HPE6-A85 Online Practice Questions and Answers

Correct Answer: B

Explanation: The RADIUS message that you should look for to ensure a successful connection via 802.1X is Access-Accept. This message indicates that the RADIUS server has authenticated and authorized the supplicant (the device that

wants to access thenetwork) and has granted it access to the network resources. The Access-Accept message may also contain additional attributes such as VLAN ID, session timeout, or filter ID that specify how the authenticator (the device

that controls access to the network, such as a switch) should treat the supplicant's traffic. The other options are not RADIUS messages because:

Authorized: This is not a RADIUS message, but a state that indicates that a port on an authenticator is allowed to pass traffic from a supplicant after successful authentication and authorization.

Success: This is not a RADIUS message, but a status that indicates that an EAP Extensible Authentication Protocol (EAP) is an authentication framework that provides support for multiple authentication methods, such as passwords,

certificates, tokens, or biometrics. EAP is used in wireless networks and point-to- point connections to provide secure authentication between a supplicant (a device that wants to access the network) and an authentication server (a device that

verifies the credentials of the supplicant). exchange has completed successfully between a supplicant and an authentication server. Authenticated: This is not a RADIUS message, but a state that indicates that a port on an authenticator has

received an EAP-Success message from an authentication server after successful authentication of a supplicant.

References: https://en.wikipedia.org/wiki/RADIUS#Access-Accept

https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user- service-radius/13838-10.html

https://en.wikipedia.org/wiki/IEEE_802.1X#Port- based_network_access_control

https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP_exchange

Correct Answer: D

Explanation: The status of "ALFOE" means that LACP Link Aggregation Control Protocol (LACP) is a network protocol that provides dynamic negotiation of link aggregation between two devices. LACP allows multiple physical links to be combined into a single logical link for increased bandwidth, redundancy, and load balancing. LACP is defined in IEEE 802.3ad standard. is working fine with no problems when checking LACP with "show lacp interfaces". The status of "ALFOE" is an acronym that stands for:

A: Active - The interface is actively sending LACP packets to negotiate link aggregation with the peer device.

L: Link Up - The interface has physical connectivity with the peer device.

F: Aggregatable - The interface can be aggregated with other interfaces into a single logical link.

O: Synchronized - The interface has successfully negotiated link aggregation parameters with the peer device and can transmit or receive traffic on the logical link.

E: Collecting/Distributing - The interface is collecting incoming traffic from the peer device and distributing outgoing traffic to the peer device on the logical link.

The other options are not correct because:

The interface on the local switch is configured as static-LAG: This option is false because static-LAG does not use LACP to negotiate link aggregation. Static-LAG requires manual configuration of link aggregation parameters on both devices

and does not have any status indicators.

LACP is not configured on the peer side: This option is false because if LACP is not configured on the peer side, the status of the interface would be "ALF? instead of "ALFOE". This means that the interface would not be synchronized or

collecting/distributing with the peer device.

LACP is in a synchronizing process: This option is false because if LACP is in a synchronizing process, the status of the interface would be "ALF-O" instead of "ALFOE". This means that the interface would not be collecting/distributing with

the peer device.

References: https://www.arubanetworks.com/techdocs/AOS- CX_10_08/NOSCG/Content/cx-noscg/lag/lag-overview.htm https://www.arubanetworks.com/techdocs/AOS-CX_10_08/NOSCG/Content/cx- noscg/lag/lag-lacp.htm https:// www.arubanetworks.com/techdocs/AOS- CX_10_08/NOSCG/Content/cx-noscg/lag/lag-lacp-status.htm

Correct Answer: C

Explanation: Aruba AirMatch is a feature that optimizes RF Radio Frequency. RF is any frequency within the electromagnetic spectrum associated with radio wave propagation. When an RF current is supplied to an antenna, an

electromagnetic field is created that then is able to propagate through space. performance and user experience by using machine learning algorithms and historical data to dynamically adjust AP power levels, channel assignments, and

channel width. AirMatch performs live firmware upgrades on Aruba APs by partitioning all the APs based on RFneighborhood data and minimizing the impact on clients. AirMatch uses a rolling upgrade process that upgrades one partition at a

time while ensuring that adjacent partitions are not upgraded simultaneously.

References:

https://www.arubanetworks.com/assets/ds/DS_AirMatch.pdfhttps://www.arubanetworks.co m/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/arm/AirMatch.htm

Correct Answer: A

Explanation: The part of WPA Key Hierarchy that is used to encrypt and/or decrypt data is Pairwise Temporal Key (PTK). PTK is a key that is derived from PMK Pairwise Master Key (PMK) is a key that is derived from PSK Pre-shared Key (PSK) is a key that is shared between two parties before communication begins , ANonce Authenticator Nonce (ANonce) is a random number generated by an authenticator (a device that controls access to network resources, such as an AP) , SNonce Supplicant Nonce (SNonce) is a randomnumber generated by supplicant (a device that wants to access network resources, such as an STA) , AA Authenticator Address (AA) is MAC address of authenticator , SA Supplicant Address (SA) is MAC address of supplicant using Pseudo-Random Function (PRF). PTK consists of four subkeys: KCK Key Confirmation Key (KCK) is used for message integrity check KEK Key Encryption Key (KEK) is used for encryption key distribution TK Temporal Key (TK) is used for data encryption MIC Message Integrity Code (MIC) key The subkey that is specifically used for data encryption is TK Temporal Key (TK). TK is also known as Pairwise Transient Key (PTK). TK changes periodically during communication based on time or number of packets transmitted. The other options are not part of WPA Key Hierarchy because: PMK: PMK is not part of WPA Key Hierarchy, but rather an input for deriving PTK. KCK: KCK is part of WPA Key Hierarchy, but it is not used for data encryption, but rather for message integrity check. Nonce: Nonce is not part of WPA Key Hierarchy, but rather an input for deriving PTK.

References: https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA_key_hierarchy_and_management https://www.cwnp.com/wp- content/uploads/pdf/WPA2.pdf

Correct Answer: A

Explanation: Aruba's Captive Portal uses Layer 3 authentication, which means that it intercepts the client's HTTP requests and redirects them to a web page where the client can enter their credentials. The credentials are then verified by a RADIUS server or a local database before granting network access. References:https://www.arubanetworks.com/techdocs/Instant_86_WebHelp/Content/instan t-ug/captive-portal/captive-portal-auth.htm

Correct Answer: C

Explanation: A slow amber-flashing Stack-LED indicates that stacking mode is selected on the switch. This means that the switch is ready to join a stack or form a new stack if no other switches are present.

References: https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/ar ubaos-solutions/1-overview/stacking-leds.htm

Correct Answer: C

Explanation: AirMatch is a feature that provides centralized RF planning and optimization service for Aruba wireless networks. It uses cloud-based algorithms and machine learning to optimize the RF performance and user experience. References:https://www.arubanetworks.com/assets/ds/DS_AirMatch.pdf

Correct Answer: C

Explanation: The weakness introduced into WLAN environment when WPA2-Personal is used for security is that PMK Pairwise Master Key (PMK) is a key that is derived from PSK Pre-shared Key (PSK) is a key that is shared between two parties before communication begins , which are both fixed. This means that all users who know PSK can generate PMK without any authentication process. This also means that if PSK or PMK are compromised by an attacker, they can be used to decrypt all traffic encrypted with PTK Pairwise Temporal Key (PTK) is a key that is derived from PMK, ANonce AuthenticatorNonce (ANonce) is a random number generated by an authenticator (a device that controls access to network resources, such as an AP), SNonce Supplicant Nonce (SNonce) is a random number generated by supplicant (a device that wants to access network resources, such as an STA), AA Authenticator Address (AA) is MAC address of authenticator, SA Supplicant Address (SA) is MAC address of supplicant using Pseudo-Random Function (PRF). PTK consists of four subkeys: KCK Key Confirmation Key (KCK) is used for message integrity check, KEK Key Encryption Key (KEK) is used for encryption key distribution, TK Temporal Key (TK) is used for data encryption, MIC Message Integrity Code (MIC) key. . The other options are not weaknesses because: It uses X 509 certificates generated by a Certification Authority: This option is false because WPA2-Personal does not use X 509 certificates or Certification Authority for authentication. X 509 certificates and Certification Authority are used in WPA2- Enterprise mode, which uses 802.1X and EAP Extensible Authentication Protocol (EAP) is an authentication framework that provides support for multiple authentication methods, such as passwords, certificates, tokens, or biometrics. EAP is used in wireless networks and point-to-point connections to provide secure authentication between a supplicant (a device that wants to access the network) and an authentication server (a device that verifies the credentials of the supplicant). for user authentication with a RADIUS server Remote Authentication Dial-In User Service (RADIUS) is a network protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service . The Pairwise Temporal Key (PTK) is specific to each session: This option is false because PTK being specific to each session is not a weakness but a strength of WPA2-Personal. PTK being specific to each session means that it changes periodically during communication based on time or number of packets transmitted. This prevents replay attacks and increases security of data encryption. It does not use the WPA 4-Way Handshake: This option is false because WPA2- Personal does use the WPA 4-Way Handshake for key negotiation. The WPA 4- Way Handshake is a process that allows the station and the access point to exchange ANonce and SNonce and derive PTK from PMK. The WPA 4-Way Handshake also allows the station and the access point to verify each other's PMK and confirm the installation of PTK.

References: https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA_key_hierarchy_and_management https://www.cwnp.com/wp- content/uploads/pdf/WPA2.pdf

Correct Answer:

Correct Answer: