HP HPE7-A02 - Aruba Certified Network Security Professional Exam

When Wireless IDS/IPS infrastructure detection reports RTS (Request to Send) and CTS (Clear to Send) rate anomalies triggered by neighboring APs, it is often an indication of unusual, but not necessarily malicious, behavior. These anomalies can be caused by neighboring APs operating normally but under specific conditions that trigger the alerts. Before assuming a security threat, it is recommended to tune the event thresholds to better match the environment and reduce false positives. This approach helps to distinguish between normal operations and potential DoS attacks.

After installing an HPE Aruba Networking Network Analytic Engine (NAE) script on an AOS-CX switch, the additional step required to start the monitoring is to create an agent from the script. The agent is responsible for executing the script and collecting the monitoring data as defined by the script parameters.

1.Script Installation: Installing the script provides the logic and parameters for monitoring.

2.Agent Creation: Creating an agent from the script activates the monitoring process, allowing the NAE to begin tracking the specified function.

3.Operational Step: This step ensures that the monitoring logic is applied and the data collection starts as per the script’s configuration.

Packet Capture in Aruba Central:

Aruba Central provides tools for remote packet captures directly from the APs.

On the " Security " page for the AP, you can initiate a packet capture session, specifying the client device and capture duration.

The traffic is captured into a PCAP file, which can be downloaded and analyzed using tools like Wireshark.

Option Analysis:

Option A: Incorrect. While possible via CLI, Aruba Central provides a simpler method for packet captures.

Option B: Correct. Aruba Central’s " Security " page allows you to capture and export client traffic efficiently.

Option C: Incorrect. The " Live Events " page focuses on monitoring events, not packet captures.

Option D: Incorrect. Port mirroring on the switch captures AP traffic but requires more manual configuration and does not isolate client-specific wireless traffic easily.

Policy Analysis:

Rule Evaluation Order: Rules are applied in sequential order until a match is found.

Key Points:

DHCP traffic (UDP 67) is permitted.

DNS traffic (UDP 53) is permitted.

Traffic to 10.5.5.0/24 is explicitly denied.

HTTP traffic (TCP 80) is allowed only to 10.5.0.0/16.

HTTPS traffic (TCP 443) is allowed only to 10.5.0.0/16.

All other traffic to 10.5.0.0/16 is denied.

Any other traffic not matching the above rules is permitted.

Scenario Analysis:

The client IP 10.2.2.2 does not fall within the 10.5.0.0/16 subnet.

Rule 3 denies traffic to 10.5.5.5, regardless of the source IP.

Option A: Correct. HTTPS traffic to 10.5.5.5 is explicitly denied by Rule 3.

Option B: Incorrect. Traffic to 203.0.113.12 is permitted due to the final " permit any " rule.

Option C: Incorrect. The client (10.2.2.2) does not belong to the subnet 10.5.0.0/16, so traffic to 10.5.3.3 is not permitted by Rule 5.

Option D: Incorrect. HTTP traffic to 198.51.100.12 is allowed by the last " permit any " rule.

HPE Aruba Networking ZTNA (delivered as part of Aruba SSE) replaces traditional network-level VPN access with application-level access. Key security advantages highlighted in Aruba ZTNA/SSE collateral include:

Applications are no longer exposed directly to the internet; instead, they are fronted by the ZTNA service.

Inbound connectivity to private apps is outbound-only via connectors, eliminating open listening ports and shrinking the external attack surface. www6.h3c.com

Users are granted access only to specific applications, not entire subnets, thereby limiting lateral movement and the blast radius of a compromise.

Aruba documentation explicitly notes that ZTNA “reduces the overall attack surface” and avoids the broad network exposure inherent in classic client-to-site VPNs.

Thus, the most accurate advantage is: ZTNA shrinks the attack surface, eliminating publicly exposed ports and reducing the extent of the private network exposed to remote users → Option D.

Centralized Role Configuration on CPPM:

CPPM can assign roles to clients dynamically during authentication.

However, the actual ACL policies (e.g., firewall policies) must already exist and be referenced locally on the switch.

CPPM cannot directly configure ACL details on AOS-CX switches.

Option Analysis:

Option A: Correct. The role is defined on CPPM, but it references a policy pre-configured on the switch.

Option B: Incorrect. This does not align with Aruba ' s centralized role-based access control design.

Option C: Incorrect. CPPM cannot configure the ACL policies and classes directly; they must exist locally.

Option D: Incorrect. Policies can be referenced centrally but not fully configured on CPPM.

1. Understanding the Role Mapping Evaluation:

Role mapping is set to " Evaluate: Select first, " meaning the first rule that matches the client attributes will determine the role(s) assigned.

Contractors group: Since the client is in the Contractors group (not Managers), Rule 1 in the Role Mapping Policy does not match.

TEAP-Method-1-Status EQUALS Success: This condition matches Rule 2, so the client is assigned the domain-comp role.

No other rules match, so the default role [Other] is not applied.

2. Resulting Role from Role Mapping Policy:

The client is assigned the domain-comp role.

3. Enforcement Policy Evaluation:

Enforcement policy is also set to " Evaluate: Select first, " so the first matching rule determines the enforcement profile.

Rule 1 (Tips Role = manager AND domain-comp):

The client only has the domain-comp role, not manager, so this rule does not match.

Rule 2 (Tips Role = manager):

The client does not have the manager role, so this rule does not match.

Rule 3 (Tips Role = domain-comp):

This rule matches the client ' s role, but it is not evaluated because the enforcement policy already skipped to the default action after failing the first two rules.

4. Default Enforcement Profile:

Since no rule explicitly matches and the policy evaluation stops at the default, the default profile [Deny Access Profile] is applied.

Final Outcome:

The client is denied access because none of the matching rules satisfy the conditions.

References

Aruba ClearPass Policy Manager Role Mapping and Enforcement Policies Guide.

Role and Policy Evaluation Logic for ClearPass Authentication Services.

To control which commands managers are allowed to enter on AOS-CX switches using HPE Aruba Networking ClearPass Policy Manager (CPPM) as a TACACS+ server, you need to add the Shell service to the TACACS+ enforcement profiles for the managers. This service allows you to define and enforce specific command sets and access privileges for users authenticated via TACACS+. By configuring the Shell service in the enforcement profile, you can specify the commands that are permitted or denied for the managers, ensuring controlled and secure access to the switch ' s command-line interface.

RAPIDS Ad-Hoc Detection:

The alert " Detect ad-hoc using Valid SSID " indicates that a device is broadcasting an SSID that matches a valid network SSID in ad-hoc mode. This can be an indication of an infrastructure attack or misconfiguration.

Next Steps:

Use Aruba Central floorplans or AP location data to identify the physical area where the offending device is detected.

Locate and investigate the device to determine if it is malicious or simply misconfigured.

Option Analysis:

Option A: Incorrect. While tuning thresholds is useful for reducing false positives, this step does not directly address a potential threat.

Option B: Incorrect. Faulty drivers can cause similar behavior, but this step is not immediately actionable without locating the device first.

Option C: Correct. Floorplans or AP identities help locate the threat ' s physical area for further investigation.

Option D: Incorrect. RAPIDS focuses on detecting devices via SSID and MAC, not IP addresses, making this approach less relevant.

ClearPass Device Insight Integration:

To integrate ClearPass Device Insight (CPDI) with ClearPass Policy Manager (CPPM), you must enable the Insight feature in the CPPM server configuration settings.

This ensures CPPM can share and receive profiling data with CPDI for device identification.

Option Analysis:

Option A: Incorrect. Root CA certificates are not required for this integration.

Option B: Correct. Enabling Insight on CPPM is essential for the integration to function.

Option C: Incorrect. WMI, SSH, and SNMP are not part of the CPDI integration prerequisites.

Option D: Incorrect. The Data Collector token is relevant to Aruba Central, not CPDI integration.