HP Exam HPE6-A84 Topic 8 Question 36 Discussion

Actual exam question for HP's HPE6-A84 exam

Question #: 36
Topic #: 8

You are setting up Aruba ClearPass Policy Manager (CPPM) to enforce EAP-TLS authentication with Active Directory as the authentication source. The company wants to prevent users with disabled accounts from connecting even if those users still have valid certificates.

As the first part of meeting these criteria, what should you do to enable CPPM to determine where accounts are enabled in AD or not?

AAdd an Endpoint Context Server to the domain controller with actions for querying the domain controller for account status.

BEnable OCSP in the EAP-TLS authentication method settings and configure an OCSP override to the domain controller FQDN.

CAdd a custom attribute for userAccountControl to the filters in the AD authentication source.

DInstall a Microsoft Active Directory extension in Aruba ClearPass Guest and set up an HTTP authentication source that points to that extension.

Show Suggested Answer

Suggested Answer: C

According to the ClearPass Policy Manager User Guide1, userAccountControl is a custom attribute in Active Directory that contains a set of flags that define the properties and behavior of user accounts. One of these flags is ACCOUNTDISABLE, which indicates whether the account is disabled or not. By adding this attribute to the filters in the AD authentication source, CPPM can retrieve this attribute for each user and use it as a condition in the enforcement policies to prevent users with disabled accounts from connecting even if they have valid certificates. Therefore, option C is the correct answer.

by Jannette at Jan 12, 2025, 12:54 PM

Limited Time Offer

25%

Off

Get Premium HPE6-A84 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Fabiola

1 days ago

I disagree, I believe the answer is C) Add a custom attribute for userAccountControl to the filters in the AD authentication source.

upvoted 0 times

...

Mila

2 days ago

Option C looks like the way to go. Querying the userAccountControl attribute in AD seems like the most straightforward approach here.

upvoted 0 times

...

Shawna

2 days ago

I think the correct answer is A) Add an Endpoint Context Server to the domain controller with actions for querying the domain controller for account status.

upvoted 0 times

...