HP HPE6-A78 - Aruba Certified Network Security Associate Exam

For an ArubaOS-CX switch enforcing 802.1X on a port without any fallback options or port-access roles configured, and where the supplicant on the connected client has not completed authentication, the only type of traffic the authenticator accepts from the client is EAP (Extensible Authentication Protocol). EAP is a universal authentication framework used in 802.1X for message exchange during the authentication process. The switch allows EAP packets because they are necessary for the client and the authentication server to perform the authentication process. This is standard behavior for 802.1X authenticators, which is to permit EAP traffic to pass through even before authentication is successful to facilitate the authentication exchange. This information is supported by the IEEE 802.1X standard and ArubaOS-CX security configuration guides.

In the context of ArubaOS-Switches, enabling Enhanced Secure mode has several benefits, one of which includes disabling insecure algorithms for protocols such as SSH. This is in line with security best practices, as older, less secure algorithms are known to be vulnerable to various types of cryptographic attacks. When Enhanced Secure mode is enabled, the switch automatically restricts the use of such algorithms, thereby enhancing the security of management access.

The recommended approach for preventing users in the "user_group1" role from using gaming and peer-to-peer applications in an ArubaOS environment is to enable Deep Packet Inspection (DPI) and add application rules that specifically deny access to these types of applications for the role. DPI allows the network system to analyze the content of network traffic in real time and apply policies based on what it detects, including blocking specific applications like gaming and peer-to-peer sharing. This capability is essential for effectively managing application usage on the network and ensuring compliance with organizational policies. Application-specific rules provide precise control over the network traffic by identifying the application regardless of the network port used, making it a more effective method than blocking based on ports or IP addresses.

A honeypot in the context of wireless networks is a rogue access point (AP) set up by an attacker to lure wireless clients into connecting to it, often to steal credentials, intercept traffic, or launch further attacks. A man-in-the-middle (MITM) attack involves the attacker positioning themselves between the client and the legitimate network to intercept or manipulate traffic.

Option D, "It examines wireless clients' probes and broadcasts the SSIDs in the probes, so that wireless clients will connect to it automatically," is correct. Wireless clients periodically send probe requests to discover available networks, including SSIDs they have previously connected to (stored in their Preferred Network List, PNL). A honeypot AP can capture these probe requests, identify the SSIDs the client is looking for, and then broadcast those SSIDs. If the honeypot AP has a stronger signal or the legitimate AP is not available, the client may automatically connect to the honeypot AP (especially if the SSID is in the PNL and auto-connect is enabled). Once connected, the attacker can intercept the client’s traffic, making this an effective MITM attack.

Option A, "It uses ARP poisoning to disconnect wireless clients from the legitimate wireless network and force clients to connect to the hacker’s wireless network instead," is incorrect. ARP poisoning is a technique used on wired networks (or within the same broadcast domain) to redirect traffic by spoofing ARP responses. In a wireless context, ARP poisoning is not typically used to disconnect clients from a legitimate AP. Instead, techniques like deauthentication attacks or SSID spoofing (as in Option D) are more common.

Option B, "It runs an NMap scan on the wireless client to find the client's MAC and IP address. The hacker then connects to another network and spoofs those addresses," is incorrect. NMap scans are used for network discovery and port scanning, not for launching an MITM attack via a honeypot. Spoofing MAC and IP addresses on another network does not position the attacker as a honeypot to intercept wireless traffic.

Option C, "It uses a combination of software and hardware to jam the RF band and prevent the client from connecting to any wireless networks," is incorrect. Jamming the RF band would disrupt all wireless communication, including the attacker’s honeypot, and would not facilitate an MITM attack. Jamming might be used in a denial-of-service (DoS) attack, but not for MITM.

The HPE Aruba Networking AOS-8 8.11 User Guide states:

"A common technique for launching a man-in-the-middle (MITM) attack using a honeypot AP involves capturing wireless clients’ probe requests to identify SSIDs in their Preferred Network List (PNL). The honeypot AP then broadcasts these SSIDs, tricking clients into connecting automatically if the SSID matches a known network and auto-connect is enabled. Once connected, the attacker can intercept the client’s traffic, performing an MITM attack." (Page 422, Wireless Threats Section)

Additionally, the HPE Aruba Networking Security Guide notes:

"Honeypot APs can be used to launch MITM attacks by spoofing SSIDs that clients are probing for. Clients often automatically connect to known SSIDs in their PNL, especially if the legitimate AP is unavailable or the honeypot AP has a stronger signal, allowing the attacker to intercept traffic." (Page 72, Wireless MITM Attacks Section)

In a wireless network deployment with Aruba Mobility Master (MM), Mobility Controllers (MCs), and Campus APs (CAPs), where a WLAN is configured to use Tunnel mode for forwarding, the user traffic is tunneled from the APs to the MCs. VLAN 301, which is assigned to the WLAN, must be present on the links from the MCs to the core routing switches because these switches act as the default router for the wireless user traffic. It is not necessary for the VLAN to be present on all campus LAN links or AP links, only between the MCs and the core routing switches where the routing for VLAN 301 will occur.

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are both designed to disrupt the availability of a network, service, or device by overwhelming it with traffic or requests. HPE Aruba Networking documentation, particularly in the context of Wireless Intrusion Prevention (WIP) and network security, often discusses these attacks to help administrators mitigate them.

DoS Attack: A DoS attack is launched from a single source (e.g., one device or IP address) and aims to overwhelm a target (e.g., a server, network, or device) with traffic, making it unavailable to legitimate users. For example, a DoS attack might flood a server with SYN packets to exhaust its resources.

DDoS Attack: A DDoS attack is a more sophisticated version of a DoS attack, where the attack is launched from multiple sources (e.g., a botnet of compromised devices). These sources work together to overwhelm the target, making the attack harder to mitigate because the traffic comes from many different IP addresses.

Option A, "A DDoS attack originates from external devices, while a DoS attack originates from internal devices," is incorrect. Both DoS and DDoS attacks can originate from external or internal devices. The distinction is not about the location of the devices but the number of sources involved.

Option B, "A DoS attack targets one server; a DDoS attack targets all the clients that use a server," is incorrect. Both DoS and DDoS attacks typically target a single entity (e.g., a server, network, or device) to disrupt its availability. They do not target "all the clients that use a server."

Option C, "A DDoS attack targets multiple devices, while a DoS is designed to incapacitate only one device," is incorrect. Both DoS and DDoS attacks usually target a single device or service to overwhelm it. The difference lies in the source of the attack, not the number of targets.

Option D, "A DDoS attack is launched from multiple devices, while a DoS attack is launched from a single device," is correct. This is the primary distinction between the two: a DDoS attack involves multiple sources (e.g., a botnet), while a DoS attack originates from a single source.

The HPE Aruba Networking Security Guide states:

"A Denial of Service (DoS) attack is launched from a single device to overwhelm a target, such as a server or network, making it unavailable to legitimate users. A Distributed Denial of Service (DDoS) attack, in contrast, is launched from multiple devices, often a botnet of compromised systems, to flood the target with traffic from many sources, making it harder to mitigate." (Page 20, DoS and DDoS Attacks Section)

Additionally, the HPE Aruba Networking AOS-8 8.11 User Guide notes:

"The Wireless Intrusion Prevention (WIP) system can detect DoS and DDoS attacks. A DoS attack originates from a single source, while a DDoS attack involves multiple sources working together to overwhelm the target, such as a server or network infrastructure." (Page 423, WIP Threat Detection Section)

Setting up a packet capture on an Aruba Mobility Controller (MC) is particularly useful in scenarios where detailed analysis of network traffic is necessary to identify and address security concerns. Option B is the correct answer because it directly addresses the need to closely examine the traffic of a potentially malicious wireless endpoint. Packet capture on the MC allows the security team to collect and analyze traffic to/from specific endpoints in real-time, providing valuable insights into the nature of the traffic and potentially identifying harmful activities. This capability is essential for forensics and troubleshooting security incidents, enabling administrators to respond effectively to threats.

To enable an ArubaOS Mobility Controller (MC) to accept Change of Authorization (CoA) messages from a RADIUS server for wireless sessions on a WLAN, part of the setup on the MC involves creating a dynamic authorization, or RFC 3576, server with the provided IP address (10.5.5.5) and the correct shared secret. This setup allows the MC to handle CoA requests, which are used to change the authorization attributes of a session after it has been authenticated, such as disconnecting a user or changing a user's VLAN assignment.

HPE Aruba Networking ClearPass OnGuard: This is a component of the ClearPass Policy Manager platform specifically designed for endpoint posture assessment and health checks. It can identify and classify a wide range of devices connecting to the network, including traditional endpoints, mobile devices, and importantly, IoT devices. It analyzes device attributes and behaviors to determine their type and security posture.

Let's look at why the other options are less suitable for this specific requirement:

HPE Aruba Networking EdgeConnect SD-WAN: This solution focuses on optimizing wide area network (WAN) connectivity, improving application performance, and providing secure branch-to-branch and branch-to-cloud connections. While it can identify traffic from different devices, its primary function isn't detailed device classification at the network access layer.

HPE Aruba Networking Central: This is a cloud-based network management platform that provides visibility, configuration, and management for Aruba network devices (APs, switches, gateways). While it offers insights into connected devices, its core function isn't the deep classification of diverse endpoint types like IoT devices.

HPE Aruba Networking ClearPass Onboard: This component of ClearPass Policy Manager focuses on simplifying the secure onboarding of personal or unmanaged devices (BYOD). While it involves device identification during the onboarding process, its primary goal isn't continuous and comprehensive classification of all device types, especially the detailed classification needed for diverse IoT devices.

Therefore, HPE Aruba Networking ClearPass OnGuard is the most appropriate solution for classifying a wide range of devices, including IoT devices, within an AOS-10 network infrastructure.

In an AOS-8 Mobility Controller (MC) environment, a WLAN is configured with WPA3-Enterprise security, using HPE Aruba Networking ClearPass Policy Manager (CPPM) for authentication. The WLAN’s default role is set to "guest," which would be applied if no specific role is assigned after authentication. The MC has several roles configured, including "general-access" (note the underscore in the question: "general_access").

The client successfully authenticates, and CPPM sends an Access-Accept message with an Aruba-User-Role Vendor-Specific Attribute (VSA) set to "general_access." In AOS-8, the Aruba-User-Role VSA is used to assign a specific role to the client, overriding the default role configured on the WLAN. The role specified in the VSA must match a role that exists on the MC. Since "general-access" (or "general_access" as written in the question) is listed among the roles configured on the MC, the MC will apply this role to the client.

The underscore in "general_access" in the VSA versus the hyphen in "general-access" in the MC’s role list is likely a typographical inconsistency in the question. In practice, AOS-8 role names are case-insensitive and typically use hyphens, not underscores, but for the purpose of this question, we assume "general_access" matches "general-access" as the intended role.

Option A, "guest," is incorrect because the guest role is the default 802.1X role for the WLAN, but it is overridden by the Aruba-User-Role VSA specifying "general_access."

Option B, "logon," is incorrect because the logon role is typically applied during the authentication process (e.g., to allow access to DNS or RADIUS servers), not after successful authentication when a specific role is assigned.

Option C, "general-access," is correct because the MC applies the role specified in the Aruba-User-Role VSA ("general_access"), which matches the "general-access" role configured on the MC.

Option D, "authenticated," is incorrect because the "authenticated" role is not specified in the VSA, and there is no indication that it is the default role for successful authentication in this scenario.

The HPE Aruba Networking AOS-8 8.11 User Guide states:

"When a client authenticates successfully via 802.1X, the Mobility Controller checks for an Aruba-User-Role VSA in the RADIUS Access-Accept message. If the VSA is present and the specified role exists on the controller, the controller assigns that role to the client, overriding the default 802.1X role configured for the WLAN. For example, if the VSA specifies ‘general-access’ and this role is configured on the controller, the client will be assigned the ‘general-access’ role." (Page 305, Role Assignment Section)

Additionally, the HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide notes:

"The Aruba-User-Role VSA allows ClearPass to assign a specific role to a client on an Aruba Mobility Controller. The role name sent in the VSA must match a role configured on the controller, and the controller will apply this role to the client session, ignoring the default role for the WLAN." (Page 289, RADIUS Enforcement Section)