Page: 1
/ 4
Total 66 questions
Which are valid enforcement profile types? (Choose two.)
- A. ClearPass Entity Update Enforcement
- B. Aruba Script Enforcement
- C. Policy Service Enforcement
- D. RADIUS Change of Authorization (CoA)
Answer : AD
What are "known" endpoints in ClearPass?
- A. "Known" endpoints have be fingerprinted to determine their operating system and manufacturer.
- B. These are endpoints whose beacons have been detected but have never completed authentication.
- C. The label "Known" indicates rogue endpoints labeled as "friendly" or "ignore".
- D. "Known" endpoints can be authenticated based on MAC address to bypass the captive portal login.
Answer : D
Which option supports DHCP profiling for devices in a network?
- A. configuring ClearPass as a DHCP relay for the client
- B. DHCP profiling is enabled on ClearPass by default; configuration of the network access devices is not necessary
- C. enabling the DHCP server to profile endpoints and forward meta-data to ClearPass
- D. enabling DHCP relay on our network access devices so DHCP requests are forwarded to ClearPass
Answer : A
What is RADIUS Change of Authorization (CoA)?
- A. It is a mechanism that enables ClearPass to assigned a User-Based Tunnel (UBT) between a switch and controller for Dynamic Segmentation.
- B. It allows clients to issue a privilege escalation request to ClearPass using RADIUS to switch to TACACS+.
- C. It allows ClearPass to transmit messages to the Network Attached Device/Network Attached Server (NAD/NAS) to modify a userג€™s session status.
- D. It forces the client to re-authenticate upon roaming to an access point controlled by a foreign mobility controller.
Answer : C
A customer with 677 employees would like to authenticate employees using a captive portal guest web login page. Employees should use their AD credentials to login on this page.
Which statement is true?
- A. The customer needs to add second guest service in the policy manager for the guest network.
- B. The customer needs to add the AD server as an authentication source in a guest service.
- C. Employees must be taken to a separate web login page on the guest network.
- D. The customer needs to add the AD servers RADIUS certificate to the guest network.
Answer : B
What happens when a client successfully authenticates but does not match any Enforcement Policy rules?
- A. A RADIUS reject is returned for the client.
- B. A RADIUS Accept is returned with no Enforcement Profile applied.
- C. A RADIUS Accept is returned, and the default Enforcement Profile is applied.
- D. A RADIUS Accept is returned, and the default rule is applied to the device.
Answer : C
Your boss suggests configuring a guest self-registration page in ClearPass for an upcoming conference event.
What are the benefits of using guest self-registration? (Choose two.)
- A. This will allow conference employees to pre-load additional device information as guests arrive and register.
- B. This strategy effectively stops employees from putting their own corporate devices on the guest network.
- C. This will enable additional information to be gathered about guests during the conference.
- D. This allows guest users to create and manage their own login account.
- E. This will allow employee personal devices to be Onboarded to the corporate network.
Answer : AD
Which Authorization Source supports device profile enforcement?
- A. Local User Repository
- B. OnGuard Repository
- C. Endpoints Repository
- D. Guest User Repository
Answer : A
Which items can be obtained from device profiling? (Choose three.)
- A. Device Category
- B. Device Family
- C. Device Health
- D. Device Type
- E. Device Location
Answer : CDE
Which is true regarding the Cisco Device Sensor feature in ClearPass? (Choose two.)
- A. Forwards DHCP and HTTP user-agent info to ClearPass using Control and Datagram Transport Layer Security (DTLS) encapsulation.
- B. Requires the purchase of a supported Cisco Access Point licensed as an Aruba Monitor Mode AP, to then act as the sensor.
- C. Forwards DHCP and HTTP user-agent info to ClearPass using RADIUS accounting packets.
- D. Gathers raw endpoint data from Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP).
- E. Requires a Cisco Smart Net license to be installed on the Network Access Device (NAD) utilizing the feature.
Answer : DE
Which most accurately describes the "Select All Matches" rule evaluation algorithm in Enforcement Policies?
- A. Each rule is checked, and once a match is found, the Enforcement profile assigned to that rule is applied and the rule matching stops.
- B. All rules are checked, and if there is no match, no Enforcement profile is applied.
- C. All rules are checked for any matching rules and their respective Enforcement profiles are applied.
- D. Each rule is checked, and once a match is found, the Enforcement profile assigned to that rule is applied, along with the default Enforcement profile.
Answer : C
When using Guest Authentication with MAC Caching service template, which statements are true? (Choose two.)
- A. The guest authentication is provided better security than without using MAC caching.
- B. The endpoint status of the client will be treated as "known" the first time the client associates to the network.
- C. Which wireless SSID and wireless controller must be indicated when configuring the template.
- D. The client will be required to re-enter their credentials even if still within the MAC-Auth Expiry term.
Answer : AC
Refer to the exhibit.
What is true regarding leaving the indicated option "Use cached Roles and Posture attributes from previous sessions" unchecked?
- A. A posture change applied to an endpoint is going to be lost each time the client re-authenticates.
- B. The service will make the enforcement decision based upon the updated Posture regardless of caching.
- C. Posturing will no longer be evaluated in determining the enforcement policy for current or future sessions.
- D. Cached posture results are no longer stored by ClearPass but instead are saved to the endpoint of the client.
Answer : A
What are benefits of using Network Device Groups in ClearPass? (Choose two.)
- A. Network Access Devices (NADs) only require Aruba factory installed certificates to join a Network Device Group.
- B. Allows Service selection rules to match based upon which Network Device Group the Network Access Device (NAD) belongs to.
- C. A Network Access Device is must be discovered by ClearPass prior to be added to a Network Device Group.
- D. Another way to add a customizable "attribute" field to reference when processing authentication requests.
- E. Can apply to both Network Access Devices (NADs) as well as client machines as a way to filter authentication requests.
Answer : AD
30 days access 