Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

HP Exam HPE6-A84 Topic 8 Question 36 Discussion

Actual exam question for HP's HPE6-A84 exam
Question #: 36
Topic #: 8
[All HPE6-A84 Questions]

You are setting up Aruba ClearPass Policy Manager (CPPM) to enforce EAP-TLS authentication with Active Directory as the authentication source. The company wants to prevent users with disabled accounts from connecting even if those users still have valid certificates.

As the first part of meeting these criteria, what should you do to enable CPPM to determine where accounts are enabled in AD or not?

Show Suggested Answer Hide Answer
Suggested Answer: C

According to the ClearPass Policy Manager User Guide1, userAccountControl is a custom attribute in Active Directory that contains a set of flags that define the properties and behavior of user accounts. One of these flags is ACCOUNTDISABLE, which indicates whether the account is disabled or not. By adding this attribute to the filters in the AD authentication source, CPPM can retrieve this attribute for each user and use it as a condition in the enforcement policies to prevent users with disabled accounts from connecting even if they have valid certificates. Therefore, option C is the correct answer.


by Jannette at Jan 12, 2025, 12:54 PM

Limited Time Offer

25%

Off

Get Premium HPE6-A84 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Lauryn
15 days ago
Option D sounds like overkill. Why install a whole extension when we can just use the userAccountControl attribute? C is the winner here.
upvoted 0 times
...
Janna
16 days ago
Haha, OCSP? What is this, 2005? C is definitely the way to go, keep it simple.
upvoted 0 times
Sharen
3 days ago
C
upvoted 0 times
...
Roy
11 days ago
A
upvoted 0 times
...
...
Shawna
25 days ago
I see your point, but I still think A is the best option because it directly queries the domain controller for account status.
upvoted 0 times
...
Delisa
28 days ago
I agree with Mila, C is the best choice. We need to access that user status info directly from AD, and the custom attribute is the cleanest solution.
upvoted 0 times
Barrett
3 days ago
I think C is the way to go. We need that direct access to AD for user status.
upvoted 0 times
...
Demetra
7 days ago
A) Add an Endpoint Context Server to the domain controller with actions for querying the domain controller for account status.
upvoted 0 times
...
Laquanda
15 days ago
C) Add a custom attribute for userAccountControl to the filters in the AD authentication source.
upvoted 0 times
...
...
Fabiola
1 months ago
I disagree, I believe the answer is C) Add a custom attribute for userAccountControl to the filters in the AD authentication source.
upvoted 0 times
...
Mila
1 months ago
Option C looks like the way to go. Querying the userAccountControl attribute in AD seems like the most straightforward approach here.
upvoted 0 times
Jesusita
18 days ago
User 3: Agreed, querying the userAccountControl attribute in AD should help us enforce the criteria effectively.
upvoted 0 times
...
Layla
22 days ago
User 2: That sounds like a good plan. It seems like the most direct way to determine if accounts are enabled or not.
upvoted 0 times
...
Lasandra
1 months ago
User 1: I think we should go with option C and add a custom attribute for userAccountControl to the filters in the AD authentication source.
upvoted 0 times
...
...
Shawna
1 months ago
I think the correct answer is A) Add an Endpoint Context Server to the domain controller with actions for querying the domain controller for account status.
upvoted 0 times
...

Save Cancel