Deck 16: Aruba Certified ClearPass Professional (ACCP) V6.7

A) Upgrade Client Match as part of a global software upgrade, and upgrade AirMatch separately as a loadable service module (LSM).
B) Upgrade Client Match and AirMatch separately as loadable service modules (LSMs).
C) Upgrade AirMatch and Client Match through a global software upgrade.
D) Upgrade AirMatch as part of a global software upgrade, and upgrade Client Match separately as a loadable service module (LSM).

A) An AM detects threats such as rogue APs, while an SA analyzes RF conditions.
B) An AM detects rogue APs and provides data services to clients, while an SA only detects rogue APs.
C) An AM scans on only one 802.11 frequency band, while an SA scans on both 802.11 frequency bands.
D) An AM both detects wireless intrusion attempts and mitigates them, while an SA only detects wireless intrusion attempts.

A) 802.11a
B) 802.11ac
C) 802.11g
D) 802.11n

A) In the master-local architecture, traffic is tunneled to a local Mobility Controller (MC) to handle. In a MM architecture, all traffic is tunneled to the MM to handle.
B) In the master-local architecture, all traffic is tunneled to the master controller to handle. In a MM architecture, all traffic is tunneled to the MM to handle.
C) In both architectures, traffic is tunneled to a Mobility Controller (MC) to handle.
D) In both architectures, APs forward corporate user traffic locally and tunnel guest user traffic to a Mobility Controller (MC) to handle.

A) The configuration is not deployed.
B) The WLAN is configured at a lower level in the Managed Network hierarchy.
C) The Mobility Master (MM) does not have an active PEFNG license.
D) The WLAN is configured as a hidden SSID.

A) Set up MAC Authentication on the WLAN.
B) Set up Machine Authentication on the WLAN.
C) Import the computer names from AD to the MM internal database.
D) Bind individual Mobility Controllers (MCs) to AD at the device level.

A) It sends all user traffic in a GRE tunnel to a central Mobility Controller (MC), and it sends control traffic in an IPsec tunnel to the controller.
B) It sends user and control traffic in two separate IPsec tunnels to the Mobility Controller (MC).
C) It sends all employee and control traffic in a GRE tunnel to a central Mobility Controller (MC), and it bridges all guest traffic locally.
D) It sends traffic designed to the corporate network in an IPsec tunnel to a central Mobility Controller (MC), and it bridges other traffic locally.

A) Move the user any svc-dhcp permit rule to the bottom of the list. Move the user any svc-dhcp permit rule to the bottom of the list.
B) Remove the deny rule from the policy. Remove the deny rule from the policy.
C) Use the correct service alias in the user any svc-dhcp permit rule. Use the correct service alias in the rule.
D) Change user to any in the user any svc-dhcp permit rule. Change user to any in the

A) the top banner
B) the MM Maintenance pages
C) the Performance dashboard
D) the Potential issues dashboard

A) Virtual AP
B) SSID
C) AAA
D) L2 Authentication

A) to check license usage and determine the need for additional licenses
B) to generate reports about traffic patterns and network usage over the past several months
C) to view system usage statistics for the MM and troubleshoot potential issues
D) to analyze short term trends in network usage by client, AP, and application

A) Performance
B) Network
C) Traffic Analysis
D) Security

A) No APs broadcast the SSID. Clients cannot connect to the WLAN until administrators activate it.
B) APs in the default group broadcast the SSID. Clients can connect to the WLAN on APs in any group.
C) No APs broadcast the SSID. Clients can connect to the WLAN on APs in the default group only.
D) APs in the default group broadcast the SSID. Clients can connect to the WLAN on APs in the default group only.

A) redirection of guests to an external captive portal
B) customization of the internal captive portal login page
C) addition of custom rules to control access for authenticated guests
D) provision of DHCP services to unauthenticated guests

A) Assign switch ports connected to APs to VLANs associated with the desired subnets.
B) Set the VLANs associated with desired subnets in the WLAN settings.
C) Configure firewall policies that permit the desired subnet, and add them to the initial role for the WLAN.
D) In the WLAN settings, configure User role rules with the desired subnet addresses as match criteria.

A) cellular phone
B) AP operating on channel 11
C) wireless security camera operating on channel 8
D) weather radar

A) with AirMatch
B) with Rule Based Client Match
C) with legacy ARM
D) with legacy Client Match

A) It synchronizes the configuration with templates on Aruba AirWave.
B) It removes any commands that are not supported on that MC or have dependency errors.
C) It obtains the current configuration, encrypts it, and backs it up to a secure archive.
D) It encrypts the configuration to be deployed and backs it up to a secure archive.

A) 802.1X authentication always authenticates the wireless client, while captive portal authentication always authenticates the wireless user.
B) 802.1X authentication is typically implemented without encryption, while captive authentication is often combined with WPA or WPA2.
C) 802.1X authentication occurs at Layer 2, while captive portal authentication occurs at Layer 3.
D) 802.1X authentication must use an LDAP server, while captive portal authentication can use a RADIUS server or an LDAP server.

A) Authorization Source
B) Enforcement
C) Profiler
D) Role Mapping Policy
E) Posture

A) 40 AP licenses on the MM and no licenses on the MC
B) 400 AP licenses on the MM and no licenses on the MC
C) 800 AP licenses on each MC and no licenses on the MM
D) 800 AP licenses on the MM and 40 AP licenses on each MC

A) The MC maintains its current licenses for 30 days.
B) The MC loses all licenses and cannot support APs or clients.
C) The MC contacts Aruba Activate and uses the licensing limits defined there.
D) The MC maintains only licenses that have been locally installed on it.

A) They will use WPA2-PSK with AES when connecting to the SSID.
B) They will to Employee_Secure SSID for provisioning their devices.
C) They will to Employee_Secure SSID after provisioning.
D) They will perform 802.1 authentication when connecting to the SSID.
E) They will connect to secure_emp SSID after provisioning.

A) users who have connected to the SSID, but have not yet attempted authentication
B) users who successfully authenticate and are assigned to the default role by the RADIUS server
C) users who successfully authenticate and are not assigned a different role by the RADIUS server
D) users who fall authentication

A) The Onboard Authorization service is triggered when the user connects to the secure SSID.
B) The Onboard Authorization service is triggered during the Onboarding process.
C) The Onboard Authorization service is never triggered.
D) The device connects to the secure SSID for provisioning.
E) The Onboard Provisioning service is triggered when the user connects to the provisioning SSID to Onboard their device.

A) Onguard uses TACACS so an additional service must be created.
B) 802.1x is already secure so Onguard is not needed.
C) Health Checks can't be used with 802.1x.
D) Onguard uses RADIUS so an additional service must be created.
E) Onguard uses HTTPS so an additional service must be created.

A) Configuration of the Enforcement Policy.
B) An error in the role mapping policy.
C) Failure to select an appropriate authentication method for the authentication request.
D) Implementation of a firewall policy on ClearPass.
E) Failure to find an appropriate service to process the authentication request.

A) It permits them to send any DHCP traffic and DNS and web traffic to the Internet. It redirects web traffic destined to the private network to a login portal.
B) It does not permit them to send any traffic until they are authenticated.
C) It permits them to send any DHCP and DNS traffic, and it redirects all web traffic to a login portal.
D) It permits them to send any DHCP and RADIUS traffic. It redirects all web traffic destined to the Internet to a login portal and drops web traffic destined to the private network.

A) Radio PHY of HT 20MHz
B) Goodput data rate of 12Mbps
C) Max speed of 72Mbps
D) Usage of 10 MB

A) when the MM detects that a different channel has significant better quality
B) when the AP detects a large amount of interference on its channel
C) when the Mobility Controller (MC) detects a rogue AP on the channel
D) when the Client Match rules indicate that nearby clients do not support the current channel

A) to ensure server certificate validation does not fail due to client clock sync issues
B) to set expiry time in client certificate to a few minutes longer that the default setting
C) to adjust clock time on client device to a few minutes before current time
D) to ensure client certificate validation does not fail due to client clock sync issues
E) to set start time in client certificate to a few minutes before current time

A) It denies both packets.
B) It denies the packet from Client 1 and permits the packet from Client 2.
C) It permits both packets.
D) It permits the packet from Client 1 and denies the packet from Client 2.

A) Enforcement Policy
B) Posture token derivation
C) Role Mapping
D) Endpoint Profiler
E) Chained simulation

A) The attribute values of department, title, memberOf, telephoneNumber, mail are directly applied as ClearPass roles.
B) The attribute values of department and memberOf are directly applied as ClearPass roles.
C) Only the attribute value of company can be used in role mapping policies, not other attributes.
D) Only the attribute value of department and memberOf can be used in role mapping policies.
E) Only the attribute value of title, memberOf, telephoneNumber can be used in role mapping policies.

A) Entries in the guest user database do not expire.
B) A Static host list can only contain a list of IP addresses.
C) Entries in the guest user database can be deleted.
D) Entries in the local user database cannot be modified.
E) The endpoints database can only be populated by manually adding MAC addresses to the table.

A) If the user is not found in the local user repository and remotelab AD, a reject message is sent back to the NAD.
B) If the user is not found in the local user repository but is present in the remotelab AD, a reject message is sent back to the NAD.
C) If the user is not found in the local user repository, a reject message is sent back to the NAD.
D) If the user is not found in the remotelab AD but is present in the local user repository, a reject message is sent back to the NAD.

A) These show the total amount of traffic the guest transmitted, as seen through RADIUS CoA packets from the NAD to ClearPass.
B) These show the total amount of traffic the NAD transmitted to ClearPass, as seen through RADIUS accounting messages from the NAD to ClearPass.
C) These show the total amount of traffic the guest transmitted after account expiration, as seen through RADIUS accounting messages sent from the NAD to ClearPass.
D) These show the total amount of traffic the guest transmitted, as seen through RADIUS CoA packets from the client to ClearPass.
E) These show the total amount of traffic the guest transmitted, as seen through RADIUS accounting messages sent from the NAD to ClearPass.

A) Run a Traffic Analysis report on the MM.
B) Add Aruba AirWave to the solution.
C) Enable archival from the MM interface Maintenance windows.
D) Make sure that MM has sufficient AppRF licenses.

A) Onboard Provisioning, Onboard Authorization, Onboard Pre-Auth
B) Onboard Authorization, Onboard Provisioning, Onboard Authorization
C) Onboard Provisioning, Onboard Pre-Auth, Onboard Authorization
D) Onboard Provisioning, Onboard Authorization, Onboard Provisioning
E) Onboard Provisioning, Onboard Pre-Auth, Onboard Authorization, Onboard Provisioning