HP Exam HPE6-A84 Topic 2 Question 15 Discussion

Actual exam question for HP's HPE6-A84 exam

Question #: 15
Topic #: 2

You are setting up Aruba ClearPass Policy Manager (CPPM) to enforce EAP-TLS authentication with Active Directory as the authentication source. The company wants to prevent users with disabled accounts from connecting even if those users still have valid certificates.

As the first part of meeting these criteria, what should you do to enable CPPM to determine where accounts are enabled in AD or not?

AAdd an Endpoint Context Server to the domain controller with actions for querying the domain controller for account status.

BEnable OCSP in the EAP-TLS authentication method settings and configure an OCSP override to the domain controller FQDN.

CAdd a custom attribute for userAccountControl to the filters in the AD authentication source.

DInstall a Microsoft Active Directory extension in Aruba ClearPass Guest and set up an HTTP authentication source that points to that extension.

Show Suggested Answer

Suggested Answer: C

According to the ClearPass Policy Manager User Guide1, userAccountControl is a custom attribute in Active Directory that contains a set of flags that define the properties and behavior of user accounts. One of these flags is ACCOUNTDISABLE, which indicates whether the account is disabled or not. By adding this attribute to the filters in the AD authentication source, CPPM can retrieve this attribute for each user and use it as a condition in the enforcement policies to prevent users with disabled accounts from connecting even if they have valid certificates. Therefore, option C is the correct answer.

by Paz at Apr 09, 2024, 11:47 PM

Limited Time Offer

25%

17 days ago

Whoa, this question is tricky! We need to figure out how to get CPPM to check the AD account status, but it's not straightforward. I'm going to have to think this through.

upvoted 0 times

...