Refer to the scenario.A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).Switches are using local port-access policies.The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the “eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.The plan for the enforcement policy and profiles is shown below:The gateway cluster has two gateways with these IP addresses:• Gateway 1o VLAN 4085 (system IP) = 10.20.4.21o VLAN 20 (users) = 10.20.20.1o VLAN 4094 (WAN) = 198.51.100.14• Gateway 2o VLAN 4085 (system IP) = 10.20.4.22o VLAN 20 (users) = 10.20.20.2o VLAN 4094 (WAN) = 198.51.100.12• VRRP on VLAN 20 = 10.20.20.254The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.You are setting up the UBT zone on an AOS-CX switch.Which IP addresses should you define in the zone?
Refer to the scenario.A customer requires these rights for clients in the “medical-mobile” AOS firewall role on Aruba Mobility Controllers (MCs):Permitted to receive IP addresses with DHCPPermitted access to DNS services from 10.8.9.7 and no other serverPermitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22Denied access to other 10.0.0.0/8 subnetsPermitted access to the InternetDenied access to the WLAN for a period of time if they send any SSH trafficDenied access to the WLAN for a period of time if they send any Telnet trafficDenied access to all high-risk websitesExternal devices should not be permitted to initiate sessions with “medical-mobile” clients, only send return traffic.The exhibits below show the configuration for the role.There are multiple issues with this configuration. What is one change you must make to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example, “medical-mobile” rule 1 is “ipv4 any any svc-dhcp permit,” and rule 8 is “ipv4 any any any permit”.)
A company has an Aruba ClearPass server at 10.47.47.8, FQDN radius.acnsxtest.local. This exhibit shows ClearPass Policy Manager's (CPPM's) settings for an Aruba Mobility Controller (MC).The MC is already configured with RADIUS authentication settings for CPPM, and RADIUS requests between the MC and CPPM are working. A network admin enters and commits this command to enable dynamic authorization on the MC: aaa rfc-3576-server 10.47.47.8But when CPPM sends CoA requests to the MC, they are not working. This exhibit shows the RFC 3576 server statistics on the MC:How could you fix this issue?
Refer to the scenario.A customer requires these rights for clients in the “medical-mobile” AOS firewall role on Aruba Mobility Controllers (MCs):Permitted to receive IP addresses with DHCPPermitted access to DNS services from 10.8.9.7 and no other serverPermitted access to all subnets in the 10.1.0.0/16 range except denied access to 10.1.12.0/22Denied access to other 10.0.0.0/8 subnetsPermitted access to the InternetDenied access to the WLAN for a period of time if they send any SSH trafficDenied access to the WLAN for a period of time if they send any Telnet trafficDenied access to all high-risk websitesExternal devices should not be permitted to initiate sessions with “medical-mobile” clients, only send return traffic.The exhibits below show the configuration for the role.What setting not shown in the exhibit must you check to ensure that the requirements of the scenario are met?
Refer to the scenario.A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).Switches are using local port-access policies.The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the “eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.The plan for the enforcement policy and profiles is shown below:The gateway cluster has two gateways with these IP addresses:• Gateway 1o VLAN 4085 (system IP) = 10.20.4.21o VLAN 20 (users) = 10.20.20.1o VLAN 4094 (WAN) = 198.51.100.14• Gateway 2o VLAN 4085 (system IP) = 10.20.4.22o VLAN 20 (users) = 10.20.20.2o VLAN 4094 (WAN) = 198.51.100.12• VRRP on VLAN 20 = 10.20.20.254The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.Assume that you have configured the correct UBT zone and port-access role settings. However, the solution is not working.What else should you make sure to do?
You are designing an Aruba ClearPass Policy Manager (CPPM) solution for a customer. You learn that the customer has a Palo Alto firewall that filters traffic between clients in the campus and the data center.Which integration can you suggest?
