The core issue is the high frequency of repeat email notifications for a single, ongoing threat, leading to alert fatigue. In Aruba Central, the Alert duration and threshold settings are specifically designed to manage this. By adjusting these parameters, an administrator can define conditions for triggering notifications, such as setting a time duration during which repeat instances of the same event are consolidated into a single alert, or a threshold that must be met before a notification is sent. This directly reduces notification volume for persistent threats without disabling the underlying threat detection.

A. Report scheduling settings: This configures the generation and delivery of periodic summary reports, not the real-time, event-driven alert notifications described in the scenario.

C. The IDS policy setting (strict, medium, or lenient): This adjusts the sensitivity of the IDS engine itself, determining what is considered a threat. It does not control the frequency of notifications for an already-detected threat.

D. The allowlist settings in the IDS policy: An allowlist (whitelist) would completely suppress all alerts for a specific signature or traffic flow, preventing admins from investigating a potentially valid threat, which contradicts the scenario's requirements.

1. Aruba Central User Guide: In the section on "Alerts & Events

" the configuration options for alerts are detailed. The documentation explains that administrators can configure alert notifications based on severity

device

and label. Advanced settings often include thresholds and time-based conditions to prevent "alert storms" from a single

persistent event. This directly supports adjusting duration and threshold settings to control notification frequency. (See the "Configuring Alerts and Notifications" section in the relevant Aruba Central User Guide version).

2. Aruba Central User Guide: The "Intrusion Detection and Prevention" section under the Gateway or Security configuration details the IDS policies (Strict

Medium

Lenient) and the use of allowlists. This documentation clarifies that these settings control detection rules and exceptions

respectively

not the notification logic for triggered events

thereby differentiating them from the correct answer. (See the "Configuring Security Policies for SD-WAN" or similar sections in the Aruba Central User Guide).

The most efficient and scalable solution is to leverage the VLAN name feature in AOS-CX downloadable user roles. This involves creating a VLAN on each access switch with the same name (e.g., "reception-vlan") but assigning it the appropriate local VLAN ID (14 on switch 1, 24 on switch 2, etc.). In ClearPass, a single enforcement profile for the "reception-domain" role is created. This profile specifies the VLAN by its name rather than a numeric ID. When a switch downloads this role, it resolves the VLAN name to its locally configured VLAN ID, thus achieving the per-switch VLAN assignment requirement with a single, centralized policy.

B: This describes locally defined roles, which contradicts the explicit requirement for the switch to download role settings from CPPM.

C: Using a variable expression like %(NAS-ID]4 to dynamically construct a VLAN ID is not a standard or supported method in ClearPass enforcement profiles for this purpose.

D: Creating separate enforcement profiles and policies for each switch is operationally inefficient, creates administrative overhead, and does not scale for larger deployments.

1. ArubaOS-CX 10.12 Security Guide

Page 229

Chapter "Configuring port access"

Section "Downloadable user roles": "The VLAN ID or name to be assigned to the user role. When a VLAN name is used

the VLAN name must be configured on the switch. The VLAN ID associated with the name on the switch is assigned to the client." This directly supports using a consistent name that maps to different local IDs.

2. Aruba ClearPass Policy Manager 6.11 User Guide

Page 1

Chapter "Enforcement > Enforcement Profiles"

Section "Aruba Downloadable Role Enforcement Profile": The configuration template for this profile includes an attribute Aruba-Vlan-Name

which is used to send a VLAN name to the network access device. This confirms ClearPass's capability to send a VLAN name as part of the role.

The exhibit displays the ArubaOS-CX REST API documentation interface, which indicates that authorization is required before executing an API call (Available authorizations: cookieAuth). The "Authorize" button signifies that the user has not yet authenticated their session. To proceed, the user must log in to the switch to generate a session cookie. This cookie acts as an authentication token for all subsequent API requests made from the browser. Option B describes this necessary action of authenticating to acquire a credential (token/cookie) to use the API. While the term "Aruba passport account" is imprecise for on-premises switch authentication (which uses the local user database), the core action of collecting a token via authentication is correct and essential.

A: Switching to an older API version like v1 will not resolve an authentication issue. The problem is a lack of credentials, not an incorrect API endpoint version.

C: The ability to load the API documentation page proves that the switch's HTTPS server is already enabled and listening on the VRF being used for access.

D: While the browser must be configured to store cookies for cookieAuth to work, this is a passive prerequisite, not the active step of authenticating to solve the "unauthorized" state.

1. ArubaOS-CX 10.10 REST API Guide (5200-8207 Edition 1)

Chapter 2: "Using the REST API"

Section: "Logging in to the REST API"

Page 8. This section details the login process: "To log in to the REST API

you must send a POST request to the login resource... The switch authenticates the credentials against the local user database... The response includes a cookie that must be used in all subsequent REST API requests to the switch."

2. ArubaOS-CX 10.10 REST API Guide (5200-8207 Edition 1)

Chapter 2: "Using the REST API reference"

Section: "Using 'Try it out'"

Page 11. This section states: "To use the 'Try it out' feature

you must first log in to the switch through the Web UI. The login process creates a session cookie that is used to authenticate your requests from the API reference page." This confirms that a login action to create the cookie (token) is the required step.

The most precise and direct method to meet the customer's requirement is to configure the switch's SNMP agent to operate exclusively in SNMPv3 mode. The snmp-server v3-only command in ArubaOS-CX is specifically designed for this purpose. It disables the processing of SNMPv1 and SNMPv2c requests, thereby remediating the vulnerability of responding to a public community string. This command directly addresses the root cause and enforces the security policy, resolving the issue the administrator faced when attempting to remove the default community while older SNMP versions were still implicitly enabled.

A. Enabling control plane policing to automatically drop SNMP GET requests: This is an indirect, network-layer control. It is not the intended method for managing SNMP protocol versions and could unintentionally block legitimate SNMPv3 traffic if not configured precisely.

C. Adding an SNMP community with a long random name: This is a hardening technique for SNMPv2c, but it does not disable it. The switch would still be running SNMPv2c, failing to meet the customer's requirement to permit only SNMPv3.

D. Enabling SNMPv3, which implicitly disables SNMPv1/v2: This is incorrect. On ArubaOS-CX switches, SNMPv1/v2c and SNMPv3 can operate concurrently. Enabling SNMPv3 does not automatically disable the older, less secure versions.

1. ArubaOS-CX 10.12 Security Guide

Page 289

"SNMPv3" section. The guide states

"By default

the switch responds to SNMPv1

SNMPv2c

and SNMPv3 requests. To configure the switch to respond only to SNMPv3 requests

enter the snmp-server v3-only command." This directly supports option B and refutes option D.

2. ArubaOS-CX 10.10 Command-Line Interface Reference Guide

Page 5881. The documentation for the snmp-server v3-only command confirms its function: "Enables SNMPv3 only mode. In this mode

the SNMP agent will not respond to any SNMPv1 and SNMPv2c requests." This validates the explanation for the correct answer.

3. ArubaOS-CX 10.12 Security Guide

Page 288

"SNMPv1 and SNMPv2c" section. This section details the configuration of community strings

showing that adding a new one (as in option C) is part of configuring SNMPv2c

not disabling it. It also explains that a default "public" community exists.

The scenario describes a User-Based Tunneling (UBT) implementation where ClearPass provides authentication and authorization attributes. The provided ClearPass enforcement profile sends both Aruba-User-Role and Aruba-User-Vlan. The requirement states the gateway should assign the role and the VLAN.

In a centralized policy model using ClearPass, it is best practice for ClearPass to be the single source of truth for policy decisions like VLAN assignment. If the gateway's local user-role configuration also contains a static VLAN assignment, it creates a redundant policy that can lead to conflicts or management overhead. By removing the VLAN assignment from the gateway's role configuration, the gateway will dynamically use the Aruba-User-Vlan attribute sent from ClearPass, ensuring a consistent, centrally managed policy.

A. Change the ubt-client-vlan to VLAN 13: The ubt-client-vlan is a transient VLAN on the switch for unauthenticated traffic and is irrelevant to the final user VLAN (20) assigned by the gateway post-tunneling.

B. Configure edge ports in VLAN trunk mode: Edge ports for single-client 802.1X authentication are correctly configured as access ports. Trunking is not required for UBT to function.

D. Configure the UBT solution to use VLAN extend mode: VLAN extend mode contradicts the requirement. It extends the switch-side VLAN across the tunnel, whereas the goal is for the gateway to assign a new VLAN (local mode).

ArubaOS-CX 10.12 Security Guide (Document Number: MN000016933-R012): In the "User-Based Tunneling" chapter

the guide explains that the gateway assigns the VLAN based on the user role it receives from the switch. It states

"The switch forwards the user role name received from the authentication server to the gateway. The gateway applies policies based on the user role." While the gateway's local role is the default source

it will prioritize RADIUS-derived attributes if present

making ClearPass the central policy point. Removing the local gateway VLAN configuration prevents conflicts. (See Chapter: "User-Based Tunneling"

Section: "UBT Concepts").

Aruba Validated Solution Guide - Campus Access for Small and Midsize Businesses (April 2021): This guide illustrates architectures where ClearPass provides comprehensive enforcement profiles

including VLANs

for wired and wireless clients

which are then enforced by network devices (switches

gateways). This supports the principle of centralizing policy on ClearPass. (See Chapter 3: "Aruba ESP Campus Access Architecture").

The question requires identifying the correct trust usages for the imported Windows CA root certificate in ClearPass. Based on the scenario:

1. EAP Usage: The network must support TEAP with an inner EAP-TLS method for Windows domain computers and users. These clients present certificates issued by the internal Windows CA. For ClearPass to validate these client certificates during the EAP-TLS exchange, the issuing CA's root certificate must be trusted for "EAP" usage.

2. AD/LDAP Server Usage: The scenario explicitly requires that "Communications between ClearPass servers and on-prem AD domain controllers must be encrypted." This is achieved using LDAPS. The domain controllers will present their server certificates (issued by the Windows CA) to ClearPass. To establish a trusted, encrypted connection, ClearPass must validate this server certificate, which requires the "AD/LDAP Server" usage to be enabled for the Windows CA root.

B. LDAP and Aruba infrastructure: "Aruba infrastructure" is incorrect as the scenario does not state that Aruba network devices use certificates from the Windows CA for any function that ClearPass must validate.

C. Radsec and Aruba infrastructure: "Radsec" is incorrect because RadSec (RADIUS over TLS) is not mentioned as a requirement. "Aruba infrastructure" is also incorrect for the reason stated above.

D. EAP and Radsec: "Radsec" is incorrect as it is not a required communication protocol in this scenario.

1. Aruba ClearPass Policy Manager 6.9 User Guide

Page 238

"Trust List Page":

EAP: "Allows the certificate to be used for EAP-TLS

PEAP-TLS

and EAP-TTLS authentication." This directly supports the need to validate client certificates for the required TEAP/EAP-TLS method.

AD/LDAP Server: "Allows the certificate to be used for secure AD/LDAP connections." This directly supports the requirement for encrypted communication with the Active Directory domain controllers.

RadSec: "Allows the certificate to be used for RadSec connections." This confirms RadSec is a distinct usage not required by the scenario.

Aruba Infrastructure: "Allows the certificate to be used for Aruba infrastructure." This confirms it is for trusting Aruba devices

which is not a stated requirement for the Windows CA.

The exhibit shows a series of DNS queries from a client (10.1.7.101) for extremely long, non-standard subdomains of a single domain (evil.com). This pattern is a classic indicator of DNS tunneling. In this technique, data is encoded into the subdomain portion of a DNS query. This creates a covert channel, often used by malware to communicate with a Command and Control (C2) server for receiving instructions or exfiltrating data. The client is likely compromised and is using the DNS protocol to bypass firewall restrictions and establish this C2 channel.

A: The traffic pattern does not resemble a Denial-of-Service (DoS) attack, which typically involves a high volume of traffic, not a few structured queries.

B: A port scan involves probing many different ports on a host or subnet; this capture only shows traffic on the DNS port (53).

D: This capture contains DNS packets, not ARP packets. ARP poisoning involves manipulating MAC-to-IP address mappings using ARP messages, which are not present here.

1. Aruba Threat Labs. (2020

May 20). Detecting DNS Tunneling with Aruba IntroSpect. Aruba Blogs. This official vendor blog post provides examples of DNS tunneling traffic used for C2

which are visually identical to the traffic in the exhibit

and explains how Aruba security solutions detect this threat.

2. National Institute of Standards and Technology (NIST). (2013). Special Publication 800-81-2: Secure Domain Name System (DNS) Deployment Guide. Section 3.4.2

"DNS Tunneling". This section states

"An attacker can use DNS tunneling to...establish a command and control channel with a compromised host... The data to be tunneled is encoded within the labels of a DNS query for a domain name controlled by the attacker."

3. Dusi

M.

Gringoli

F.

& Salgarelli

L. (2015). A preliminary look at DNS-based covert channels. 2015 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). https://doi.org/10.1109/INFCOMW.2015.7179398. This academic paper analyzes DNS covert channels

noting that encoding information in query names is a common method for C2 and data exfiltration

matching the exhibit's scenario.

When Aruba ClearPass Policy Manager (CPPM) is integrated with Aruba Central for Device Insight, the tags assigned in Central are automatically synchronized to the CPPM Endpoints Repository as an attribute of the endpoint. To use these tags for policy decisions, you create a rule condition of the type "Endpoint" and select the "Tags" attribute. The Endpoints Repository is an implicit authorization source for all services, so it is not necessary to explicitly add it to the service's authorization sources list for this functionality to work.

A: This describes a manual, non-standard method. The native integration synchronizes tags automatically, eliminating the need to create a separate HTTP authentication source to query the API for tags.

B: The "Application" type is incorrect. This type is used for conditions related to application-level attributes (e.g., from OnGuard), not device-level tags from Device Insight.

C: The rule type is "Endpoint," not "Endpoints Repository." Furthermore, the Endpoints Repository is an authorization source, not an authentication source, and it is used by default.

1. Aruba Central and ClearPass Integration Guide: In the section "Using Tags in Enforcement Profiles

" the guide explicitly shows the procedure for creating enforcement policy rules based on tags. It demonstrates creating a rule with Type: Endpoint

Name: Tags

and an appropriate operator. This confirms that "Endpoint" is the correct type and that the process is direct

without requiring additional authorization sources. (Refer to the configuration examples for "Creating an Enforcement Policy" within the guide).

2. ClearPass Policy Manager 6.11 User Guide: In the chapter on "Configuring Enforcement Policies

" the process of adding rules is detailed. The "Type" dropdown menu for a rule condition includes "Endpoint

" which allows access to all attributes stored for a device in the Endpoints Repository

including synchronized tags from Device Insight. The guide clarifies that the Endpoints Repository is a built-in authorization source. (Refer to the section "Adding and Modifying Rules for an Enforcement Policy").

Aruba ClearPass can integrate with third-party security and IT systems through ClearPass Exchange. A common integration with next-generation firewalls like Palo Alto is to use the firewall's threat intelligence to trigger network access enforcement. When the Palo Alto firewall detects malicious activity or a policy violation from a specific client IP address, it can send a Syslog message to ClearPass. ClearPass can then parse this message and initiate a Change of Authorization (CoA) to modify the client's access, such as moving them to a quarantine VLAN or disconnecting them from the network entirely. This creates a dynamic, automated threat response system.

B: A firewall is not the authoritative source for a list of known client MAC addresses; this information is typically imported from an asset database or MDM.

C: This describes a network security architecture (defense-in-depth) rather than a specific, direct technical integration between the ClearPass and firewall platforms.

D: Firewall rules and switch downloadable user roles are distinct constructs. You cannot directly import firewall rules to create switch roles; they serve different purposes at different network layers.

1. Aruba ClearPass & Palo Alto Networks Firewall Integration Guide: This guide details the integration process. It states

"The integration between ClearPass and Palo Alto Networks (PAN) Next-Generation Firewalls (NGFWs) provides a comprehensive NAC and security solution... PAN-OS can send syslog messages to ClearPass when a threat is detected. ClearPass can then take an action on the endpoint that is the source of the threat." (See "Solution Overview" and "Threat-Based Enforcement Workflow" sections).

2. ClearPass Policy Manager 6.11 User Guide: This document describes how ClearPass can act as a Syslog server to receive messages from external devices and trigger enforcement. "ClearPass can be configured as a syslog server to receive messages from network devices... Based on the content of the syslog message

ClearPass can change the state of the endpoint in the Endpoint Repository and initiate a Change of Authorization (CoA)." (See Chapter: "Configuration > Enforcement > Profiles"

Section: "Syslog Export Enforcement Profile").

The scenario requires the Certificate Authority (CA) certificate to be trusted for two distinct purposes. First, for validating the certificates presented by domain users and computers during 802.1X authentication, the EAP (Extensible Authentication Protocol) usage is necessary. This allows ClearPass to act as a RADIUS server and validate the client's certificate chain in EAP-TLS or PEAP-EAP-TLS.

Second, the requirement for encrypted communication between ClearPass and the domain controllers for account lookups implies the use of LDAPS (LDAP over SSL/TLS). For ClearPass to establish a secure LDAPS session, it must trust the server certificate presented by the domain controller. Enabling the AD/LDAP Server usage for the imported root CA certificate allows ClearPass to validate the domain controller's certificate.

A. Radec and Aruba infrastructure: Radsec is for secure RADIUS-to-RADIUS communication, and Aruba Infrastructure is for device management; neither is relevant for client authentication or AD lookups in this context.

C. EAP and Radsec: Radsec is incorrect. The encrypted communication is with an Active Directory domain controller (which uses LDAPS), not another RADIUS server.

D. LDAP and Aruba infrastructure: The Aruba Infrastructure usage is not required. While AD/LDAP Server usage is correct, this option pairs it with an incorrect one.

1. HPE Aruba ClearPass Policy Manager 6.9 User Guide

Page 288

"Trust List Page". This section details the certificate usages.

EAP: "Select this check box to use this certificate for EAP." This directly supports the requirement to validate client certificates.

AD/LDAP Server: "Select this check box to use this certificate for AD/LDAP Server." This supports the requirement to trust the domain controller's certificate for a secure connection.

Radsec: "Select this check box to use this certificate for Radsec." This defines Radsec for secure RADIUS proxying

which is not the scenario described.

2. HPE Aruba ClearPass Policy Manager 6.9 User Guide

Page 111

"Adding Active Directory Authentication Sources". This section describes the "Connection Security" setting for an AD authentication source.

To meet the requirement for encrypted communication

the "AD over SSL" option would be selected

which uses port 636 (LDAPS). The guide states

"To use this option

the root CA of the AD server certificate must be available in the Certificate Trust List." This confirms the need for the AD/LDAP Server usage.