HPE6-A78 Exam Dumps - Aruba Certified Network Security Associate Exam

In the context of ArubaOS Wireless Intrusion Prevention System (WIP), an authorized client is defined as a client that has successfully authenticated to an authorized Access Point (AP) and has passed encrypted traffic. This ensures that only clients which have been verified and authenticated according to the network's security policies are allowed to access network resources. Authentication typically involves credentials that are validated by a server, confirming the client's right to access the network securely.

If Access-Reject records are not showing up in the CPPM Access Tracker, one action you can take is to ensure that the CPPM cluster settings are configured to display Access-Rejects. Cluster-wide settings in CPPM can affect which records are visible in Access Tracker. Ensuring that these settings are correctly configured will allow you to view all relevant authentication records, including Access-Rejects.

When dealing with a failed 802.1X authentication attempt to a WLAN enforced by Aruba ClearPass Policy Manager (CPPM) where no record of the attempt is seen in ClearPass Access Tracker, a good next troubleshooting step is to check the CPPM Event Viewer. Since you are able to successfully ping from the Mobility Controller to CPPM, this indicates that there is network connectivity between these two devices. The lack of a record in Access Tracker suggests that the issue may not be with the RADIUS/EAP certificate or user credentials, but possibly with the ClearPass service itself or its reception of authentication requests. The Event Viewer can provide detailed logs that might reveal internal errors or misconfigurations within CPPM that could prevent it from processing authentication attempts properly.

ClearPass Policy Manager (CPPM) can receive detailed information about client device type, OS, and status from ClearPass OnGuard. ClearPass OnGuard is part of the ClearPass suite and provides posture assessment and endpoint health checks. It gathers detailed information on the status and security posture of devices trying to connect to the network, such as whether antivirus software is up to date, which operating system is running, and other details that characterize the device's compliance with the network's security policies.

Control Plane Policing (CoPP) on Aruba switches is used to mitigate Denial of Service (DoS) attacks on the switch. CoPP allows network administrators to restrict the impact of control plane traffic on the switch's CPU, thereby protecting network stability and integrity. By setting rate limits and specifying allowed traffic types, administrators can prevent malicious or malformed packets from overwhelming the switch's control plane, which could otherwise lead to a DoS condition and potentially disrupt network operations. This use case of CoPP is detailed in Aruba's network management documentation, where best practices and configurations to protect against DoS attacks are discussed.

The scenario involves AOS-CX switches tunneling client traffic to an HPE Aruba Networking Mobility Controller (MC) in an AOS-8 architecture. The MC will apply firewall policies and perform deep packet inspection (DPI) on the tunneled traffic. The MC is dedicated to receiving traffic from the AOS-CX switches, and there are 114 employees (implying 114 potential clients). The question asks about the licensing requirements for the MC.

Tunneling from AOS-CX Switches to MC: In this setup, the AOS-CX switches act as Layer 2 devices, tunneling client traffic to the MC using a mechanism like GRE or VXLAN (though GRE is more common in AOS-8). The MC treats the tunneled traffic as if it were coming from wireless clients, applying firewall policies and DPI.

Licensing in AOS-8:

AP License (Access Point License): Required for each AP managed by the MC. Since the scenario involves AOS-CX switches tunneling traffic, not APs, AP licenses are not required.

PEF License (Policy Enforcement Firewall License): Required to enable the stateful firewall and DPI features on the MC. The PEF license is based on the number of devices (e.g., switches, APs) or users that the MC processes traffic for. In this case, the MC is processing traffic from AOS-CX switches, and the license is typically per switch (not per user or employee).

WCC License (Web Content Classification License): An optional license that enhances DPI by enabling URL-based filtering and web content classification. This is not mentioned as a requirement in the scenario.

Option A, "One PEF license per switch," is correct. Since the MC is dedicated to receiving traffic from the AOS-CX switches, and the MC will apply firewall policies and DPI, a PEF license is required. In AOS-8, when switches tunnel traffic to an MC, the PEF license is typically required per switch (not per user). With 114 employees, the number of switches is not specified, but the licensing model is per switch, so one PEF license per switch is needed.

Option B, "One PEF license per switch, and one WCC license per switch," is incorrect. While a PEF license is required, a WCC license is not mentioned as a requirement. WCC is for advanced web filtering, which is not specified in the scenario.

Option C, "One AP license per switch," is incorrect. AP licenses are for managing APs, not switches. Since the scenario involves switches tunneling traffic, not APs, AP licenses are not required.

Option D, "One AP license per switch, and one PEF license per switch," is incorrect for the same reason as Option C. AP licenses are not needed, but the PEF license per switch is correct.

The HPE Aruba Networking AOS-8 8.11 User Guide states:

"The Policy Enforcement Firewall (PEF) license is required on the Mobility Controller to enable stateful firewall policies and deep packet inspection (DPI). When AOS-CX switches tunnel client traffic to the MC for firewall processing, a PEF license is required for each switch. The license is based on the number of devices (e.g., switches) sending traffic to the MC, not the number of users. For example, if 10 switches tunnel traffic to the MC, 10 PEF licenses are required." (Page 375, Licensing Requirements Section)

Additionally, the HPE Aruba Networking Licensing Guide notes:

"PEF licenses on the Mobility Controller are required for firewall and DPI features. In deployments where switches tunnel traffic to the MC, the PEF license is typically per switch. AP licenses are not required unless the MC is managing APs. The Web Content Classification (WCC) license is optional and only needed for advanced URL filtering, which is not required for basic DPI." (Page 15, PEF Licensing Section)

The Match method 'Eth-Wired-Mac-Table' suggests that the BSSID of the rogue AP has been found in the Ethernet (wired) MAC address table of the network infrastructure. This means the AP is physically connected to the LAN. If the BSSID does not match the company's authorized APs, it implies the AP is unauthorized and hence classified as a rogue.

In a wireless network deployment with Aruba Mobility Master (MM), Mobility Controllers (MCs), and Campus APs (CAPs), where a WLAN is configured to use Tunnel mode for forwarding, the user traffic is tunneled from the APs to the MCs. VLAN 301, which is assigned to the WLAN, must be present on the links from the MCs to the core routing switches because these switches act as the default router for the wireless user traffic. It is not necessary for the VLAN to be present on all campus LAN links or AP links, only between the MCs and the core routing switches where the routing for VLAN 301 will occur.