
C. Both Login & Welcome Page
D. Default Role
E. Default Guest Role

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 37
Below is an extract from the Web Login Page configuration in ClearPass Guest:

What is the purpose of the Pre-Auth Check?

A. To authenticate users before they launch the Web Login Page.
B. To authenticate users before ClearPass sends the credentials to the NAD device.
C. To authenticate users after the NAD device sends an authentication request to ClearPass.
D. To replace the need for the NAD to send an authentication request to ClearPass.
E. To re-authenticate users when they're roaming from one NAD to another.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 38
Below is an Enforcement Profile that has been created in the Policy Manager:

What is the action that is taken by this Enforcement Profile?

A. ClearPass will count down 600 seconds and send a RADIUS CoA message to the NAD device to end the user's session after this time is up.
B. ClearPass will send the Session-Timeout attribute in the RADIUS Access-Accept packet to the User and the user's session will be terminated after 600 seconds.
C. ClearPass will send the Session-Timeout attribute in the RADIUS Access-Accept packet to the NAD device and the NAD will end the user's session after 600 seconds.
D. ClearPass will send the Session-Timeout attribute in the RADIUS Access-Request packet to the NAD device and the NAD will end the user's session after 600 seconds.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 39
Below is a screenshot of a client connecting to a Guest SSID:

Based on the image shown above, which of the following best describes the client's state?

A. The client authenticated through the web login page first before it was able to obtain an IP address.
B. The client does not have an IP address, but they have authenticated through the web login page.
C. The client does not have an IP address because they have not authenticated through the web login page yet.
D. We can't tell from the image above.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 40
A Bank would like to deploy ClearPass Guest with web login authentication so that their customers can self-register on the network to get network access when they have meetings with Bank Employees. However, they're concerned about security.

Which of the following is true? (Choose 3)

A. During web login authentication, if HTTPS is used for the web login page, guest credentials will be encrypted.
B. If HTTPS is used for the web login page, after authentication is completed guest Internet traffic will all be encrypted as well.
C. If HTTPS is used for the web login page, after authentication is completed some guest Internet traffic may be unencrypted.
D. After authentication, an IPSEC VPN on the guest's client can be used to encrypt Internet traffic.
E. HTTPS should never be used for Web Login Page authentication.

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 41
A Hospital would like to deploy ClearPass Guest for friends and relatives of patients to access the Internet. They would like patients to be able to access an internal webpage on the intranet where they can view patient information. However, other guests should not have access to this page.

Which of the following is true? (Choose 2)

A. The NAD device will be firewalling users to block Intranet traffic.
B. ClearPass will be firewalling users to block Intranet traffic.
C. It's necessary for us to have two separate web login pages due to the different access requirements of patients and guests.
D. We will need to configure different Enforcement actions for patients and guests in the service.
E. Both the NAD and Clearpass would have to firewall users to block traffic.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 42
Below is a screenshot of a self-registration receipt:

Which of the following is true?

A. Expiration time for guest accounts can be modified by the visitor.
B. Receipt Actions such as 'Download account details' cannot be modified in the self-registration editor.
C. Company Name field cannot be removed from the registration page using the self-registration editor.
D. The user will only be able to login between the Activation and Expiration time.
E. The user must be logged in before they can use the 'Download account details' link.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 43
A company deployed the guest Self-registration with Sponsor Approval workflow for their guest SSID. The administrator logs into the Policy Manager and sees the following in the Guest User Repository:

What can you conclude from the above? (Choose 2)

A. The guest has submitted the registration form.
B. The guest has not submitted the registration form yet.
C. The sponsor has confirmed the guest account.
D. The sponsor has not confirmed the guest account yet.
E. The user's account is active.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 44
Refer to the screenshot below of a MAC Caching enforcement policy:

Which of the following is true?

A. Only a user with Controller role of [Guest] will be allowed to authenticate
B. Only a user with Clearpass role of [Guest] and that has authenticated using the web login page less than 5 minutes ago, will have their MAC authentication succeed
C. Only a user with Clearpass role of [Guest] and that has authenticated using the web login page more than 5 minutes ago, will have their MAC authentication succeed
D. Only a user whose last MAC authentication was less than 5 minutes ago, will have their MAC authentication succeed

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 45
Refer to the screenshot below:

Which of the following is true of the MAC-Guest-Check SQL query authorization source?

A. It's used to check if the MAC address status is known in the endpoints table
B. It's used to check if the guest account has expired
C. It's used to check if the MAC address status is unknown in the endpoints table
D. It's used to check how long it's been since the last web login authentication
E. It's used to check if the MAC address is in the MAC Caching repository

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 46
A hotel chain recently deployed ClearPass Guest. A guest enters the hotel and connects to the Guest SSID. They launch their web browser and type in www.google.com, but they're unable to immediately see the web login page.

Which of the following could be causing this? (Choose 2):

A. The DNS server is not replying with an IP address for www.google.com.
B. The guest is using a Linux laptop which doesn't support web login.
C. The ClearPass server has a server certificate issued by Verisign.
D. The ClearPass server has a server certificate issued by the internal Microsoft Certificate Server.
E. The ClearPass server does not recognize the client's certificate.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 47
Refer to the screenshot below of a MAC Caching service:

A guest connects to the Guest SSID and authenticates successfully using the guest.php web login page. Which of the following is true?

A. Their MAC address will be visible in the Endpoints table with Known Status.
B. Their MAC address will be visible in the Endpoints table with Unknown Status.
C. Their MAC address will be visible in the Guest User Repository with Known Status.
D. Their MAC address will be visible in the Guest User Repository with Unknown Status.
E. Their MAC address will be deleted from the Endpoints table.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 48
Which of the following CLI commands is used to upgrade the image of a ClearPass server?

A. Upgrade image
B. System upgrade
C. Upgrade software
D. Reboot
E. System update

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 49
Which of the following statements is true about the skin plugins in ClearPass guest?

A. Skins are created by Aruba Professional Services.
B. Skins allow addition of content items to web login pages.
C. Skins are used to create hotspot login pages.
D. Skins are used to create Onboard registration pages.
E. Skins allow customers to implement advertising.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 50
What does a client need for it to perform EAP-TLS successfully? (Choose 2)

A. Username and Password
B. Client Certificate
C. Pre-shared key
D. Certificate Authority
E. Server Certificate

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 51
Refer to the screenshot in the diagram below, which illustrates a configuration of a Windows 802.1X supplicant for EAP-PEAP authentication.

In a deployment, which certificate would you select under the 'Trusted root certification authority' section?

A. The server certificate
B. The client certificate
C. The root CA self-signed certificate
D. The root CA certificate signed by the client
E. The client certificate signed by the root CA

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 52
Refer to the screenshot in the diagram below, which illustrates the configuration of a Windows 802.1X supplicant.

What will selecting 'Validate server certificate' do?

A. The client will send its certificate to the server for verification.
B. The server will send its private key to the client for verification.
C. The server and client will perform an HTTPS SSL certificate exchange.
D. The client will verify the server certificate against a trusted CA.
E. The client will send its private key to the server for verification.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 53
Refer to the screenshot in the diagram below, which illustrates the configuration of a Windows 802.1X supplicant.

If 'Automatically use my Windows logon name and password' are selected, which of the following is true?

A. The client's Windows login username and password will be sent in an EAP frame to the Authentication Server.
B. The client's Windows login username and password will be sent in a RADIUS Accounting frame to the Authentication server.
C. The client will need to re-authenticate every time they connect to the network.
D. The client's Windows logon name and password will be sent via a TACACS+ frame to the authentication server.
E. The client will prompt the user to enter the logon username and password.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 54
What does a client need for it to perform EAP-PEAP successfully, if 'Validate Server Certificate' is not enabled?

A. Username and Password
B. Client Certificate
C. Pre-shared key
D. Certificate Authority
E. Server Certificate

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 55
What is RADIUS CoA used for?

A. To authenticate users or devices before granting them access to a network.
B. To force the client to re-authenticate upon roaming to a new Controller.
C. To apply firewall policies based on authentication credentials.
D. To validate a host MAC against a white and a black list.
E. To transmit messages to the NAD/NAS to modify a user's session status.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 56
What are Operator Profiles used for?

A. To assign ClearPass roles to guest users.
B. To enforce role based access control for ClearPass Guest operator users.
C. To enforce role based access control for ClearPass Policy Manager admin users.
D. To map AD attributes to admin privilege levels in ClearPass Guest.
E. To enforce role based access control for Aruba Controllers.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 57
Refer to the screen capture below:

Based on the Translation Rule configuration shown above, which of the following statements is true?

A. A user from group MatchAdmin will be assigned the operator profile of IT Administrators.
B. All active directory users will be assigned the operator profile of IT Administrators.
C. All admin users will be assigned the operator profile of IT Administrators.
D. A user from group Administrators will be assigned the operator profile of IT Administrators.
E. This translation rule is not valid for Active Directory administrators.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 58
Which of the following steps are required to use ClearPass as a TACACS+ Authentication server for a network device? (Choose 2)

A. Configure the ClearPass Policy Manager as an Authentication server on the network device.
B. Configure ClearPass roles on the network device.
C. Configure RADIUS Enforcement Profile for the desired privilege level.
D. Configure TACACS Enforcement Profile for the desired privilege level.
E. Enable RADIUS accounting on the NAD device.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 59
Which of the following is FALSE?

A. Active Directory can be used as the authentication source to process TACACS+ authentication requests coming to Clearpass from NAD devices
B. Active Directory can be used as the authentication source to process Clearpass Guest Admin Access
C. TACACS+ authentication requests received by Clearpass are always forwarded to a Windows Server that can handle these requests
D. TACACS+ authentication requests from NAD devices to Clearpass are processed by a TACACS+ service
E. The local user repository in Clearpass can be used as the authentication source for TACACS+ services

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 60
Which of the following is NOT a function of ClearPass Onboard?

A. Configure network settings
B. Provision device credentials
C. Remote wipe & control
D. Revoke device credentials
E. Provisioning of VPN Settings

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 61
Which of the following devices support Apple over-the-air provisioning? (Choose 2)

A. Laptop running Mac OS X 10.6
B. Laptop running Mac OS X 10.8
C. iOS 5
D. Android 2.2
E. Windows XP

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 62
Refer to the screenshot below:

At which stage of the onboard process is workspace installed?

A. Pre-provisioning stage
B. Provisioning stage
C. Authentication stage
D. After authentication stage

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 63
Which of the following is true? (Choose 2)

A. Mobile Device Management is used to control device usage post-onboarding
B. Mobile Device Management is an application container that is used to provision work applications
C. Mobile Device Management cannot be deployed without Workspace
D. 3rd party Mobile Device Management solutions can be integrated with Clearpass
E. Mobile Device Management cannot do remote wipes of devices without workspace being installed

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 64
Which of the following statements is true about certificate revocation?

A. Onboard cannot revoke device certificates.
B. Revoked certificates are automatically deleted from Certificate Management.
C. When a certificate is revoked, OCSP checks for certificate validity will fail.
D. A revoked certificate becomes valid again after 24 hours.
E. Certificates can only be revoked once they expire.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 65
Which of the following statements is true about Certificate Authorities in ClearPass Onboard?

A. ClearPass cannot operate as a root CA.
B. The root CA needs to be connected to the network to perform CRL checks.
C. ClearPass Onboard CA is always configured as an Intermediate CA that is part of an Enterprise PKI.
D. ClearPass Onboard CA can operate either as a root CA, or as an Intermediate CA.
E. Clearpass cannot operate as an intermediate CA.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 66
Refer to the screenshot below:

Based on the above configuration, which of the following statements is true?

A. ClearPass is configured as a Root CA.
B. ClearPass is configured as the Intermediate CA.
C. ClearPass has an expired server certificate.
D. The arubatraining-REMOTELABSERVER-CA will issue client certificates during Onboarding.
E. This is not a valid trust chain since the arubatraining-REMOTELABSERVER-CA has a self-signed certificate.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 67
What is the certificate format PKCS #7, or .p7b, used for?

A. Certificate chain
B. Certificate Signing Request
C. Certificate with an encrypted private key
D. Binary encoded X.509 certificate
E. Binary encoded X.509 certificate with public key

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 68
Refer to the screenshot below:

This authentication method is applied to a service processing EAP-TLS authentications. Which of the following is FALSE?

A. Devices with revoked certificates will not be allowed access
B. Devices with deleted certificates will not be allowed access
C. Devices will perform OCSP check to their laptop's localhost OCSP server
D. Devices will perform OCSP check with Clearpass

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 69
Refer to the screenshot below:

Which of the following statements is correct regarding the above configuration for the private key? (Choose 2)

A. The private key is stored in the user device.
B. The private key is stored in the ClearPass server.
C. More bits in the private key will reduce security, hence smallest private key size is used.
D. More bits in the private key will increase the processing time, hence smallest private key size is used.
E. The private key for TLS client certificates is not created.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 70
Refer to the screen capture below:

An employee connects a corporate laptop to the network and authenticates for the first time using EAP-TLS. Based on the above Enforcement Policy configuration, what Enforcement Profile will be sent in this scenario?

A. Deny Access Profile
B. Onboard Post-Provisioning - Aruba
C. Onboard Pre-Provisioning Aruba
D. Cannot be determined
E. Onboard Device Repository

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 71
An Android device goes through the single-ssid onboarding process and successfully connects using EAP-TLS to the secure network. What is the order in which services are triggered?

A. Onboard Provisioning, Onboard Authorization
B. Onboard Provisioning, Onboard Authorization, Onboard Provisioning
C. Onboard Authorization, Onboard Provisioning
D. Onboard Authorization, Onboard Provisioning, Onboard Authorization
E. Onboard Provisioning

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 72
Which of the following is TRUE of dual-SSID onboarding?

A. The device connects to the secure SSID for provisioning
B. The Onboard Authorization service is triggered when the user connects to the secure SSID
C. The Onboard Provisioning service is triggered when the user connects to the Provisioning SSID
D. The Onboard Authorization service is triggered during the Onboarding process
E. The Onboard Authorization service is never triggered

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 73
Refer to the screenshot below:

Which of the following statements is correct regarding the above configuration for 'maximum devices'?

A. It limits the total number of Onboarded devices connected to the network.
B. It limits the total number of devices that can be provisioned by ClearPass.
C. It limits the number of devices that a single user can Onboard.
D. It limits the number of devices that a single user can connect to the network.
E. With this setting, the user cannot Onboard any devices.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Perfectly right answer.

QUESTION 74
In single SSID onboarding, which of the following methods can be used in the Enforcement Policy to distinguish between a provisioned device and a device that has not gone through the Onboard workflow?

A. Authentication Method used
B. Network Access Device used
C. Endpoint OS Category
D. OnGuard Agent used
E. Active Directory Attributes

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 75
A report is configured as follows:

What type of records will this report display?

A. All successful RADIUS authentications through ClearPass.
B. All failed RADIUS authentications through ClearPass.
C. All successful RADIUS authentications from the 10.8.10.100 NAD device to ClearPass.
D. All RADIUS authentications from the 10.8.10.100 NAD device to ClearPass.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 76
Refer to the screen capture. The following is seen in the Licensing tab of the Publisher after a cluster has been formed between a publisher (192.168.0.53) and subscriber (192.168.0.54):

What is the maximum number of clients that can be Onboarded on the subscriber node?

A. 1000
B. 550
C. 25
D. 525
E. 500

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 77
A guest self-registered through a Publisher's Register page. Which of the following will occur?

A. The guest's account will be stored in the Publisher's guest user repository, but not the Subscriber's.
B. The guest's account will be stored in both the Publisher's guest user repository and the Subscriber's guest user repository.
C. The guest's account will be stored in the Publisher's local user repository and the Subscriber's guest user repository.
D. The guest's account will be stored in the Publisher's guest user repository and the Subscriber's Onboard user repository.
E. The guest's account will ONLY be stored in the Publisher's guest user repository.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 78
Below is a network topology diagram:

How many clusters are needed for this deployment?

A. 1
B. 3
C. 4
D. 8
E. 2

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 79
A Publisher node in a cluster goes down and Subscribers are no longer able to reach the publisher. Which of the following is true? (Choose 2).

A. Users authenticating with the Publisher node continue to authenticate.
B. Users authenticating with the Subscriber nodes are no longer able to authenticate.
C. Users authenticating with the Publisher node are no longer able to authenticate.
D. Users authenticating with the Subscriber nodes continue to authenticate.
E. No users can authenticate to either the Publisher or Subscriber nodes.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 80
Which of the following statements is true about the Clearpass hardware appliances?

A. DHCP can be used to assign IP addresses to management and data ports.
B. Both Management and Data Ports must be configured.
C. Clearpass has a default management IP of 172.16.0.254.
D. Only static IP addresses are allowed on the management and data ports.
E. The maximum number of devices supported is 5000.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 81
UDP Port 3799 is used for RADIUS CoA (RFC 3576). This port has been blocked by a firewall between a NAD device and ClearPass. Which of the following is true?

A. RADIUS Authentications will fail since the NAD won't be able to reach the ClearPass server.
B. RADIUS Authentications will not happen since the NAD won't be able to reach the ClearPass server.
C. RADIUS Authentication will succeed, but Post-Authentication Disconnect-Requests from ClearPass to the Controller will not be delivered.
D. RADIUS Authentication will succeed, but RADIUS Access-Accept messages from ClearPass to the Controller for Change of Role will not be delivered.
E. During RADIUS authentication, certificate exchange between the NAD and Clearpass will fail.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Answer is Modified.

QUESTION 82
What is the purpose of the Serial Port in the ClearPass appliance?

A. To connect 2 ClearPass servers together in a cluster.
B. To connect a ClearPass server to a Network Access Device.
C. For administrators to configure the ClearPass appliance using the command line.
D. For administrators to configure the ClearPass appliance using the WebUI.
E. For administrators to access Clearpass using SSH.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 83
Which of the following is true about Data and Management ports on the ClearPass appliance? (Choose 2)

A. Configuration of the data port is optional.
B. Configuration of the data port is mandatory.
C. Configuration of the management port is optional.
D. Configuration of the management port is mandatory.
E. Static IP addresses are only allowed on the management port.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 84
Shown here is a AAA profile in the Aruba Controller.

According to the configuration shown here, what would we expect to see in the ClearPass Policy Manager?

A. RADIUS accounting start-stop messages
B. RADIUS interim accounting messages
C. RADIUS interim & start-stop messages
D. No accounting messages will be seen
E. RADIUS accounting messages will be sent from the Client to the Controller

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 85
Shown here is an Aruba Instant configuration screenshot

What is the purpose of enabling the 'Dynamic RADIUS proxy' feature?

A. The Instant AP will proxy all RADIUS Access-Requests sent to it from clients and will forward these to ClearPass.
B. The Instant AP will send a RADIUS Access-Reject packet to other Instant APs in the cluster if credentials are incorrect, to reduce the number of RADIUS requests sent to ClearPass.
C. All Instant APs in the cluster will use the Virtual Controller IP as the Source IP for RADIUS requests.
D. All Instant APs in the cluster will use the Virtual Controller IP as the Destination IP for RADIUS requests.
E. The Instant AP will proxy all RADIUS Access-Requests sent to it from Clearpass and will forward these to the clients.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 86
What must be configured to enable RADIUS authentication with Clearpass on a network access device (NAD)? (Choose 2)

A. An NTP server needs to be set up on the NAD.
B. A bind username and bind password must be provided.
C. A shared secret must be configured on the Clearpass server and NAD.
D. The Clearpass server must have the network device added as a valid NAD.
E. The Clearpass server certificate must be installed on the NAD.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 87
Refer to the diagram below.

In which of the following scenarios will ClearPass select the Policy Service named 'Test device group'?

A. If an end user IP address is part of the device group HQ.
B. If the IP address of the NAD device is part of the device group HQ.
C. If the ClearPass IP address is part of the device group HQ.
D. If the client's NAD IP address is part of the device group HQ.
E. If the client's Network Authentication Distribution server's IP address belongs to device group HQ.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 88
In the screenshot shown here of the Local User repository in ClearPass,

what Aruba User Role will be assigned to "mike" when he authenticates?

A. [Employee]
B. Employee
C. mike
D. We can't know this from the screenshot above
E. john

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 89
Which of the following ways are used by Clearpass to assign roles to the client? (Choose 2)

A. Through a role mapping policy.
B. Roles can be derived from the Aruba Network Access Device.
C. From the attributes configured in Active Directory.
D. From the attributes configured in a Network Access Device.
E. From the server derivation rule in the Aruba Controller server group for the client.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 90
Refer to the screen capture below:

If a user from the department "Product Management" connects on Monday to a NAD device that belongs to the Device Group HQ, what role is assigned to the user in Clearpass?

A. Executive
B. HR Local
C. Employee
D. Guest
E. Linux Hosts

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 91
Refer to the screen capture below

If a user from the department "HR" connects on Monday using their Windows Laptop to a switch that belongs to the Device Group HQ, what role is assigned to the user in Clearpass?

A. Executive
B. HR Local
C. Employee
D. Guest
E. Vendor

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 92
Refer to the screen capture below

If a user from the department "HR" connects on Monday to a switch that belongs to the Device Group Remote NAD, what roles are assigned to the user in Clearpass? (Choose 2)

A. Executive
B. Remote Employee
C. iOS Device
D. Guest
E. HR Local

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 93
Refer to the screen capture below:

What does the Cache Timeout Value refer to?

A. The amount of time the Policy Manager caches the user credentials stored in the Active Directory.
B. The amount of time the Policy Manager caches the user attributes fetched from Active Directory.
C. The amount of time the Policy Manager waits for a response from the Active Directory before sending a timeout message to the Network Access Device.
D. The amount of time the Policy Manager waits for a response from the Active Directory before checking the backup authentication source.
E. The amount of time the Policy Manager caches the user's client certificate.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 94
Refer to the screen capture below:

Based on the Attribute configuration shown above, which of the following statements is true?

A. Only the attribute values of department and memberOf can be used in role mapping policies.
B. Only the attribute values of title, telephoneNumber, mail can be used in role mapping policies.
C. Only the attribute values of company can be used in role mapping policies.
D. The attribute values of department and memberOf are directly applied as ClearPass roles.
E. The attribute values of department, title, memberOf, telephoneNumber, mail are directly applied as ClearPass roles.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 95
How is Authorization used in a Policy Service? Refer to the diagram below:

A. It allows us to use attributes stored in databases in role mapping and Enforcement.
B. It allows us to use attributes stored in databases in role mapping only, but not Enforcement.
C. It allows us to use attributes stored in databases in Enforcement only, but not role mapping.
D. It allows us to use attributes stored in external databases for Enforcement, but authorization does not use internal databases for reference.
E. It allows us to use attributes stored in internal databases for Enforcement, but authorization does not use external databases for reference.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 96
Refer to the following Service configuration:

A user connects for the first time to an Aruba access point wireless SSID named "pod8wireless-guest-SSID". The SSID has web login authentication with RADIUS MAC authentication enabled and ClearPass is the authentication server. The user hasn't yet launched their web browser.

Which service will be triggered?

A. pod8wired
B. pod8-mac auth
C. pod8wireless
D. [Policy Manager Admin Network Service]
E. No service will be triggered

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 97
Refer to the following Service configuration:

A user connects to an Aruba Access Point wireless SSID named "secure-corporate" and performs an 802.1X authentication with ClearPass as the authentication server.

Which service will be triggered?

A. pod8wired
B. pod8-mac auth
C. pod8wireless
D. [Policy Manager Admin Network Service]
E. No service will be triggered

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 98
Refer to the following Authentication sources configuration:

Which of the following scenarios is true for the above configuration?

A. If the user is not found in the local user repository a reject message is sent back to the NAD device.
B. If the user is not found in the local user repository a timeout message is sent back to the NAD device.
C. If the user is not found in the local user repository and remotelab AD, a reject message is sent back to the NAD device.
D. If the user is not found in the local user repository but is present in the remotelab AD, a reject message is sent back to the NAD device.
E. If the user is not found in the remotelab AD but is present in the local user repository, a reject message is sent back to the NAD device.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 99
Which of the following statements is true about the User databases in Clearpass?

A. Entries in the guest user DB do not expire.
B. Custom attributes can be created for entries in the user DB.
C. The endpoints table can only be populated by manually adding MAC addresses to the table.
D. A Static host list can only contain a list of IP addresses.
E. Entries in the guest user DB cannot be deleted.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 100
The screenshot below shows various Enforcement profile templates in the Policy Manager:

Which of the following best describes when SNMP based Enforcement should be used?

A. To send a VLAN to an Aruba Controller for a user.
B. To send a VLAN to an Aruba Switch for a user.
C. To send a VLAN to a NAD device that doesn't support RADIUS attributes.
D. To send a VLAN to a NAD device that doesn't support RADIUS authentication.
E. To send a VLAN to a client device that doesn't support RADIUS authentication.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 101
Refer to the following configuration for a VLAN Enforcement Policy:

Based on the Policy configuration, if an Engineer connects to the network on Saturday using WEBAUTH authentication, what VLAN will be assigned?

A. Full Access VLAN
B. Employee Vlan
C. Deny Access
D. Internet VLAN
E. There is not enough data to determine the VLAN result.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 102
Refer to the following configuration for a VLAN Enforcement Policy:

Based on the Policy configuration, if an Engineer connects to the network on Saturday using RADIUS authentication, what VLAN will be assigned?

A. Full Access VLAN
B. Employee Vlan
C. Deny Access
D. Internet VLAN
E. There is not enough data to determine the VLAN result.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 103
Refer to the following configuration for a VLAN Enforcement Policy:

Based on the profile configuration, which of the following VLANs will be assigned to the user when this profile is used?

A. VLAN 13
B. VLAN 6
C. VLAN 10
D. VLAN 1
E. VLAN 10800

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 104
Refer to the following configuration for a VLAN Enforcement Policy:

Which of the following statements is true for the above configuration?

A. This profile will be applied to requests coming from an end user in the Device Group HQ.
B. This profile will be applied to requests coming from a Network Access Device in the Device Group HQ.
C. The profile will be applied to requests processed by a ClearPass appliance in Device Group HQ.
D. This profile will be applied to all users.
E. This profile will be applied to RADIUS requests that have timed out after 10800 seconds.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 105
Which of the following statements is true about Enforcement Profiles in Clearpass?

A. The Enforcement Profile attribute value needs to match the ClearPass role value for a user.
B. Access-control attributes from an Enforcement Profile are returned to the Authentication Source.
C. Access-control attributes from an Enforcement Profile are returned to the Network Access Device.
D. Once created in the service wizard, the Enforcement Profile cannot be modified.
E. Enforcement Profiles must use RADIUS dictionary attributes only.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 106
Which of the following checks are made with OnGuard posture evaluation in Clearpass? (Choose 3)

A. Peer-to-peer application checks
B. Client role check
C. EAP TLS certificate validity
D. Registry keys
E. Operating System version

Correct Answer: ADE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 107
Refer to the screen capture below:

Based on the above Enforcement Profile configuration, which of the following statements is correct?

A. The Enforcement Profile sends an unhealthy role value to the Network Access Device.
B. The Enforcement Profile sends a limited access vlan value to the Network Access Device.
C. The Enforcement Profile sends a message to the OnGuard Agent on the client device.
D. The Enforcement Profile sends a message to the OnGuard Agent on the Controller.
E. A RADIUS CoA message is sent to bounce the client.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 108
Which of the following types of Posture Token sources are available on Clearpass? (Choose 2)

A. Posture Policy
B. Endpoint Profiler
C. Microsoft NPS Server
D. Active Directory
E. Aruba Controller

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 109
Which of the following is NOT a valid type of Posture Token?

A. Unknown
B. Healthy
C. Quarantine
D. Unhealthy
E. Infected

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 110
Refer to the screen capture below:

Based on the posture plugin configuration shown in the above screen, which of the following statements is true?

A. Check for any antivirus software enabled for all versions of Windows OS.
B. Check for any antivirus software enabled for Windows 7.
C. Check for AVG antivirus software enabled and is latest for Windows 7.
D. It is using the OnGuard dissolvable agent to perform the antivirus/antispyware checks.
E. It is using auto remediation for Windows 7 clients.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 111
A customer would like to deploy ClearPass with the following objectives: they have 2000 devices that need to be onboarded, 2000 corporate devices running posture checks daily, and 500 different guest users each day authenticating using the web login feature.

Which of the following best describes the license mix that they need to purchase?

A. CP-HW-500, 2500 Clearpass Enterprise
B. CP-HW-5k, 2500 Clearpass Enterprise
C. CP-HW-5k, 4500 Clearpass Enterprise
D. CP-HW-25k, 4500 Clearpass Enterprise
E. CP-HW-25k, 4000 Clearpass Enterprise

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 112
A customer would like to deploy ClearPass with the following objectives: they have 3000 corporate laptops doing EAP-TLS authentication daily, 1000 personal smartphone devices that need to be onboarded. The corporate laptops are required to pass a posture check before getting access to the network.

Which of the following best describes the license mix that they need to purchase?

A. CP-HW-5k, 1000 Clearpass Enterprise
B. CP-HW-5k, 1000 Onboard, 3000 Onguard
C. CP-HW-25k, 1000 Clearpass Enterprise
D. CP-HW-25k, 1000 Onboard, 3000 Onguard
E. CP-HW-25k, 3000 Onguard

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 113
A customer would like to deploy ClearPass with the following objectives: Every day, 100 employees authenticate with their corporate laptops using EAP-TLS. Every Friday, there is a meeting with business partners and an additional 50 devices authenticate using Web Login Guest Authentication.

Which of the following is correct? (Choose 2)

A. When counting policy manager licenses, they need to include the additional 50 business partner devices
B. When counting policy manager licenses, they can exclude the additional 50 business partner devices
C. They should purchase guest licenses
D. They should purchase onboard licenses
E. They should purchase onguard licenses

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 114
Which licenses are included in the built in Starter kit for Clearpass?

A. 25 ClearPass Policy Manager licenses
B. 25 Clearpass Enterprise licenses
C. 10 ClearPass Guest licenses, 10 ClearPass OnGuard licenses and 10 ClearPass Onboard licenses
D. 25 ClearPass Profiler licenses
E. 10 Clearpass Enterprise licenses

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 115
A company implemented the Self-Registration with Sponsor Approval workflow for their Guest SSID. A guest connects to the Guest SSID, then self-registers. They see the following on their client device:

Which of the following is true?

A. The Sponsor approved the guest already.
B. The Sponsor has not approved the guest yet.
C. A confirmation email was sent to the sponsor at [email protected]
D. A guest registration receipt was sent to [email protected]
E. The guest is ready to login using their username and password.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 116
Refer to the screenshot below outlining a guest Self-Registration with Sponsor Approval workflow:

At which stage is an email request sent to the sponsor?

A. After 'Redirects (1)'
B. After 'Submit form (3)'
C. After 'Login Message page (5)'
D. After 'Automated NAS login (6)'
E. After 'Guest Role (7)'

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 117
What are these RADIUS attributes used for in the Aruba RADIUS dictionary shown here?

A. To send information via RADIUS packets to clients.
B. To send information via RADIUS packets to Aruba NADs.
C. To gather information about Aruba NADs for ClearPass.
D. To gather and send Aruba NAD information to ClearPass.
E. To send CoA packets from Clearpass to the Aruba NAD.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 118
Describe the purpose of the Aruba TACACS+ dictionary as shown here:

A. The Aruba-Admin-Role attribute is used to assign different privileges to clients during 802.1X authentication.
B. The Aruba-Admin-Role attribute is used by ClearPass to assign TIPS roles to clients during 802.1X authentication.
C. The Aruba-Admin-Role attribute is used to assign different privileges to administrators logging into an Aruba NAD device.
D. The Aruba-Admin-Role attribute is used to assign different privileges to administrators logging into ClearPass.
E. The Aruba-Admin-Role on the controller is applied to users using TACACS+ to login to the Policy Manager.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Updated.

QUESTION 119
Refer to the screen capture below:

Based on the Enforcement Policy configuration shown in the capture, what Enforcement Profile will an employee connecting an iOS device to the network for the first time receive using EAP-PEAP?

A. Deny Access Profile
B. Onboard Post-Provisioning - Aruba
C. Onboard Pre-Provisioning Aruba
D. Cannot be determined
E. Onboard Device Repository

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 120
A Search was performed using Insight and the following is displayed:

What could be a possible reason for the ErrorCode 'Failed to classify request to service' shown above?

A. The user failed authentication.
B. ClearPass couldn't match the authentication request to a service, but the user passed authentication.
C. ClearPass service rules were not configured correctly.
D. ClearPass service authentication sources were not configured correctly.
E. The NAD device didn't send the authentication request.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 121
Which of the following is NOT a function of ClearPass Insight?

A. Report Generation
B. RADIUS Accounting Start-Stop messages
C. Email Alerts
D. SMS Alerts
E. Searching for RADIUS failed authentications

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 122
Refer to the screenshot below:

Why is the Insight Repository used as an authorization source for this MAC authentication service?

A. To check how long ago the last web login authentication was done
B. To check how many sessions ago the last web login authentication was done
C. To check how long ago the last MAC authentication was done
D. To run a report when the user authenticates
E. To validate the user's MAC address against the endpoints table

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 123
Below is a screenshot of a client's laptop:

What would you expect to happen next?

A. The web login page will be displayed.
B. The user will be presented with a self-registration receipt.
C. The NAD device will send an authentication request to ClearPass.
D. The client will send a NAS authentication request to ClearPass.
E. Clearpass will send a NAS authentication request to the NAD device.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 124
Below is a screenshot of a user logged in to the Self-Service Portal:

Notice the traffic received and traffic sent statistics. Which of the following is true?

A. These show the total amount of traffic the guest transmitted after account expiration, as seen through RADIUS accounting messages sent from the NAD to ClearPass.
B. These show the total amount of traffic the guest transmitted, as seen through RADIUS accounting messages sent from the NAD to ClearPass.
C. These show the total amount of traffic the NAD transmitted to ClearPass, as seen through RADIUS accounting messages from the NAD to ClearPass.
D. These show the total amount of traffic the guest transmitted, as seen through RADIUS CoA packets from the NAD to ClearPass.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 125
An administrator enabled the Pre-auth check for their guest self-registration. At what stage in the registration process is this check performed?

A. Before the user self-registers.
B. After the user self-registers; before the user logs in.
C. After the user logs in; before the NAD sends an authentication request.
D. After the user logs in; after the NAD sends an authentication request.
E. When a user is re-authenticating to the network.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 126
Which of the following statements is true about the Policy Simulation test figure shown below?

A. The simulation test result shows the roles assigned to the client by the Aruba Controller.
B. The roles assigned in the result are based on rules matched in the AD Role Mapping Policy.
C. The test verifies that a client with username test1 can authenticate using EAP-PEAP.
D. Role mapping simulation verifies if Table6 Wireless service has been configured correctly.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 127
What types of files are stored in the Local Shared Folders database in ClearPass? (Choose 2)

A. Backup Files
B. Software image
C. Log files
D. Generated Reports
E. Device fingerprint dictionaries

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 128
A University wants to deploy ClearPass with the Guest module. They have two types of users that need to use web login authentication. The first type of users are students whose accounts are in their Active Directory Server. The second type of users are friends of students who need to self-register to access the network.

How should the service be set up in the Policy Manager for this Network?

A. Create a service with the Guest User Repository as the Authentication Source and the Active Directory Server as the authorization source.
B. Create a service with the Active Directory Server as the Authentication Source and the Guest User Repository as the authorization source.
C. Create a service with the Guest User Repository and Active Directory servers as Authentication Sources.
D. Create a service with only the Guest User Repository as the authentication source, and Guest User Repository and Active Directory server as authorization sources.
E. Create a service with the Guest User Repository or Active Directory server as the single Authentication Source.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 129
Refer to the screen capture below:

Based on the Posture Policy configuration shown above, which of the following statements is true?

A. This Posture Policy can be applied to an 802.1x wired service.
B. This Posture Policy checks the health status of devices running Windows, Linux and Mac OS
C.
D. This Posture Policy can use either the persistent or dissolvable OnGuard agent to obtain the statement of health.
E. This Posture Policy checks for presence of a firewall application in Windows devices.
F. This Posture Policy checks with a Windows NPS server for posture tokens.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 130
Refer to the screen capture below:

Based on the Access Tracker output for the user shown above, which of the following statements is true?

A. A NAP agent was used to obtain the posture token for the user.
B. The authentication method used is EAP-PEAP.
C. A Healthy Posture Token was sent to the Policy Manager.
D. A RADIUS-Access-Accept message is sent back to the Network Access Device.
E. The Aruba Terminate Session enforcement profile is applied because the posture check failed.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 131
Which of the following is a benefit of ClearPass OnGuard?

A. Allows employees and other non-IT staff to create temporary accounts for Wi-Fi access.
B. Offers an easy way for users to self-configure their devices to support 802.1X authentication on wired and wireless networks.
C. Enables organizations to run advanced endpoint posture assessments.
D. Offers full self-service provisioning for personal employee owned devices.
E. Allows a receptionist in a hotel to create accounts for guest users.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference: Valid Answer.

QUESTION 132
Refer to the screen capture below:

If a user from the department "QA" authenticates from a laptop running Mac OS X, what role is assigned to the user in ClearPass?

A. iOS Device
B. Remote Employee
C. HR Local
D. Guest
E. Executive

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 133
Which of the following statements is NOT true about the configuration of Active Directory (AD) as an External Authentication Server in ClearPass?

A. ClearPass should join the AD domain when PEAP and MSCHAPv2 are used as the authentication type.
B. The bind DN for an AD can be in the administrator@domain format.
C. ClearPass cannot be a member of more than one AD domain.
D. The list of attributes fetched from the AD can be customized.
E. ClearPass nodes in a cluster can join different AD domains.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 134
Which of the following statements is NOT true about the configuration of a generic LDAP server as an External Authentication Server in ClearPass?

A. The bind DN can be in the administrator@domain format.
B. The list of attributes fetched from an LDAP server can be customized.
C. An LDAP Browser can be used to search the Base DN.
D. Multiple LDAP servers cannot be configured as authentication sources.
E. Generic LDAP servers can be used as authentication sources.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 135
What does the Posture Token QUARANTINE imply?

A. The client is compliant. However, there is an update available to remediate the client to HEALTHY state.
B. The posture of the client is unknown.
C. The client is infected and is a threat to other systems in the network.
D. The client is out of compliance.
E. The client is out of compliance, but has HEALTHY state.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 136
Which of the following statements is NOT true about OnGuard? (Choose 2)

A. It is used to identify and remove any malware/viruses.
B. It is used to ensure that Antivirus/Antispyware programs are running and are up to date as desired.
C. It supports both Windows and Mac OS X clients.
D. It only supports 802.1X authentication.
E. It supports both a persistent and web based agent.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 137
Which of the following is true for both the persistent and dissolvable versions of OnGuard? (Choose 2)

A. Ability to bounce the endpoint
B. Auto-remediation is available
C. Gather statement of health information for network authorization
D. Supports Windows, Mac OS X devices
E. They need to be installed on the client devices.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 138
Which of the following device types support Exchange ActiveSync configuration with Onboard?

A. Windows laptop
B. Apple iOS device
C. Android device
D. Mac OS X device
E. Linux Laptop

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 139
Which of the following authentication protocols can be used for authenticating Windows clients that are Onboarded? (Choose 2)

A. PEAP with MSCHAPv2
B. EAP-GTC
C. EAP-TLS
D. PAP
E. CHAP

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 140
Refer to the screenshot below:

Which of the following statements is true regarding the above configuration for network settings? (Choose 2)

A. Onboarded devices will connect to Employee_Secure SSID after provisioning.
B. Onboarded devices will connect to secure_emp SSID after provisioning.
C. Users will connect to Employee_Secure SSID for provisioning their devices.
D. Users must enter a Pre-shared key to connect to the network.
E. Users will do 802.1X authentication when connecting to the SSID.

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
