Refer to the exhibit.
A customer has just configured a Posture Policy and the T 2 -Health check Service. Next they installed the OnGuard Agent on a test client connected to the Secure_Employee SSID. When they check Access Tracker they see many WEBAUTH requests are being triggered.
What could be the reason?
- A . The OnGuard Agent trigger the events based on changing the Health Status.
- B . The OnGuard Agent is connecting to the Data Port interface on ClearPass.
- C . TCP port 6658 is not allowed between the client and the ClearPass server.
- D . OnGuard Web-Based Health Check interval has been configured to three minutes.
Your customer has read about a feature in OnGuard for OnGuard Persistent Agent and Agentless OnGuard that can display a new Posture Results web page to notify that and users with posture results for unhealthy clients after the health check is done.
Where do you configure this option?
- A . Policy Manager > Configuration > Enforcement > Profiles > Add a new profiles with Agent Enforcement as the template, and on the Attributes tab add the new Show Posture Results in Guest Page attribute and set the value for the attribute to true.
- B . Policy Manager > Configuration > Enforcement > Profiles > Add new profile with Aruba Radius Enforcement as the template, and on the Attributes tab add the Aruba-User-Role configured with the captive portal profile mapped with default Posture Check web page URL.
- C . Policy Manager > Configuration > Services > Edit the Web-base Health Check Only service, and on the posture tab under Remediation URL add the default Quarantined Blocked web page URL and complete the service configuration by hitting save.
- D . Policy Manager > Configuration > Services > Edit the Web-base Health Check Only service, and on the posture tab enable the checkbox for the new option Show Posture Results in Guest Page and complete the service configuration by hitting save.
A customer would like to allow only the AD users with the "Manager" title from the "HO" location to Onboard their personal devices. Any other AD users should not be authorized to pass beyond the initial device provisioning page .
Which Onboard service will you use to implement this requirement?
- A . Onboard Authorization service
- B . Onboard Pre-Auth service
- C . Onboard Provisioning service
- D . Onboard CP login service
What configuration steps should you follow to add terms and conditions page on Guest seIf-registration for CPPM? (Select two).
- A . Edit the creetoraccepiterms form field in register page and change HTML section by pointing the hyperlink to the HTML file uploaded
- B . Edit the accept_terms form field in receipt page and change HTML section by pointing the hyper link to the HTML file uploaded m Guest Manager
- C . Create an HTML page with custom terms and condition and upload it to public files
under Clearpass Guest -> configuration -> content manager - D . Edit the creatoracceprterms form field in receipt page and change HTML section by pointing the hyperlink to the HTML file uploaded
- E . Create an HTML page with custom terms and condition and upload it to private files under Clearpass Guest -> configuration -> content manager
Refer to the exhibit.
When creating a new report, there is in option to send report Notifications by Email Where is the email server configured?
- A . In the ClearPass Policy Manager Messaging Setup under Administration.
- B . In the Insight report on the next screen of the report definition
- C . In the Insight Reports Interface under Administration on the sidebar menu
- D . In the ClearPass Policy Manager Endpoint Context Servers under Administration.
Refer to the exhibit.
A customer it troubleshooting a client not getting the SHV posture updated and the OnGuard agent shows the Health Status Not Known .
What could the user do to update the health status?
- A . connect using an interface that is configured as Managed Interface
- B . reinstall the OnGuard agent from the Wired interface
- C . change the Policy Manager Zone mapping and add the WIRED interface range
- D . modify the agent.conf file and add the WIRED interface to it
A customer has acquired another company that has its own Active Directory infrastructure. The 802 1X PEAP authentication works with the customer’s original Active Directory servers but the customer would like to authenticate users from the acquired company as well.
What steps are required, in regards to the Authentication Sources, in order to support this request? (Select two.)
- A . Create a new Authentication Source, type Active Directory.
- B . Create a new Authentication Source, type Generic LDAP.
- C . Add the new AD server(s) as backup into the existing Authentication Source.
- D . There is no need to join ClearPass to the new AD domain.
- E . Join the ClearPass server(s) to the new AD domain.
You have designed a ClearPass solution for an Information Technology Business Park with 50,377 concurrent sessions including the visitors. The deployment includes eight ClearPass servers handling RADIUS authentication. Guest Self-Registration. Onboard and OnGuard. CPPM1 is acting as Publisher. CPPM2 to CPPM8 are added as subscriber nodes CPPM4 is the designated Standby Publisher. Servers CPPM2 and CPPM3 will be handling the Guest and Onboard HTTPS traffic. On a few devices, Corporate users will perform username and password based authentication with Active Directory accounts and on few devices, they will be using private CA signed TLS certificates to do the authentication The customer has three Active Directories (AD1, AD2 and A03) part of Multi-Domain Forest. To provide authentication redundancy, the customer has configured multiple Virtual IP settings between ClearPass servers in a cluster.
On all the Network Access Devices (NAD), the primary authentication server is configured as the VIP IP address and the secondary authentication server rs configured as CPPM1 MGMT IP address.
Based on the information provided, which ClearPass nodes will you join to the AD domain
- A . Join CPPM1. CPPM4 to CPPM7 servers to the AD root domain
- B . Join CPPM2 to CPPM7 ClearPass servers to the AD root domain.
- C . Join all the eight ClearPass servers to AD1, AD2 and AD3 domains.
- D . Join CPPM1. CPPM4 to CPPM8 to the AD1. AD2 and AD3 domains.
Refer to the exhibit.
A customer has configured Onboard in a cluster with two nodes. All devices were onboarded in the network through node1 but those clients fail to authenticate through node2 with the error shown.
What steps would you suggest to make provisioning and authentication work across the entire cluster? (Select three)
- A . Configure the Network Settings in Onboard to trust the Policy Manager EAP certificate.
- B . Have all of the BYOO clients disconnect and reconnect to the network.
- C . Configure the Onboard Root CA to trust the Policy Manager EAP certificate root.
- D . Make sure that the EAP certificates on both nodes are issued by one common root Certificate Authority (CA).
The customer has a 19.940 loT devices connected to the network and would like to use Allow All Mac Auth to authenticate the users and enforce the action based on the condition defined with the fingerprint details of the device .
Which Authorization source would you use to decide the access of the devices?
- A . Clear Pass Profiler Database
- B . Endpoint Database
- C . Local User Database
- D . Guest Device Database
Refer to the exhibit.
You configured a new Wireless 802.1 X service for a Cisco WLC broadcasting the secure-AOM-5007 SSID. The client fails to connect to the SSIO.
Using the screenshots as a reference, how would you fix this issue?
- A . Change the service condition to Radius:lETF Calling-Station-Id EQUALS Secure-ADM-5007
- B . Update the service condition Radws:IETF Called-Stat ion-Id CONTAINS secure-AOM-5007
- C . Remove the service condition Radius:IETF Service-Type BEL0NGS_T0 Login-User (1), 2.8
- D . Make sure that the Network Devices entry for the Cisco WLC has a vendor setting of "Airespace"
Refer to the exhibit.
What could be causing the error message received on the OnGuard client?
- A . The Service Selection Rules for the service are not configured correctly
- B . The Health-Check service does not have Posture Compliance option enabled
- C . The client’s OnGuard Agent has not been configured with the correct Policy Manager Zone.
- D . There is a firewall policy not allowing the OnGuard Agent to connect to ClearPass
Your customer has recently implemented a seIf-registration portal in ClearPass Guest to be used on a Guest SSID broadcast from an Aruba controller Your customer has started complaining that the users are not able to reliably access the Internet after clicking the login button on the receipt page They tell you that the users will click the login button multiple times and after about a minute they gam access.
What could be causing this issue?
- A . The enforcement profile on ClearPass is set up with an IETF:session delay.
- B . The self-registration page is configured with a 1 minute login delay.
- C . The guest users are assigned a firewall user role that has a rate limit.
- D . The guest users are assigned multiple DNS servers delaying DNS response.
A customer has two different geographical sites deployed with two ClearPass servers in each site. Site A has the Publisher (CPPM1) and a subscriber (CPPM2) and Site B has two subscribers (CPPM3 S CPPM4) All wired and wireless authentication requests from the respective sites are handled by respective CPPMs deployed in the sites When both the CPPM servers in Site B are lost, the authentications from Site B is handled by Site A subscriber (CPPM2). To control the Multi-Master Cache flush and reduce the amount of inter-site traffic, the customer also created a new Policy Manager Zone (Zone1) The Site B CPPM3 & CPPM4 are part of Zone! and Site A CPPM2 is also mapped to Zone1 as it will act as the backup RADIUS server for Site B The corporate laptops are installed with Persistent agent to run the OnGuard check and the OnGuard settings are also mapped to the Zones The Site A corporate user subnets are mapped to default zone and the Site 6 corporate user subnets are mapped to Zone1. The customer has the following issue in the setup: The corporate clients from Site A authenticating against the CPPM2 as their Primary RADIUS server assigns Quarantine enforcement profile even though the user s health status is Healthy.
What is the cause of this issue?
- A . Multi-master cache also contains the roles and posture of the associated and unassociated clients and is shared with all members part of that Policy Manager Zone. CPPM2 belongs to Zone1 and the OnGuard setting for Site A is part of the default zone and the system health validation information is sent to one of the nodes that are part of its home zone As Posture cache for Site A hi not available with CPPMZ. it fails to apply the enforcement profile based on correct health status.
- B . Multi-master cache also contains the roles and posture of the connected clients and is shared only with the members part of that Policy Manager Zone. CPPM2 belongs to Zone1 and the OnGuard setting for Site A is part of the default zone and the OnGuard system
health validation information is sent to one of the nodes that are part of its home zone only. As Posture cache for Site A is not available with CPPM2. it fails to apply the enforcement profile based on correct health status. - C . Multi-master cache also contains the roles and posture of the connected clients and is shared across all members part of the cluster. The OnGuard setting for Site A is part of only the default zone and the system health validation information is sent to one of the nodes that are part of its home zone only As the OnGuard setting of the Site A corporate user subset is not mapped with default as well as Zone1. CPPM2 fails to apply the enforcement profile based on correct health status.
- D . Multi-master cache also contains the roles and posture of the connected clients and is shared across all members part of the cluster. The OnGuard setting for Site A is part of only the default zone and the OnGuard system health validation information is sent to one of the nodes that is part of its home zone only. As the CPPM2 is also not mapped to the default zone as well as Zone1, CPPM2 fails to apply the enforcement profile based on correct health status.
Refer to the exhibit.
A customer has configured Onboard in a cluster. After the Primary server’s failure, the BYOD devices fail to connect to the network .
Which step below is the best starting point when troubleshooting’
- A . Verify the CPPM hostname in OSCP URL under TLS authentication method is updated
to localhost instead of primary server’s hostname. - B . Reboot the active ClearPass server and reconnect the client to the SSID by selecting the correct certificate when prompted.
- C . Check if a DNS entry is available for the ClearPass hostname in the certificate, resolvable from the DNS server assigned to the client.
- D . Check EAP certificate on the secondary node is issued by the same common root Certificate Authority (CA).
A Customer has these requirements:
• 2.000 loT endpoints that use MAC authentication
• 6.000 endpoints using a mix of username/password and certificate (Corporate/BYOD) based authentication
• 1.000 guest endpoints at peak usage that use guest self-registration
• 1500 BYOD devices estimated as 3 devices per User (500 users)
• 2.500 endpoints that have OnGuard installed and connect on a daily basis
What licenses should be installed to meet customer requirements?
- A . 11.500 Access. 1.500 Onboard. 2.500 OnGuard
- B . 13.000 Access. 1.500 Onboard. 2.500 OnGuard
- C . 9.000 Access. 500 Onboard. 2.500 OnGuard
- D . 11.500 Access. 500 Onboard. 2.500 OnGuard
Where is the following information stored in Clear Pass?
– Roles and Posture for Connected Clients
– System Health for OnGuard
– Machine authentication State
– CoA session info
– Mapping of connected clients to NAS/NAD
- A . ClearPass system cache
- B . Multi-Master cache
- C . Insight database
- D . Endpoint database
When building an SNMP-based enforcement profile what option can you assign to the user as actions? (Select three).
- A . Enforce a VLAN ID for the client
- B . Set a session timeout for the client
- C . Enforce Firewall policies
- D . Send captive portal web re-direct URL
- E . ClearPass Downloadable Role
- F . Reset the connection after the settings has been pushed
The customer has configured the guest self-registration with sponsor approval. The guest users that the sponsor email and the other requested details while registering the account but the users were able to complete the authentication and access the internet without the sponsor’s approval.
What configuration settings will you check to make this setup work?
- A . Check if sponsor name field is enabled in the register form page
- B . Check if sponsor email field is enabled in the register form page
- C . Check if authentication option n is enabled in the self-registration page enabled.
- D . Check if sponsor confirmation is enabled in the self-registration page
You have configured a factory default Aruba controller with Clear Pass for guest access and the NAS vendor settings – Address field in the guest weblogin page is configured with
Aruba controller’s default self-signed certificate common name "securelogin.arubanetworks.com" that the client will use to submit the authentication request.
What happens when the client sends a DNS request to securelogin aruba networks com?
- A . The controller will intercept the ONS request sent to its HTTPS certificate common name and return its own IP address.
- B . Address field in the web login vendor settings should be set to IP address of the controller instead of certificate CN name.
- C . Client does not send the DNS request, the ClearPass resolves the hostname in the NAS vendor settings Address field.
- D . The controller will pass the request to the DNS server and server returns the IP of the controller from the DNS records.