HPE6-A88 HPE Aruba Networking ClearPass Exam Questions and Answers

Posture is a highly dynamic state—a device can move from "Healthy" to "Infected" in seconds. Role mapping occurs early in the service processing logic. If posture is evaluated during the role mapping phase, ClearPass may rely on a cached posture token from a previous session. Best practice is to perform posture evaluation within the Enforcement Rules . This ensures that the system checks the most recent "Health" status reported by the OnGuard agent at the exact moment the access decision is being made, preventing a non-compliant device from gaining access based on old data.

Custom Operator Profiles (which define what a Guest administrator can see and do) are mapped to users during their login to the ClearPass Guest/Workflows interface. For a new profile to be active, the administrator must navigate to the Guest Operator Login policy and add a rule that assigns that specific profile based on the user's ClearPass Role. Without this mapping in the login policy, the system will fall back to a default profile or deny access.

As discussed in Q5, RadSec utilizes TLS for security, which renders the traditional RADIUS MD5 shared secret obsolete. In the ClearPass interface, when RadSec is selected as the protocol, the system automatically defaults the PSK to 'radsec' because the underlying communication is now secured by certificates, not a password. This is a standard behavior of the protocol implementation in HPE Aruba products to indicate that certificate-based trust is now the priority.

The search bar in the ClearPass Endpoints and Access Tracker views supports partial-string matching. To find all devices in the 10.x.x.x (10/8) range, simply typing "10." will filter the list to show every entry where the IP address field begins with those two characters. This is the most efficient way to perform broad subnet filtering without using complex query syntax.

The Pre-Authentication Check is a feature of the ClearPass Guest web page logic. It is configured within the Web Login editor under the Login Form settings. This feature allows ClearPass to verify the user's credentials locally or against an external source before the user's browser is redirected back to the controller to finish the process, ensuring that only valid attempts reach the network device.

To manage certificates in ClearPass Onboard, the administrator must drill down into the specific Certificate Authority (CA) that issued the credentials. From there, they can view a list of all issued certificates , search for the one belonging to the lost device (using the username or MAC address), and perform the Revoke action. This immediately invalidates the certificate for future 802.1X authentications.

When an account is pending approval (either by a sponsor or via email verification), it is created in a "Disabled" state in the Guest Repository. ClearPass Guest receipt pages are context-aware; they check the account status before rendering. If the account is disabled, the Log In button will be grayed out and unclickable, informing the user that they must wait for further action before they can access the network.

A common cause of certificate errors is a "broken trust chain". When uploading a new server certificate, the engineer must include the entire certificate bundle . This bundle should contain the server's certificate, any Intermediate CAs , and the Root CA certificate. This allows the ClearPass server to present the full chain to client browsers, ensuring they can verify the certificate's authenticity back to a trusted source.

When an OnGuard agent finishes its scan, it sends the results to ClearPass. If the status has changed (e.g., from "Healthy" to "Unhealthy"), ClearPass evaluates its Enforcement Policy and selects a profile that includes a CoA (Change of Authorization) action. ClearPass sends this Disconnect-Request to the switch (NAD), which drops the client session. The device's supplicant immediately reconnects, triggering a new authentication that places the user in the correct, updated role.

The primary benefit of profiling is the transition from "MAC-only" visibility to "Context-aware" visibility. By using multiple collectors (DHCP, SNMP, HTTP, SSH, etc.), ClearPass builds a high-fidelity profile of the endpoint. This allows the administrator to write fine-grained policies—for example, allowing a "Workstation" to access the production server but only allowing an "IoT Camera" to access the NVR. Without this profiling context, the system cannot distinguish between different security levels required for diverse hardware.

Non-AAA enforcement (often called Web-based authentication or MAC-based profiling without 802.1X ) is chosen for ease of deployment. 802.1X is highly secure but requires a "Supplicant" (software) configuration on every client device. By using a non-AAA method, the engineer can secure the network using the device's MAC address and a redirect to a web portal, which works on any device with a browser without needing to touch the client's internal network settings.

ClearPass is built on an object-oriented configuration model. Elements such as Role Mappings, Enforcement Profiles, and Service Rules are modular. This reusability means an engineer can define a "Corporate-User" enforcement profile once and apply it to a dozen different services (Wireless, Wired, VPN). This ensures policy consistency across the organization, significantly reduces administrative overhead, and minimizes the risk of configuration errors.

By polling an EMM/MDM server, ClearPass pre-synchronizes its endpoint database with managed device information. This "Advanced Context" means that when a device eventually connects for the first time, ClearPass already knows its serial number, compliance status, and owner. This eliminates the need for manual profiling or initial "limited access" phases, allowing the system to grant appropriate access levels immediately upon the first authentication attempt.

To differentiate security levels based on device type (e.g., giving a VoIP phone different access than a laptop), ClearPass must use Profiling . The service first identifies the device type using various collectors and then evaluates this information in the Enforcement Policy . This allows the administrator to select specific Enforcement Profiles (VLANs/ACLs) that are dynamically assigned based on the high-fidelity profile data gathered at connection time.

The Dissolvable Agent is ideal for BYOD and Guest scenarios where you cannot mandate that users install permanent software on their personal devices. When a user connects to the guest portal, the agent is downloaded as a temporary executable, runs the required Health Checks , reports the results back to ClearPass, and then removes itself from the system. This provides security without the administrative overhead of managing software installations on non-corporate hardware.

For high-density events like conferences, manual account creation by IT staff is unscalable. Self-registration allows guests to navigate to a portal, enter their own details, and receive credentials without any administrative intervention. This offloads the entire management burden from the internal staff while still allowing the organization to collect visitor data and enforce terms of service.

RadSec (RADIUS over TLS) replaces the traditional MD5-based Pre-Shared Key (PSK) with a secure TLS tunnel. While the UI might show a placeholder "radsec" PSK, the actual security relies on Mutual Authentication via certificates. For the TLS handshake to succeed, ClearPass must trust the Certificate Authority (CA) that signed the NAD's certificate, and vice versa. Therefore, verifying that the NAD's trust chain is uploaded to the ClearPass Trust List is the most critical step for a successful connection.

ClearPass OnGuard provides the framework for endpoint health checks. In the service selection rules, enabling Posture Compliance tells ClearPass to look for a health token from the OnGuard agent. By selecting auto-remediation , the administrator allows the system to automatically trigger fixes (like starting a disabled firewall) or redirect the user to a Remediation URL where they can find instructions or software updates needed to become compliant.

ClearPass can extract location context from the NAD's RADIUS attributes. Common attributes used include NAS-Port-Id (for wired switches to show the specific port/closet) or Called-Station-Id (for wireless to show the AP Name or MAC). By configuring the Network Device attribute settings in ClearPass, these raw strings can be mapped to human-readable locations (e.g., "Building 5, 2nd Floor").

In a ClearPass cluster, the Publisher is the central "Source of Truth" for all configuration and licensing data. While Subscriber nodes handle the actual authentication traffic, they receive their policy and license updates via replication from the Publisher. Therefore, all license management —including adding new license keys or re-allocating capacity—must be performed on the Publisher's web interface.

Using AD for authentication confirms who the user is, while using it for authorization allows ClearPass to pull group memberships (e.g., "Finance Team") to determine access levels. Adding MDM integration provides "Rich Context"—letting ClearPass know if that specific user is connecting from a corporate-managed device that is encrypted and not jailbroken. This combination ensures that only the right person on a secure device can enter the network.

While RADIUS requests (for network access) are almost always found in the Access Tracker, TACACS+ requests (for device administration) that fail early in the process—such as those from an unauthorized source IP—may not appear there. In these cases, the Event Viewer is the correct diagnostic tool. The Event Viewer captures system-level errors, including "Unknown NAD" alerts for TACACS+ attempts, which will help the administrator identify why the request isn't being processed by a service.

Policy cache entries in ClearPass typically have a default life-cycle of 5 minutes . If the cache was updated three minutes ago , it has two minutes of validity remaining. During this time, ClearPass will use the cached roles and posture status for any incoming requests from that device. Once the 5-minute mark is reached, the cache expires, and ClearPass will perform a full re-evaluation on the next request.

Client devices (supplicants) have their own internal RADIUS timers, often defaulting to 5–10 seconds. If ClearPass is configured with a long 20-second timeout for its primary AD source, and that server is unresponsive, ClearPass will wait the full 20 seconds before failing over to a backup source. By that time, the client device has likely already timed out and given up on the connection, resulting in an authentication failure for the user. Standard practice is to keep AD timeouts short (e.g., 3–5 seconds).

SMS delivery of guest credentials requires explicit configuration within ClearPass Guest . This involves two main components: integrating ClearPass with a functional SMS Gateway and configuring the Self-Registration receipt to trigger an SMS action. The system must be told exactly what information to send (e.g., username and password) and which field in the registration form contains the guest's mobile number.

ClearPass Profiling is a foundational feature used to gain visibility into every device on the network. It uses various "collectors" (such as DHCP fingerprints, HTTP User-Agents, and MAC OUIs) to determine the Category, OS Family, and Name of an endpoint. In a high-density environment like a university, profiling allows administrators to generate reports on specific device types. When an upgrade is required for a specific model (e.g., a specific version of Android or a certain laptop brand), the administrator can instantly see exactly how many of those devices are currently active, allowing for better capacity planning and impact analysis.

In a Pre-Authentication workflow (often used in Captive Portals), ClearPass first checks the user's credentials locally or against an external source before the actual NAD (switch/controller) sends the final RADIUS request. For this to work seamlessly, the same service or logic in ClearPass must be able to handle the initial check and the subsequent NAD request to ensure consistency in role assignment and session tracking.

Beyond traditional RADIUS/TACACS, ClearPass acts as a Context Broker . It uses a robust set of REST APIs and HTTP-based outbound notifications to share data with "non-authentication" systems like SIEMs, Next-Generation Firewalls, and Asset Management databases. This allows the entire security infrastructure to benefit from the rich identity and profiling context that ClearPass gathers, enabling a coordinated response to threats across the entire network.

Visual branding in ClearPass Guest is handled through Skins . While the Content Manager stores the physical file (the logo), the Skin defines where and how that logo appears on the page. After uploading the logo, the administrator must configure or edit a skin to reference that specific JPEG, and then apply that skin to the desired guest registration or login pages.

IETF Attributes (like Service-Type or Tunnel-Private-Group-ID) are standard RADIUS attributes that every vendor (Cisco, Aruba, Juniper) must support. Vendor-Specific Attributes (VSAs) are unique (e.g., an Aruba-User-Role won't work on a Cisco switch). By using IETF attributes for common tasks like VLAN assignment, an engineer can create a single Enforcement Profile that works across all hardware in the building, significantly reducing administrative overhead.