In a WLAN setup that uses 802.1X for authentication, the role assigned to a user is determined by the result of the authentication process. When a user successfully authenticates via 802.1X, the RADIUS server may include a Vendor-Specific Attribute (VSA), such as the Aruba-User-Role, in the Access-Accept message. This attribute specifies the role that should be assigned to the user. If the RADIUS Access-Accept message includes an Aruba-User-Role VSA set to " employee1 " , the client should be assigned the " employee1 " role, as per the VSA, and not the default " guest " role. The " guest " role would typically be a fallback if no other role is specified or if the authentication fails.

When managing local certificates on an ArubaOS-Switch, a recommended guideline is to create a trust anchor (TA) profile with the root CA certificate before installing the local certificate. This step ensures that the switch can verify the authenticity of the certificate chain during SSL/TLS communications. The trust anchor profile establishes a basis of trust by containing the root CA certificate, which helps validate the authenticity of any subordinate certificates, including the local certificate installed on the switch. This process is essential for enhancing security on the network, as it ensures that encrypted communications involving the switch are based on a verified certificate hierarchy.

The AOS Wireless Intrusion Prevention System (WIP) in an AOS-8 architecture (Mobility Controllers or Mobility Master) is designed to detect and mitigate wireless threats, such as rogue APs and unauthorized clients. WIP classifies clients and APs based on their behavior and status in the network.

Authorized Client Definition : In the context of WIP, an " Authorized " client is one that has successfully authenticated to an authorized AP (an AP managed by the MC and part of the company’s network) and is actively passing encrypted traffic. This typically means the client has completed 802.1X authentication (e.g., in a WPA3-Enterprise network) or PSK authentication (e.g., in a WPA3-Personal network) and is communicating securely with the AP.

Option D , " A client that has successfully authenticated to an authorized AP and passed encrypted traffic, " is correct. This matches the WIP definition of an Authorized client: the client must authenticate to an AP that is classified as " Authorized " (i.e., part of the company’s network) and must be passing encrypted traffic, indicating a secure connection (e.g., using WPA3 encryption).

Option A , " A client that is on the WIP whitelist, " is incorrect. WIP does not use a client whitelist for classification. The AP whitelist is used to authorize APs, not clients. Client classification (e.g., Authorized, Interfering) is based on their authentication status and connection to authorized APs.

Option B , " A client that has a certificate issued by a trusted Certification Authority (CA), " is incorrect. While a certificate might be used for 802.1X authentication (e.g., EAP-TLS), WIP does not classify clients as Authorized based on their certificate status. The classification depends on successful authentication to an authorized AP and encrypted traffic.

Option C , " A client that is NOT on the WIP blacklist, " is incorrect. WIP does use blacklisting (e.g., for clients that violate security policies), but being " not on the blacklist " does not make a client Authorized. A client must actively authenticate to an authorized AP and pass encrypted traffic to be classified as Authorized.

The HPE Aruba Networking AOS-8 8.11 User Guide states:

" In the Wireless Intrusion Prevention (WIP) system, an ‘Authorized’ client is defined as a client that has successfully authenticated to an authorized AP and is passing encrypted traffic. An authorized AP is one that is managed by the Mobility Controller and part of the company’s network. For example, a client that completes 802.1X authentication to an authorized AP using WPA3-Enterprise and sends encrypted traffic is classified as Authorized. " (Page 414, WIP Client Classification Section)

Additionally, the HPE Aruba Networking Security Guide notes:

" WIP classifies clients as ‘Authorized’ if they have authenticated to an authorized AP and are passing encrypted traffic, indicating a secure connection. Clients that are not authenticated or are connected to rogue or neighbor APs are classified as ‘Interfering’ or other categories, depending on their behavior. " (Page 78, WIP Classifications Section)

The scenario involves an AOS-CX switch configured for 802.1X port-access authentication. The configuration defines several roles and their associated VLANs:

port-access role role1 vlan access 11: Role1 assigns VLAN 11.

port-access role role2 vlan access 12: Role2 assigns VLAN 12.

port-access role role3 vlan access 13: Role3 assigns VLAN 13.

port-access role role4 vlan access 14: Role4 assigns VLAN 14.

The switch has 802.1X authentication enabled globally (aaa authentication port-access dot1x authenticator enable). Two ports are configured:

Interface 1/1/1 :

vlan access 1: Default VLAN is 1.

aaa authentication port-access critical-role role1: If the RADIUS server is unavailable, assign role1 (VLAN 11).

aaa authentication port-access preauth-role role2: Before authentication, assign role2 (VLAN 12).

aaa authentication port-access auth-role role3: After successful authentication, assign role3 (VLAN 13) unless overridden by a VSA.

Interface 1/1/2 : Same configuration as 1/1/1.

Client1 on port 1/1/1 :

Client1 authenticates successfully, and CPPM sends an Access-Accept with the VSA Aruba-User-Role: role4.

In AOS-CX, the auth-role (role3) is applied after successful authentication unless the RADIUS server specifies a different role via the Aruba-User-Role VSA. Since CPPM sends Aruba-User-Role: role4, and role4 exists on the switch, Client1 is assigned role4 (VLAN 14), overriding the default auth-role (role3).

Client2 on port 1/1/2 :

Client2 does not attempt to authenticate (i.e., does not send 802.1X credentials).

In AOS-CX, if a client does not attempt authentication and no other authentication method (e.g., MAC authentication) is configured, the client is placed in the preauth-role (role2, VLAN 12). This role is applied before authentication or when authentication is not attempted, allowing the client limited access (e.g., to perform authentication or access a captive portal).

Option A , " Client1 = role3; Client2 = role2, " is incorrect because Client1 should be assigned role4 (from the VSA), not role3.

Option B , " Client1 = role4; Client2 = role1, " is incorrect because Client2 should be assigned the preauth-role (role2), not the critical-role (role1), since the RADIUS server is reachable (Client1 authenticated successfully).

Option C , " Client1 = role4; Client2 = role2, " is correct. Client1 gets role4 from the VSA, and Client2 gets the preauth-role (role2) since it does not attempt authentication.

Option D , " Client1 = role3; Client2 = role1, " is incorrect for the same reasons as Option A and Option B.

The HPE Aruba Networking AOS-CX 10.12 Security Guide states:

" After successful 802.1X authentication, the AOS-CX switch assigns the client to the auth-role configured for the port (e.g., aaa authentication port-access auth-role role3). However, if the RADIUS server returns an Aruba-User-Role VSA (e.g., Aruba-User-Role: role4), and the specified role exists on the switch, the client is assigned that role instead of the auth-role. If a client does not attempt authentication and no other authentication method is configured, the client is assigned the preauth-role (e.g., aaa authentication port-access preauth-role role2), which provides limited access before authentication. " (Page 132, 802.1X Authentication Section)

Additionally, the guide notes:

" The critical-role (e.g., aaa authentication port-access critical-role role1) is applied only when the RADIUS server is unavailable. The preauth-role is applied when a client connects but does not attempt 802.1X authentication. " (Page 134, Port-Access Roles Section)

To meet the requirements for configuring an ArubaOS-CX switch for integration with ClearPass Policy Manager (CPPM), it is necessary to set the AAA authentication login method for SSH to use the “radius” server-group, with “local” as a backup. This ensures that when an admin attempts to SSH into the switch, the authentication request is first sent to CPPM via RADIUS. If CPPM is unavailable, the switch will fall back to using local authentication 1 2 .

Here’s why the other options are not correct:

Option B is incorrect because configuring a CPPM username and password on the switch that matches a CPPM admin account is not required for SSH login; rather, the switch needs to be configured to communicate with CPPM for authentication.

Option C is incorrect because while CPPM will send Aruba-Admin-Role Vendor-Specific Attributes (VSAs), the switch does not need to have port-access roles created with the same names; it needs to interpret the VSA to assign the correct role.

Option D is incorrect because disabling SSH on the default VRF and enabling it on the mgmt VRF is not related to the authentication process with CPPM.

Therefore, the correct answer is A , as setting the AAA authentication login method for SSH to the “radius” server-group with “local” as backup is a key step in ensuring that the switch can authenticate admins through CPPM while providing a fallback method 1 2 .

Based on the exhibits which seem to show RADIUS authentication and CoA logs, one can determine that CPPM (ClearPass Policy Manager) initially assigned the client to a role meant for non-profiled devices and then sent a CoA to the network access device (authenticator) once the device was categorized. This is a common workflow in network access control, where a device is first given limited access until it can be properly identified, after which appropriate access policies are applied.

Tarpit containment is a method used in ArubaOS Wireless Intrusion Prevention (WIP) to contain rogue APs. It differs from traditional wireless containment in several ways, particularly in how it interacts with clients and manages network resources.

Tarpit containment works by spoofing frames from an AP to confuse a client about its association. It forces the client to associate with a fake channel or BSSID, which is more efficient than rogue containment via repeated de-authorization requests. This method is designed to be less disruptive and more resource-efficient 1 .

Here’s why the other options are not correct:

Option A is incorrect because tarpit containment does not involve sending ARP frames over the wired network. It operates wirelessly by creating a fake channel or BSSID.

Option B is incorrect because tarpit containment does not selectively target authorized clients; it affects all clients connected to the rogue AP.

Option C is incorrect because tarpit containment does require an RF Protect license to function 2 .

Therefore, Option D is the correct answer. Tarpit containment is more effective at keeping clients off the network with fewer disassociation frames than traditional wireless containment. It achieves this by forming associations with clients, which leads to a more efficient use of airtime and reduces the chance of negative effects on legitimate network users 1 2 .