Free Preparation Discussions
MENU
HPE6-A84 Exam Questions
- Topic 1: Integrate Aruba solutions with ecosystem partner solutions/ Define PKI best practices and implement certificate-based authentication
- Topic 2: Design a workflow for Network Analytic Engine (NAE) script development/ Interpret and respond to endpoint classification data, as well as use it to tune policies
- Topic 3: Explain the role of device profiling and risk scoring in a company's security efforts/ Explain and implement role-based access control
- Topic 4: Design and implement Dynamic Segmentation/ Implement Aruba Zero Trust Security for the unified infrastructure using ClearPass Policy Manager
- Topic 5: Design and deploy secure client-to-site access using Aruba Central and Aruba gateways/ Design and deploy Gateway IDS/IPS
- Topic 6: Perform a comprehensive analysis in a set timeframe/ Analyze logs, alerts, and other features at an expert level to detect threats
- Topic 7: Explain how Aruba solutions map to local compliance/ Describe Aruba CloudAuth capabilities and explain how to migrate to an Aruba CloudAuth-based solution
- Topic 8: Architect complex ACLs per wired interface and VLAN/ Design a detection strategy for rogue wireless devices and other wireless threats utilizing Aruba WIPS features
- Topic 9: Design enterprise-wide firewall policies/ Articulate the Aruba Zero Trust Security Strategy
- Topic 10: Implement endpoint classification and device profiling with CPDI/ Explain and implement forensic techniques
Free HP HPE6-A84 Exam Actual Questions
Note: Premium Questions for HPE6-A84 were last updated On Jun. 16, 2025 (see below)
Refer to the scenario.
A customer requires these rights for clients in the ''medical-mobile'' AOS firewall role on Aruba Mobility Controllers (MCs):
External devices should not be permitted to initiate sessions with ''medical-mobile'' clients, only send return traffic.
The exhibits below show the configuration for the role.
There are multiple issues with this configuration. What is one change you must make to meet the scenario requirements? (In the options, rules in a policy are referenced from top to bottom. For example, ''medical-mobile'' rule 1 is ''ipv4 any any svc-dhcp permit,'' and rule 8 is ''ipv4 any any any permit''.)
Refer to the scenario.
An organization wants the AOS-CX switch to trigger an alert if its RADIUS server (cp.acnsxtest.local) rejects an unusual number of client authentication requests per hour. After some discussions with other Aruba admins, you are still not sure how many rejections are usual or unusual. You expect that the value could be different on each switch.
You are helping the developer understand how to develop an NAE script for this use case.
You are helping the developer find the right URI for the monitor.
Refer to the exhibit.
You have used the REST API reference interface to submit a test call. The results are shown in the exhibit.
Which URI should you give to the developer?
This is because this URI specifies the exact attribute that contains the number of access rejects from the RADIUS server, which is the information that the NAE script needs to monitor and trigger an alert.
A) /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics. This is not the correct URI because it returns the entire authstatistics object, which contains more information than the access rejects, such as access accepts, challenges, timeouts, etc. This might make the NAE script more complex and inefficient to parse and process the data.
B) /rest/v1/system/vrfs/mgmt/radius/servers/cp.acnsxtest.local/2083/tcp?attributes=authstatistics?attributes=access_rejects. This is not a valid URI because it has two question marks, which is a syntax error. The question mark is used to indicate the start of the query string, which can have one or more parameters separated by ampersands. The correct way to specify multiple attributes is to use a comma-separated list after the question mark, such as ?attributes=attr1,attr2,attr3.
C) /rest/v1/system/vrfs/mgmt/radius/_servers/cp.acnsxtest.local/2083/tcp. This is not a valid URI because it has an extra underscore before servers, which is a typo. The correct resource name is servers, not _servers. Moreover, this URI does not specify any attributes, which means it will return the default attributes of the RADIUS server object, such as name, port, protocol, etc., but not the authstatistics or access_rejects.
7of30
A customer has an AOS 10-based solution, including Aruba APs. The customer wants to use Cloud Auth to authenticate non-802.1X capable IoT devices.
What is a prerequisite for setting up the device role mappings?
Option A is incorrect because NetConductor is not related to Cloud Authentication and Policy. NetConductor is a cloud-based network management solution that simplifies the deployment and operation of Aruba Instant networks.
Option C is incorrect because integrating Aruba ClearPass Policy Manager (CPPM) and Device Insight is not a prerequisite for setting up the device role mappings. CPPM and Device Insight can work together to provide enhanced visibility and control over IoT devices, but they are not required for Cloud Authentication and Policy.
Option D is incorrect because creating global role-to-role firewall policies in Central is not a prerequisite for setting up the device role mappings. Global role-to-role firewall policies are used to define the traffic rules between different client roles across the entire network, but they are not required for Cloud Authentication and Policy.
Refer to the scenario.
A customer has an Aruba ClearPass cluster. The customer has AOS-CX switches that implement 802.1X authentication to ClearPass Policy Manager (CPPM).
Switches are using local port-access policies.
The customer wants to start tunneling wired clients that pass user authentication only to an Aruba gateway cluster. The gateway cluster should assign these clients to the ''eth-internet" role. The gateway should also handle assigning clients to their VLAN, which is VLAN 20.
The plan for the enforcement policy and profiles is shown below:
The gateway cluster has two gateways with these IP addresses:
* Gateway 1
o VLAN 4085 (system IP) = 10.20.4.21
o VLAN 20 (users) = 10.20.20.1
o VLAN 4094 (WAN) = 198.51.100.14
* Gateway 2
o VLAN 4085 (system IP) = 10.20.4.22
o VLAN 20 (users) = 10.20.20.2
o VLAN 4094 (WAN) = 198.51.100.12
* VRRP on VLAN 20 = 10.20.20.254
The customer requires high availability for the tunnels between the switches and the gateway cluster. If one gateway falls, the other gateway should take over its tunnels. Also, the switch should be able to discover the gateway cluster regardless of whether one of the gateways is in the cluster.
Assume that you have configured the correct UBT zone and port-access role settings. However, the solution is not working.
What else should you make sure to do?
The correct answer is B. Create a new VLAN on the AOS-CX switch and configure that VLAN as the UBT client VLAN.
The other options are not correct or relevant for this issue:
Option C is not correct because VIA licenses are not required for UBT. VIA licenses are required for enabling VPN services on Aruba Mobility Controllers for remote access clients using Aruba Virtual Intranet Access (VIA) software . VIA licenses are not related to UBT or wired clients.
Option D is not correct because changing the port-access auth-mode mode to client-mode on any edge ports to which tunneled clients might connect would not affect UBT. The port-access auth-mode mode determines how a port handles authentication requests from multiple clients connected to a single port . Client-mode is the default mode that allows only one client per port, while multi-client-mode allows multiple clients per port. The port-access auth-mode mode does not affect how UBT works or how traffic is tunneled from a port.
A company has an Aruba ClearPass server at 10.47.47.8, FQDN radius.acnsxtest.local. This exhibit shows ClearPass Policy Manager's (CPPM's) settings for an Aruba Mobility Controller (MC).
The MC is already configured with RADIUS authentication settings for CPPM, and RADIUS requests between the MC and CPPM are working. A network admin enters and commits this command to enable dynamic authorization on the MC:
aaa rfc-3576-server 10.47.47.8
But when CPPM sends CoA requests to the MC, they are not working. This exhibit shows the RFC 3576 server statistics on the MC:
How could you fix this issue?
In this scenario, the MC is configured with the IP address of the CPPM server (10.47.47.8) as the RFC 3576 server, but it is using the default UDP port of 3799. However, according to the exhibit, the CPPM server is using a different UDP port of 1700 for dynamic authorization . This mismatch causes the CoA requests from CPPM to fail on the MC, as shown by the statistics .
- Select Question Types you want
- Set your Desired Pass Percentage
- Allocate Time (Hours : Minutes)
- Create Multiple Practice tests with Limited Questions
- Customer Support
Dahlia
8 days agoJoana
2 months agoLinwood
3 months agoVallie
4 months agoLatia
5 months agoPeter
5 months agoKizzy
6 months agoDierdre
6 months agoIlona
6 months agoRana
7 months agoMelissia
7 months agoKatina
7 months agoRolf
8 months agoHelga
8 months agoDetra
8 months agoGoldie
9 months agoCecil
9 months agoCecilia
9 months agoNatalie
9 months agoCecilia
9 months agoEthan
10 months agoMitsue
10 months agoEvangelina
11 months agoEladia
11 months agoBlondell
12 months agoMike
1 years agoWinifred
1 years agoLavonna
1 years agoLorrine
1 years agoBrittani
1 years ago