Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

HP Exam HPE6-A84 Topic 2 Question 15 Discussion

Actual exam question for HP's HPE6-A84 exam
Question #: 15
Topic #: 2
[All HPE6-A84 Questions]

You are setting up Aruba ClearPass Policy Manager (CPPM) to enforce EAP-TLS authentication with Active Directory as the authentication source. The company wants to prevent users with disabled accounts from connecting even if those users still have valid certificates.

As the first part of meeting these criteria, what should you do to enable CPPM to determine where accounts are enabled in AD or not?

Show Suggested Answer Hide Answer

Contribute your Thoughts:

Olive
5 months ago
Yeah, OCSP override to the domain controller FQDN seems like a necessary step to take.
upvoted 0 times
...
Tatum
5 months ago
I believe enabling OCSP in EAP-TLS authentication method settings could also help in this scenario.
upvoted 0 times
...
Shasta
6 months ago
That sounds like a good idea. It would help us determine if accounts are disabled in AD.
upvoted 0 times
...
Paris
6 months ago
I think we need to add an Endpoint Context Server to query the domain controller for account status.
upvoted 0 times
...
Hermila
6 months ago
I think installing a Microsoft Active Directory extension in Aruba ClearPass Guest might be the best option here.
upvoted 0 times
...
Royce
7 months ago
But wouldn't adding a custom attribute for userAccountControl help in determining if an account is enabled or not?
upvoted 0 times
...
Leonida
7 months ago
I disagree, I believe we need to enable OCSP in the EAP-TLS authentication method settings and configure an OCSP override to the domain controller FQDN.
upvoted 0 times
...
Royce
7 months ago
I think we should add a custom attribute for userAccountControl to the filters in the AD authentication source.
upvoted 0 times
...
Ilona
8 months ago
D? Really? I don't know, that seems like a bit of a workaround. Why not just go with the direct AD integration in the first place?
upvoted 0 times
...
An
8 months ago
I don't know, guys. I'm kinda leaning towards D - the Microsoft AD extension in ClearPass Guest. That might be the easiest way to integrate with AD.
upvoted 0 times
...
Kathryn
8 months ago
You know, B might be a good option too. OCSP is designed for this kind of thing. Though it might be a bit more complex to set up.
upvoted 0 times
...
Johnna
8 months ago
Yeah, C does sound the most logical. But what about B - using OCSP? Wouldn't that also work by querying the domain controller directly?
upvoted 0 times
...
Gladys
8 months ago
Hmm, I'm leaning towards C - adding a custom attribute for userAccountControl in the AD authentication source. That seems like the most direct way to check the account status.
upvoted 0 times
Una
7 months ago
I'm not sure, but maybe option D) could also be a good solution. Installing a Microsoft Active Directory extension in Aruba ClearPass Guest could help with authentication.
upvoted 0 times
...
Shantay
7 months ago
I agree with Isaiah, option A) sounds like it would work effectively in this case.
upvoted 0 times
...
Isaiah
7 months ago
I think option A) might be a better choice. Adding an Endpoint Context Server to the domain controller seems like a direct way to query account status.
upvoted 0 times
...
...
Latonia
8 months ago
Whoa, this question is tricky! We need to figure out how to get CPPM to check the AD account status, but it's not straightforward. I'm going to have to think this through.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77