NEW QUESTION 1
Which authentication method requires a client certificate?

• A. PEAP
• B. Guest serf-registration
• C. EAP-TLS
• D. MAC Authentication

Answer: C

NEW QUESTION 2
A customer is setting up Guest access with ClearPass. They are considering using 802.1X for both the
Employee network and the Guest network. What are two issues the customer may encounter when deploying 802.1X with the Guest network? (Select two)

• A. the lack of encryption during the authentication process
• B. ClearPass win not be able to enforce individual Access Control policies.
• C. the high level of complexity for users to join the guest network
• D. Guests will not be able to be uniquely identified.
• E. difficult to maintain in an environment with a large number of transient guest users

Answer: CE

NEW QUESTION 3
Which must be taken into account if a customer wants to use the DHCP collector with 802.1X authentication?

• A. Because DHCP fingerprinted is a Layer-3 function, it cannot t>e used with an 802 1X authentication service.
• B. The client needs to be granted limited access before the enforcement policy can take into account the device type
• C. When a client sends an authentication request to ClearPass, the profiler will also gather DHCPinformation
• D. The client needs to connect to an open network first to be profiled, then shifted to the secure 802.1x network.

Answer: C

NEW QUESTION 4
What are two ways to add guest accounts to ClearPass? (Select two.)

• A. Using the "Import Accounts" under ClearPass Guest
• B. Using the "Create Account" or "Create Multiple'' options under ClearPass Guest
• C. Assigning the default role "Lobby Ambassador to a receptionist to then add the accounts
• D. Using the "Sync Accounts'' under ClearPass Guest
• E. importing accounts from Active Directory once ClearPass is added with Admin credentials

Answer: AB

NEW QUESTION 5
When ClearPass is communicating with external context servers, which connection protocol is typically used?

• A. YAML
• B. SOAP and XML
• C. REST APIs over HTTPS
• D. FTP over SSH

Answer: B

NEW QUESTION 6
Which option supports DHCP profiling for devices in a network?

• A. configuring ClearPass as a DHCP relay for the client
• B. DHCP profiling is enabled on ClearPass by default; configuration of the network access devices is not necessary
• C. enabling the DHCP server to profile endpoints and forward meta-data to ClearPass
• D. enabling DHCP relay on our network access devices so DHCP requests are forwarded to ClearPass

Answer: A

NEW QUESTION 7
Which option support DHCP profiling for devices in a network?

• A. enabling DHCP relay on our network access devices so DHCP requests are forwarded to ClearPass
• B. enabling the DHCP server to profile endpoints and forward meta-data to ClearPass
• C. DHCP profiling is enabled on ClearPass by default configuration of the network access devices is not necessary
• D. configuring ClearPass as a DHCP relay for the client

Answer: A

NEW QUESTION 8
What is RADIUS Change of Authorization (CoA)?

• A. It allows ClearPass to transmit messages to the Network Attached Device/Network Attached Server (NAD/NAS) to modify a user’s session status
• B. It allows clients to issue a privilege escalation request to ClearPass using RADIUS to switch to TACACS+
• C. It is a mechanism that enables ClearPass to assigned a User-Based Tunnel (UBT) between a switch and controller for Dynamic Segmentation
• D. It forces the client to re-authenticate upon roaming to an access point controlled by a foreign mobility controller.

Answer: A

Explanation:
Referencehttp://www.arubanetworks.com/techdocs/ClearPass/Aruba_CPPMOnlineHelp/Content/CPPM_UserG

NEW QUESTION 9
What happens when a client successfully authenticates but does not match any Enforcement Policy rules?

• A. A RADIUS Accept is returned and the default Enforcement Profile is applied.
• B. A RADIUS reject is returned for the client.
• C. A RADIUS Accept is retuned, and the default rule is applied to the device.
• D. A RADIUS Accept is returned with no Enforcement Profile applied

Answer: A

NEW QUESTION 10
Your boss suggests configuring a guest self-registration page in ClearPass for an upcoming conference event. What are the benefits of using guest serf-registration'? (Select two)

• A. This will allow conference employees to pre-load additional device information as guests arrive and register.
• B. This strategy effectively stops employees from putting their own corporate devices on the guest network.
• C. This will enable additional information to be gathered about guests during the conference.
• D. This allows guest users to create and manage their own login account.D18912E1457D5D1DDCBD40AB3BF70D5D
• E. This will allow employee personal devices to be Onboarded to the corporate network

Answer: AD

NEW QUESTION 11
Which Authorization Source support device profile enforcement?

• A. Local user Repository
• B. Endpoint Repository
• C. OnGuard Repository
• D. Gust User Repository

Answer: A

NEW QUESTION 12
Refer to the Endpoint in the screenshot.

What are possible ways that it was profiled? (Select two)

• A. Cisco Device Sensor
• B. Exchange Plugging agent
• C. 3rd part MDM
• D. DNS fingerprinting
• E. NAD ARP listening handler

Answer: CE

NEW QUESTION 13
Refer to the exhibit.

what will be the enforcement for the user "neil"?

• A. Corp Secure Contractor
• B. Allow Full Access
• C. Secure Corp BYOD Access
• D. Allow internet Only Access

Answer: B

NEW QUESTION 14
Which two are required to add a Network Access Device (NAD) into ClearPass? (Select two.)

• A. ClearPass Admin login credentials
• B. SSH password
• C. Shared Secret
• D. HTTPS certificate
• E. NAD IP address

Answer: CE

NEW QUESTION 15
A customer with 985 employees would like to authenticate employees using a captive portal guest web login page Employees should use their AD credentials to login on this page
Which statement is true?

• A. The customer needs to add second guest service in the policy manager for the guest network.
• B. The customer needs to add the AD server as an authentication source in a guest service
• C. Employees must be taken to a separate web login page on the guest network
• D. The customer needs to add the AD servers RADIUS certificate to the guest network.

Answer: B

NEW QUESTION 16
Which Authorization Source supports device profile enforcement?

• A. OnGuard Repository
• B. Endpoints Repository
• C. Guest User Repository
• D. Local User Repository

Answer: D

NEW QUESTION 17
Which are valid enforcement profile types? (Select two)

• A. Policy Service Enforcement
• B. RADIUS Change of Authorization (CoA)
• C. Aruba Script Enforcement
• D. ClearPass Entity Update Enforcement

Answer: BD

NEW QUESTION 18
What is a function of the posture token in ClearPass OnGuard? (Select two )

• A. Identifies clients that are not security compliant
• B. Initiates the Auto-Remediation process
• C. Controls access to network resources
• D. Denies access to unhealthy clients
• E. indicates the Health Status of the Client

Answer: CD

NEW QUESTION 19
Aruba self-registration with sponsorship is a solution best applied to which type of network?

• A. a chain of auto part stores where employees are assigned mobile devices using a Mobile Device Manager (MDM) and public wireless is available for customers
• B. a large corporate environment with hundreds of contractors requiring wireless access to printers and internet but no other guest access is allowed
• C. a hotel where hundreds of guests are checked in and out of the building daily that may want access to wireless internet
• D. a chain of coffee shops using in a public downtown area with a high amount of guest turnover needing access to public wireless

Answer: B

NEW QUESTION 20
When using Guest Authentication with MAC Caching service template, which statements are true? (Select two.)

• A. The guest authentication is provided better security than without using MAC caching
• B. The guest authentication is provided better security than without using MAC caching
• C. The endpoint status of the client will be treated as "known" the first time the client associates to the network
• D. Which wireless SSID and wireless controller must be indicated when configuring the template
• E. The client will be required to re-enter their credentials even if still within the MAC-Auth Expiry term

Answer: AD

NEW QUESTION 21
What is an effect of the Cache Timeout setting on the authentication source settings for Active Directory?

• A. ClearPass will validate the user credentials, then, for the duration of the cach
• B. ClearPass will just fetchaccount attributes.
• C. The Cache Timeout is designed to reduce the amount of traffic between ClearPass and the A/D server by caching the credentials
• D. The Cache Timeout is designed to reduce the amount of traffic between ClearPass and the A/D server by caching the attributes.
• E. ClearPass will validate the user credentials on the first attempt, then will always fetch the account attributes

Answer: C

Explanation:
https://community.arubanetworks.com/blogs/arunkumar1/2020/10/20/what-is-the-differencebetween- authentication-cache-timeout-and-machine-authentication-cache-timeout

NEW QUESTION 22
What is true regarding Posturing and Profiling?

• A. Both Posturing and Profiling describe the same thing, what is the health of the client endpoinst?
• B. Profiling describes categorizing the user based on their department while Posturing validates the user as authenticated
• C. Posturing and Profiling are role assignments in ClearPass used internally to map to enforcement policies.
• D. Profiling is the act of identifying the endpoint type while Posturing is assigning a status as to the health of the endpoint

Answer: A

NEW QUESTION 23
An organization has configured guest self-registration with internal sponsorship Which options can be configured to send guest users their credentials outside of the initial login web-page? (Select two )

• A. Configure a Short Message Service (SMS) Gateway under ClearPass Guest configuration.
• B. Configure the self-registration page for the guest to receive a Simple Mali Transport Protocol (SMTP) receipt
• C. Configure a Short Message Service (SMS) Gateway in ClearPass Policy Manager administration.
• D. Configure a Simple Mail Transport Protocol (SMTP) server in ClearPass Guest administration.
• E. Configure a Simple Man Transport Protocol (SMTP) server in ClearPass Policy Manager administration

Answer: BE

NEW QUESTION 24
Which items can be obtained from device profiling'? (Select three )

• A. Device Category
• B. Device Family
• C. Device Health
• D. Device Type
• E. Device Location

Answer: CDE

NEW QUESTION 25
When should a role mapping policy be used in an 802.1x service with Active Directory as the authentication source?

• A. When you want to match Active Directory attributes directly to an enforcement policy.
• B. When you want to enable attributes as roles directly without combining multiple attributes
• C. When you want to translate and combine Active Directory attributes into ClearPass roles.
• D. When you want to match Active Directory attributes to a Aruba firewall role on a Aruba Network Access Device.

Answer: A

NEW QUESTION 26
......