Which of the following core components of ARM enables intelligent distribution of clients across available channel capacity?
Multi-band scan
Spectrum load balancing
Rogue AP detection
Band steering
Which one of the following file types cannot be imported to Visual RF Plan?
dwg
jpg
TIFF
gif
When adding licenses in the startup wizard license screen a reboot is required:
After each license is installed
Before any other configuration can take place
Only if the Policy Enforcement Firewall license is installed
A reboot is not required until you have completed the configuration wizard
When looking at clients in the ‘Monitoring Clients’ section of the Controller, which of the following information is not visible?
Role
MAC Address
Output power of client radio
Method of authentication
When configuring a guest WLAN via the WLAN section of the startup wizard which security option is not available?
WEP encryption
Direct access to the internet with no captive portal
Captive portal with authentication via credentials
Captive portal with email registration
What information is required by an AP in order to boot? (select all that apply)
AP’s IP Address, Netmask, Default Gateway
AP’s Name and Group
Aruba Controller’s Master IP Address
An established NTP connection to the Master Controller
Which of the following statements about management accounts is false?
The root account can be used to monitor access points connected to the controller
The guest-provisioning account can see the controller’s configuration but cannot change it
The read-only account cannot delete internal database entries
The guest-provisioning account can make changes to the internal database
The Guest Provisioning user account has the ability to do which of the following?
Add a new employee to the internal database
Change the “look” and “feel” of the guest provisioning page
Change the available data fields on the guest provisioning page
Add a guest user to the internal database
In a Campus AP deployment, what is the difference between a Direct and an Overlay deployment?
In an overlay deployment APs are connected directly to the Controller while in a direct deployment, APs are connected to other Layer 2 or Layer 3 devices.
The Controller supplies PoE to APs in an Overlay Deployment while APs draw power from other PoE switches in a Direct deployment
In a direct deployment, APs are directly connected to the controller while in an overlay deployment APs are connected to other Layer 2 or Layer 3 devices.
In an overlay deployment, the APs cannot terminate their GRE tunnels at the controller, while in a direct deployment they can.
What does SET ORIENTATION option do in the Visual RF Plan edit tool?
Set the horizontal plane on each floor
Give the option to resize a floor
Sets the North/South orientation of the building
Sets the proper vertical floor plan alignment
How many roles should be created on a controller?
As many as necessary
the same number as firewall policies
one less than the number of firewall policies
the same number as SSIDs
802.1X authentication takes place
Prior to granting access to L2 media
After the user has an IP address
After the user sees the captive portal page
Prior to the user associating with the AP
Firewall policy should be written from:
Least specific to most specific
Most specific to least specific
Most important resources first
Order is not important
Which role is assigned prior to launching the captive portal splash screen?
Pre-authentication role
Post-authentication role
AAA role
AAA-CP role
When local controller is selected as the controller’s operation mode in the startup wizard, which is no longer configurable?
Licenses
WLANs
VLANs and IP addressing
Controller country code
The characteristics of 802.1X Authentication include (select all that apply):
L3 Authentication
Extensible Authentication Protocol
Support of RADIUS external authentication
Port based authentication
A reboot of the controller is necessary in which of the following scenarios? (Select all that apply)
Changing controller IP
Changing the VLAN of a Virtual AP Profile
Creating of a new AP Group
Changing of Controller Roles
Which of the following parameters are not needed by Visual RF Plan in order to Plan APs on a floor region?
AP Type
PHY Type
Distance to Controller
Environment
In decrypt-tunneled forwarding mode, which of the following is true?
Client sets up an IPSEC tunnel with the controller
The AP converts the 802.11 frame to an Ethernet frame and sends this in a GRE tunnel to the controller
The AP decrypts the 802.11 frame and bridges it on the wire
The AP decrypts the 802.11 frame, encrypts it as an Ethernet frame and sends it to the controller
When a client is blacklisted, the controller will:
Send a message telling the client it has been blacklisted
De-authenticate the client from the network but allow it to keep transmitting data
Only block the client if it hasn’t yet associated with an AP
Stop the client from associating with any SSID on the controller
Remote AP in tunnel mode, by default, uses which of the following to encrypt user traffic back to the mobility controller:
L2TP over IPSec is used to carry user traffic and control traffic
PPTP is used to tunnel user traffic
The AP does not encrypt user traffic. The user's link layer encryption is used.
Remote AP traffic is unencrypted
The AP Wizard allows the selection of APs to be provisioned using which of the following methods (select all that apply)?
APs in particular AP Group
All APs
APs designated as Air Monitors
APs meeting specified search criteria
What is the purpose of the validuser ACL?
When a user transmits data through the controller, the validuser ACL is used to check if the user is in the layer 3 user-table
Before a client is added to the controller’s user table, the validuser ACL is checked to make sure the client has a valid IP address
The validuser ACL is used during 802.1X authentication to check that the client is in the layer 3 user-table
When an AP needs to transmit data to a user, it checks the validuser ACL to make sure the user has a valid IP address
When configuring the Mobility Controller’s internal DHCP via the startup wizard which option is not available for configuration?
Pool name
Default router
Option 43
Domain name
An Aruba AP 125 is capable of supporting which of the following network types? (choose all that apply)
802.11b
802.11n
802.11a
802.11w
Which of the following cannot be accomplished from the startup wizard?
Basic controller configuration
License installation
VPN configuration
WLAN configuration
WPA and WPA2 can use the following authentication methods: (select all that apply)
WEP Keys
PSK
802.1X
Captive Portal
When configuring roles under ‘Access Control’ in the Controller’s Configuration page, what does the ‘show reference’ action tell us?
Which firewall hits were detected that refer to the role
Which profiles refer to the role
What policies are inside the role
What users are currently assigned that role
Which of the following is true of an Aruba Mobility Controller acting as a layer 3 router? (select all that apply)
The Mobility Controller is the client's default router.
The Mobility Controller acts as a bridge.
DHCP can be provided by the network infrastructure or the Mobility Controller
The Mobility Controller supports BGP.
Which of the following can be configured in the GUI setup wizard: (choose all that apply)
Timezone
WLAN
WLAN trunck
Loopback address
Which of the following is not available for configuration in the startup wizard?
RF Plan
Administrator and enable passwords
Native VLANs on a per port basis
WPA-PSK encryption
Which of the following is true about configuring a server group?
Server rules are used to send information to the configured servers
A server group can have more than 1 server
If the internal database is used in the server group, then no external servers can be added
If multiple servers are assigned to the server group, all except the 1st will be ignored
Which is the strongest encryption type?
AES
TKIP
WEP
MSCHAPv2
Which of the following would be appropriate for standalone MAC Authentication?
Guest user
Internal user
Barcode scanner
Admin user
What is not a basic configuration in the startup wizard when configuring a WLAN?
SSID
VLAN
Radio Type
Anntena Type
What are some best practices when configuring the Aruba Firewall? Select all that apply.
Use aliases when possible
Write rules from least specific to most specific
Take actions like blacklisting when users violate policies
Create a different policy for each unique rule
Which firewall action is necessary in a guest pre-authentication role to display the captive portal login screen?
SRC-NAT
DST-NAT
allow all
allow CP
Clients connecting to a remote AP at a branch office can get an IP address through which of the following methods? (Select all that apply)
DHCP server connected to the Remote AP’s controller
DHCP server at a branch office
DHCP server inside the Remote AP
All of the above
What are the four views available in Visual RF Plan?
User View
Controller View
Access Point View
Floor Plan View
Network, Campus and Building View
Time range is applied directly to which of the following:
Firewall Policy
Firewall Rule
Profile
In what order does the AP dynamically discover the Master controller?
DNS query, ADP Broadcast, ADP Multicast, DHCP option 43
DHCP option 43, ADP Multicast, ADP Broadcast, DNS query
DHCP option 43, DNS query, ADP Multicast, ADP Broadcast
ADP Multicast, ADP Broadcast, DHCP option 43, DNS query
Identify the benefits of using aliases when writing firewall policies (select all that apply)
Makes policies more readable
Changes to policy rules that use aliases are auto updated.
End users are applied to the proper role
Which of the following is true of an Aruba Mobility Controller acting as a layer 2 switch? (select all that apply)
All stations must use the same VLAN
Uplink ports on the Mobility Controller can use 802.1q
A Remote AP uses which type of secure tunnel to communicate with a controller:
NAT-T
IPSec
PPTP
GRE
Which ARM function converts APs with excess capacity into Air Monitors?
Airtime fairness
Coordinated access to a single channel
Co-channel interference mitigation
Client aware scanning
Which roles must be configured via the startup wizard when captive portal is being configured (select all that apply)?
Roles are not used on the Aruba system
Pre-Authentication role
Authenticated role
Unauthenticated role
Which of the following needs to be done prior to attempting to use the GUI quick setup of a factory defaulted Aruba S3500 Mobility Access Switch?
Set the S3500 IP address to the 172.16.0.0 range
Quick-Setup needs to be enabled on the LCD Panel
Connect the S3500 to the network for DHCP
Set the laptop IP address to the 192.168.0.0 range
Which of the following information is gathered by APs during scanning periods? (Select all that apply)
MAC addresses of neighboring APs
Security threats in the surroundings
Type of non-802.11 interference detected
Interfering Clients connected to other APs
Which of the following deployment types is NOT a valid option when using the AP Wizard?
Campus
Mesh
Roaming
Remote Mesh
Which Aruba controllers are able to provide IEEE 802.3af POE? (Choose all the correct answers.)
3200
620
650
6000
Which of the following controllers has an integrated single radio AP?
651
What is the maximum number of campus APs supported by a 620 controller?
32
8
16
24
Which access point models support concurrent operations in both the “b/g” band as well as the “a” band? (Choose all the correct answers.)
RAP2
AP-120
AP-105
AP-125
AP-135
Which of the following APs do not support dual radio operations? (Choose all the correct answers.)
RAP-5
AP-124
Which of the following APs support remote AP operation?
An Aruba based network has a Master and three local controllers. No APs terminate on the Master controller. IDS is desired, so the administrator wants to install the "RFProtect license." On which controller should the license be installed?
master controller since it performs the IDS analysis
the local controllers since the APs terminate there
all of the controllers
this isn't the correct license for this purpose
What do you need to generate a feature license key for an Aruba controller?
controller's MAC address and the feature description
controller's MAC address and the certificate number
controller's Serial Number and the feature description
controller's Serial Number and the certificate number
What are the PEF-NG license limits based on?
Number of APs
Limit One per controller
Number of users
Number of local controllers
Which of the following licenses are consumed by RAP?
AP license
PEF-NG license
PEF-V license
No license required
The permanent licenses on the controller will be deleted with the use of which command?
delete license
write erase
Licenses cannot be deleted once activated
write erase all
Which statement is true about the Content Security License?
Applied to the master controller
Applied to all the controllers in the network
It is based on number of users
It is based on number of APs
What is the best practice regarding licensing for a backup master to support Master Redundancy?
Backup master only requires the AP license
License limits should be the same on primary master and backup Master
Licenses are pushed from the primary to the backup Master along with the configuration
Backup Master does not require licenses to support master redundancy
Which may be applied directly to an interface? (Choose all the correct answers.)
Access List (ACL)
Roles
RF Plan Map
What new firewall action was added specifically for use with Aruba's Content Security Service? VisualRF supports import of floor plans from:
dst-nat
dual-nat
route dst-nat
redirect to tunnel
When creating a firewall policy, which of the following parameters are required? (Choose all the correct answers.)
Destination
Service
Source
Log
Action
In all unmodified default AAA profiles, in which default initial role is the user placed?
trusted-ap
guest
pre-guest
logon
When are the system-defined default roles added to the configuration on the controller?
when the controller is first booted
when an RF Proctect license is added to the controller
when created manually
when a PEF-NG license is added to the controller
When a user first associates to the WLAN, what role are they given?
the guest role
the stateful role
the initial role in the server group profile
the initial role in the AAA profile
Which of the following could be used to set a user's post-authentication role or VLAN association? (Choose all the correct answers.)
AAA default role for authentication method
Server Derivation Rule
Vendor Specific Attributes
AP Derivation Rule
Which describe "roles" as used on Aruba Mobility Controllers? (Choose all the correct answers.)
Roles are assigned to users.
Roles are applied to interfaces.
Policies are built from roles.
A user can belong to only one role at a time.
Which netdestination aliases are built into the controller? (Choose all the correct answers.)
mswitch
any
user
What are aliases used for?
improve performance
simplify the configuration process
tie IP addresses to ports
assign rules to policies
Which of the following statements allows a user to initiate an HTTP session to other devices?
any alias internal-nets svc-dns permit
user any svc-http permit
user user svc-http permit
any any svc-http permit
The Aruba Policy Enforcement Firewall (PEF) module supports destination network address translation (dst-nat). Which is a common use of this statement in an Aruba configuration?
source the IP addresses of users to specific IP address
redirect HTTP sessions to Captive Portal
redirect Access Points to another Aruba controller
provide a telnet connection to the controller
The Aruba Policy Enforcement Firewall (PEF) module supports source network address translation (src-nat). Which is a common use of this statement in an Aruba configuration?
provide a single source IP address for users in a role
redirect Captive Portal HTTP sessions
provide IP addresses to clients
The network administrator wishes to terminate the VPN encryption on the Aruba controller. When writing a firewall rule to accomplish the task of automatically moving the VPN traffic for the wireless clients from a third party VPN concentrator to an Aruba controller, which action needs to be configured in the rule?
redirect to ESI group
source NAT
destination NAT
Review the following truncated output from an Aruba controller for this item. Based on the above output from an Aruba controller, an unauthenticated user assigned to the logon role attempts to start an http session to IP address 172.16.43.170. What will happen?
the user's traffic will be passed to the IP address because of the policy statement: user any svc-http dst-nat 8080
the user's traffic will be passed to the IP address because of the policy statement: user any svc-https dst-nat 8081
the user's traffic will be passed to the IP address because of the policy statement: user any svc-http-proxy1 dst-nat 8088
the user will not reach the IP address because of the policy statement: user any svc-http dst-nat 8080
the user will not reach the IP address because of the implicit deny any any at the end of the policy.
Refer to the following configuration segment for this item. ip access-list session anewone user network 10.1.1.0 255.255.255.0 any permit user host 10.1.1.1 any deny user any any permit Based on the above Aruba Mobility Controller configuration segment, which statements best describe this policy? (Choose all the correct answers.)
The rule user host 10.1.1.1 any deny is redundant because of the implicit deny all at the end.
The rule user network 10.1.1.0 255.255.255.0 any permit is redundant because of the user any any permit at the end.
The two rules user network 10.1.1.0 255.255.255.0 any permit and user host 10.1.1.1 any deny need to be re-sequenced.
This list is fine as is.
Refer to the following configuration segment for this item. netdestination "internal" no invert network 172.16.43.0 255.255.255.0 position 1 range 172.16.11.0 172.16.11.16 position 2 ! ip access-list session "My-Policy" alias "user" alias "internal" service_any permit queue low ! A user frame is evaluated against this access-list with the following attributes: Source IP: 172.17.49.3 Destination IP: 10.100.86.37 Destination Port: 80 Referring to the above file segment, how will the frame be handled by this access-list?
The frame will be dropped because of the implicit deny all at the end of the netdestination definition
The frame will be dropped because of the implicit deny all at the end of the access list.
The frame will be forwarded because of the implicit permit all at the end of the access list.
The frame will be passed because there is no service specified in the access list.
The frame will be dropped because there is no service specified in the access list.
ip access-list session anewone user network 10.1.1.0 255.255.255.0 any permit user any any permit host 10.1.1.1 host 10.2.2.2 any deny A user sends a frame with the following attributes: Source IP: 10.1.1.1 Destination IP: 10.2.2.2 Destination Port: 25 Based on the above Mobility Controller configuration file segment, what will this policy do with the user frame?
The frame is discarded because of the implicit deny all at the end of the policy.
The frame is discarded because of the statement: user host 10.1.1.1 host 10.2.2.2 deny.
The frame is accepted because of the statement: user any any permit.
The frame is accepted because of the statement: user network 10.1.1.0 255.255.255.0 any permit.
This is not a valid policy.
ip access-list session anewone user network 10.1.1.0 255.255.255.0 any permit user host 10.1.1.1 any deny user any any permit Referring to the above portion of a Mobility Controller configuration file, what can you conclude? (Choose all of the correct answers.)
This is a session firewall policy.
This is an extended Access Control List (ACL).
Any traffic going to destination 10.1.1.1 will be denied.
Any traffic going to destination 10.2.2.2 will be denied.
Any traffic going to destination 172.16.100.100 will be permitted.
As a user moves through the authentication process, which of the following is not used in a derivation rule?
MAC address
OS version
Radius attribute
Other than a user role, what attribute can be applied to a user with a derivation rule?
MAC
IP Address
Which is an Aruba specific DSA that can be used in a user derivation rule?
user login name
authentication server
location
controller Loopback address
Which match condition can be used by a server derivation rule?
greater than
less than
inverse of
contains
Where are Aruba Vendor Specific Attributes (VSA) programmed?
controller
client
Internal user database
View the Server group screen shot above. A company has provisioned the same VAP, AAA and SSID profiles at both its Miami and NY offices. This Server Group is applied for 802.1x authentication at both locations. The user's credentials are only found in the Miami Radius server “RadiusMiami”. There is no Radius synchronization. What happens when the user attempts to authenticate?
The controller recognizes the users Domain and sends the authentication request directly to RadiusMiami.
The request is initially sent to RadiusNY1 then RadiusNY1 redirects, the controller, to send the authentication request to RadiusMiami
RadiusNY1 receives the request and returns a deny. No other action is taken.
RadiusNY1 receives the request and returns a deny. The authentications request will then be sent to RadiusMiami.
View the Server group and User Roles screen shots above. A user associated to an SSID with 802.1x using this server group. RadiusNY returned a standard radius attribute of filter-Id with a value of “employee”. The user was placed in the guest Role. What statements below are correct?
The user was placed in the 802.1x authentication default Role guest
The user was placed in the initial Role guest
Role derivation failed because roles are case sensitive
Role derivation failed because the incorrect operation “value-of” was used
802.1x authentication failed so the user was automatically placed in the guest Role
A user associated to an SSID with 802.1x using this server group. RadiusNY returned a standard radius attribute of filter-Id with a value of “employee”. What Role will the user get?
The User will get the Emp Role
The user will get the 802.1x authentication default Role
The User will get the employee Role
The User will get the Employee Role
The User will get the initial Role
Which profiles are required in an AP Group to enable an SSID with VLAN 1, WPA2 and LMSIP?
Virtual-ap ap mesh-radio-profile ap system profile
Wlan ssid-profile ap-system-profile virtual-ap profile
Virtual-ap profile ap-system profile aaa profile
802.1X authentication profile wlan ssid-profile virtual-ap profile
A user connected to a Captive Portal VAP successfully. When the user opens their browser and tries to access their homepage, they get redirected as expected to another URL on the Aruba Controller. However, they see an error message that web authenticatio n has been disabled. What might be a cause of this?
The Captive portal profile has not been assigned to the initial role
The Captive portal profile has not been assigned to the AAA profile
A server group has not been assigned to the captive portal profile
An initial role has not been assigned to the AAA profile
A customer has configured a 3000 controller with the following commands: Vlan 55 Vlan 56 Vlan 57 Interface gigabitethernet 1/0 switchport mode trunk switchport trunk native vlan 55 switchport trunk allowed vlan 55-57 Which of the following sentences best describes this port?
All traffic in vlan 55 will be dropped and all traffic in vlan 56 and 57 will be trunked with and 802.1Q tag
All traffic in vlan 55, 56 and 57 will be trunked with an 802.1Q tag
All traffic in vlan 55 will be sent with an 802.1Q tag while vlan 56 and 57 traffic will be trunked untagged
All traffic in vlan 56 and 57 will be sent with an 802.1Q tag while vlan 55 traffic will be trunked untagged
A customer has a remote AP deployment, where each remote AP has an IPSEC VPN tunnel with L2TP to the controller. 1 of the remote APs is stuck in the user table and hasn't yet transitioned to the AP active table in the controller. The customer suspects that the AP is not setting up its VPN connection successfully. Which of the following commands might be useful in troubleshooting this? Select all that apply.
Logging level debugging security process localdb
Logging level debugging security process l2tp
Logging level debugging security process dot1x
Logging level debugging security process crypto
The screen captures above show the 802.1X authentication profile and AAA profile settings for a VAP. If machine authentication passes and user authentication passes, which role will be assigned?
employee
contractor
you can't tell
The screen captures above show the 802.1X authentication profile and AAA profile settings for a VAP. If machine authentication fails and user authentication fails, which role will be assigned?
Logon
no role will be assigned
What cannot be configured from the Initial Configuration wizards?
Controller name.
Syslog server and levels.
User firewall policy.
User derivation rules
When you create a WLAN SSID in the WLAN/LAN wizard what AP group is it automatically added to?
The air-monitors group
The first configured AP group
The Default AP group
It is only added to the 'All Profiles' section
The reusable wizards are accessible in which one of the following ways?
On startup through the CLI
Through the CLI, after the initial CLI wizard has been completed
In the Web UI under maintenance.
In the Web UI under configuration
What additional fields must be configured in the configuration wizard if the controller role is selected as a local instead of a standalone controller?
The Local's SNMPv3 user name and password
The Master IP address
The Local's loopback address
The IPSec PSK for Master/Local communication
The configuration wizard enables which of the following controller clock configurations?
NTP to a time server
Manually setting the date time
Daylight savings time
Only GMT can be configured
When configuring ports in the configuration wizard, which of the following are not options for configuration?
Inter-VLAN routing
Source NAT
Trusted
LACP
What Wizards can be used to create a new AP Group?
AP Wizard
Controller Wizard
WLAN/LAN Wizard
License Wizard
AP configurations Wizard
By default, which CLI based remote access method is enabled on Aruba controllers?
rsh
Telnet
SSH
Telnet and SSH
Telnet, SSH and rsh
An Aruba controller can be configured to support which CLI based remote access methods?
RSH
SSH and RSH
The Aruba controller's Command Line Interface can be accessed from WITHIN the browser based Web User Interface using which method?
It's not possible to access the CLI from within the WebUI
Embedded Telnet client
Java based SSH client
Proprietary serial over Ethernet client
As an admin/root user, what other types of role-based management users can be created on Aruba controllers? (Choose all the correct answers)
Auditing-compliance user
Read only user
Location-api-management user
Guest provisioning user
Which log type should be enabled to troubleshoot IPSec authentication issues on Aruba Controllers?
Security Logs
Management Logs
Wireless Logs
IDS Logs
Referring to the above screen capture, if an administrator desires to change a specific AP into an AM without assigning the AP to a new group, which menus could be used?
Network > Controller
Wireless > AP Configuration
Wireless > AP Installation
Advanced Services > Wireless
Advanced Services > All Profiles
