Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

HP Exam HPE6-A84 Topic 2 Question 15 Discussion

Actual exam question for HP's HPE6-A84 exam
Question #: 15
Topic #: 2
[All HPE6-A84 Questions]

You are setting up Aruba ClearPass Policy Manager (CPPM) to enforce EAP-TLS authentication with Active Directory as the authentication source. The company wants to prevent users with disabled accounts from connecting even if those users still have valid certificates.

As the first part of meeting these criteria, what should you do to enable CPPM to determine where accounts are enabled in AD or not?

Show Suggested Answer Hide Answer
Suggested Answer: C

According to the ClearPass Policy Manager User Guide1, userAccountControl is a custom attribute in Active Directory that contains a set of flags that define the properties and behavior of user accounts. One of these flags is ACCOUNTDISABLE, which indicates whether the account is disabled or not. By adding this attribute to the filters in the AD authentication source, CPPM can retrieve this attribute for each user and use it as a condition in the enforcement policies to prevent users with disabled accounts from connecting even if they have valid certificates. Therefore, option C is the correct answer.


by Paz at Apr 09, 2024, 11:47 PM

Limited Time Offer

25%

Off

Get Premium HPE6-A84 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Olive
8 months ago
Yeah, OCSP override to the domain controller FQDN seems like a necessary step to take.
upvoted 0 times
...
Tatum
8 months ago
I believe enabling OCSP in EAP-TLS authentication method settings could also help in this scenario.
upvoted 0 times
...
Shasta
9 months ago
That sounds like a good idea. It would help us determine if accounts are disabled in AD.
upvoted 0 times
...
Paris
9 months ago
I think we need to add an Endpoint Context Server to query the domain controller for account status.
upvoted 0 times
...
Hermila
9 months ago
I think installing a Microsoft Active Directory extension in Aruba ClearPass Guest might be the best option here.
upvoted 0 times
...
Royce
10 months ago
But wouldn't adding a custom attribute for userAccountControl help in determining if an account is enabled or not?
upvoted 0 times
...
Leonida
10 months ago
I disagree, I believe we need to enable OCSP in the EAP-TLS authentication method settings and configure an OCSP override to the domain controller FQDN.
upvoted 0 times
...
Royce
10 months ago
I think we should add a custom attribute for userAccountControl to the filters in the AD authentication source.
upvoted 0 times
...
Ilona
11 months ago
D? Really? I don't know, that seems like a bit of a workaround. Why not just go with the direct AD integration in the first place?
upvoted 0 times
...
An
11 months ago
I don't know, guys. I'm kinda leaning towards D - the Microsoft AD extension in ClearPass Guest. That might be the easiest way to integrate with AD.
upvoted 0 times
...
Kathryn
11 months ago
You know, B might be a good option too. OCSP is designed for this kind of thing. Though it might be a bit more complex to set up.
upvoted 0 times
...
Johnna
11 months ago
Yeah, C does sound the most logical. But what about B - using OCSP? Wouldn't that also work by querying the domain controller directly?
upvoted 0 times
...
Gladys
11 months ago
Hmm, I'm leaning towards C - adding a custom attribute for userAccountControl in the AD authentication source. That seems like the most direct way to check the account status.
upvoted 0 times
Una
9 months ago
I'm not sure, but maybe option D) could also be a good solution. Installing a Microsoft Active Directory extension in Aruba ClearPass Guest could help with authentication.
upvoted 0 times
...
Shantay
9 months ago
I agree with Isaiah, option A) sounds like it would work effectively in this case.
upvoted 0 times
...
Isaiah
10 months ago
I think option A) might be a better choice. Adding an Endpoint Context Server to the domain controller seems like a direct way to query account status.
upvoted 0 times
...
...
Latonia
11 months ago
Whoa, this question is tricky! We need to figure out how to get CPPM to check the AD account status, but it's not straightforward. I'm going to have to think this through.
upvoted 0 times
...

Save Cancel