You configure an ArubaOS-Switch to enforce 802.1X authentication with ClearPass Policy Manager (CPPM) denned as the RADIUS server Clients cannot authenticate You check Aruba ClearPass Access Tracker and cannot find a record of the authentication attempt.

What are two possible problems that have this symptom? (Select two)

A. users are logging in with the wrong usernames and passwords or invalid certificates.

B. Clients are configured to use a mismatched EAP method from the one In the CPPM service.

C. The RADIUS shared secret does not match between the switch and CPPM.

D. CPPM does not have a network device defined for the switch's IP address.

E. Clients are not configured to trust the root CA certificate for CPPM's RADIUS/EAP certificate.

What is one practice that can help you to maintain a digital chain or custody In your network?

A. Enable packet capturing on Instant AP or Moodily Controller (MC) datepath on an ongoing basis

B. Enable packet capturing on Instant AP or Mobility Controller (MC) control path on an ongoing basis.

C. Ensure that all network infrastructure devices receive a valid clock using authenticated NTP

D. Ensure that all network Infrastructure devices use RADIUS rather than TACACS+ to authenticate managers

What is a vulnerability of an unauthenticated Dime-Heliman exchange?

A. A hacker can replace the public values exchanged by the legitimate peers and launch an MITM attack.

B. A brute force attack can relatively quickly derive Diffie-Hellman private values if they are able to obtain public values

C. Diffie-Hellman with elliptic curve values is no longer considered secure in modem networks, based on NIST recommendations.

D. Participants must agree on a passphrase in advance, which can limit the usefulness of Diffie- Hell man in practical contexts.

You are configuring ArubaOS-CX switches to tunnel client traffic to an Aruba Mobility Controller (MC). What should you do to enhance security for control channel communications between the switches and the MC?

A. Create one UBT zone for control traffic and a second UBT zone for clients.

B. Configure a long, random PAPI security key that matches on the switches and the MC.

C. install certificates on the switches, and make sure that CPsec is enabled on the MC

D. Make sure that the UBT client vlan is assigned to the interface on which the switches reach the MC and only that interface.

Which attack is an example or social engineering?

A. An email Is used to impersonate a Dank and trick users into entering their bank login information on a fake website page.

B. A hacker eavesdrops on insecure communications, such as Remote Desktop Program (RDP). and discovers login credentials.

C. A user visits a website and downloads a file that contains a worm, which sell-replicates throughout the network.

D. An attack exploits an operating system vulnerability and locks out users until they pay the ransom.

How does the ArubaOS firewall determine which rules to apply to a specific client's traffic?

A. The firewall applies every rule that includes the dent's IP address as the source.

B. The firewall applies the rules in policies associated with the client's wlan

C. The firewall applies thee rules in policies associated with the client's user role.

D. The firewall applies every rule that includes the client's IP address as the source or destination.

From which solution can ClearPass Policy Manager (CPPM) receive detailed information about client device type OS and status?

A. ClearPass Onboard

B. ClearPass Access Tracker

C. ClearPass OnGuard

D. ClearPass Guest

You have been authorized to use containment to respond to rogue APs detected by ArubaOS Wireless Intrusion Prevention (WIP). What is a consideration for using tarpit containment versus traditional wireless containment?

A. Rather than function wirelessly, tarpit containment sends ARP frames over the wired network to poison rogue APs ARP tables and prevent them from transmitting on the wired network.

B. Rather than target all clients connected to rogue APs, tarpit containment targets only authorized clients that are connected to a rogue AP, reducing the chance of negative effects on neighbors.

C. Tarpit containment does not require an RF Protect license to function, while traditional wireless containment does.

D. Tarpit containment forms associations with clients to enable more effective containment with fewer disassociation frames than traditional wireless containment.

You have an Aruba solution with multiple Mobility Controllers (MCs) and campus APs. You want to deploy a WPA3-Enterprise WLAN and authenticate users to Aruba ClearPass Policy Manager (CPPM) with EAP-TLS.

What is a guideline for ensuring a successful deployment?

A. Avoid enabling CNSA mode on the WLAN, which requires the internal MC RADIUS server.

B. Ensure that clients trust the root CA for the MCs’ Server Certificates.

C. Educate users in selecting strong passwords with at least 8 characters.

D. Deploy certificates to clients, signed by a CA that CPPM trusts.

What is an Authorized client as defined by ArubaOS Wireless Intrusion Prevention System (WIP)?

A. a client that has a certificate issued by a trusted Certification Authority (CA)

B. a client that is not on the WIP blacklist

C. a client that has successfully authenticated to an authorized AP and passed encrypted traffic

D. a client that is on the WIP whitelist.

What is one way that WPA3-Enterprise enhances security when compared to WPA2-Enterprise?

A. WPA3-Enterprise implements the more secure simultaneous authentication of equals (SAE), while WPA2-Enterprise uses 802.1X.

B. WPA3-Enterprise provides built-in mechanisms that can deploy user certificates to authorized end-user devices.

C. WPA3-Enterprise uses Diffie-Hellman in order to authenticate clients, while WPA2-Enterprise uses 802.1X authentication.

D. WPA3-Enterprise can operate in CNSA mode, which mandates that the 802.11 association uses secure algorithms.

You are deploying a new wireless solution with an Aruba Mobility Master (MM). Aruba Mobility Controllers (MCs), and campus APs (CAPs). The solution will include a WLAN that uses Tunnel for the forwarding mode and WPA3-Enterprise for the security option.

You have decided to assign the WLAN to VLAN 301, a new VLAN. A pair of core routing switches will act as the default router for wireless user traffic.

Which links need to carry VLAN 301?

A. only links in the campus LAN to ensure seamless roaming

B. only links between MC ports and the core routing switches

C. only links on the path between APs and the core routing switches

D. only links on the path between APs and the MC