Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location PL
Mob_nav_barsMENU

HP Exam HPE6-A84 Topic 4 Question 27 Discussion

Actual exam question for HP's HPE6-A84 exam
Question #: 27
Topic #: 4
[All HPE6-A84 Questions]

You are setting up Aruba ClearPass Policy Manager (CPPM) to enforce EAP-TLS authentication with Active Directory as the authentication source. The company wants to prevent users with disabled accounts from connecting even if those users still have valid certificates.

As the first part of meeting these criteria, what should you do to enable CPPM to determine where accounts are enabled in AD or not?

Show Suggested Answer Hide Answer
Suggested Answer: C

According to the ClearPass Policy Manager User Guide1, userAccountControl is a custom attribute in Active Directory that contains a set of flags that define the properties and behavior of user accounts. One of these flags is ACCOUNTDISABLE, which indicates whether the account is disabled or not. By adding this attribute to the filters in the AD authentication source, CPPM can retrieve this attribute for each user and use it as a condition in the enforcement policies to prevent users with disabled accounts from connecting even if they have valid certificates. Therefore, option C is the correct answer.


by Rory at Sep 09, 2024, 06:52 PM

Limited Time Offer

25%

Off

Get Premium HPE6-A84 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Marcelle
3 months ago
I'm a big fan of B. OCSP can give you that extra layer of security and visibility into user account status. Plus, it's a built-in feature of EAP-TLS, so it should be pretty straightforward to configure.
upvoted 0 times
Jeff
2 months ago
Barbra: That could work too, but I still think OCSP is a strong choice for this scenario.
upvoted 0 times
...
Goldie
2 months ago
I'm not sure, I think we should also consider adding a custom attribute for userAccountControl to the filters in the AD authentication source.
upvoted 0 times
...
Barbra
2 months ago
Yeah, I agree. It's a built-in feature of EAP-TLS, so it should be easy to set up.
upvoted 0 times
...
Corinne
2 months ago
I think B is a good option. OCSP can help us check user account status.
upvoted 0 times
...
...
Tracey
3 months ago
B looks like a clever solution to me. Querying the domain controller directly for account status could be tricky, and a custom AD extension feels like overkill. OCSP is the way to go!
upvoted 0 times
Adelina
3 months ago
C) Add a custom attribute for userAccountControl to the filters in the AD authentication source.
upvoted 0 times
...
Lucina
3 months ago
B) Enable OCSP in the EAP-TLS authentication method settings and configure an OCSP override to the domain controller FQDN.
upvoted 0 times
...
...
Xenia
3 months ago
Haha, D sounds like something a consultant would try to sell you. 'Oh, you need this custom extension to make it work? That'll be an extra $5,000 please.' I'm going with C - keep it simple!
upvoted 0 times
...
Delfina
3 months ago
I'm not sure, but I think B) Enable OCSP in the EAP-TLS authentication method settings and configure an OCSP override to the domain controller FQDN might be the right choice.
upvoted 0 times
...
Marquetta
3 months ago
I disagree, I believe the correct answer is C) Add a custom attribute for userAccountControl to the filters in the AD authentication source.
upvoted 0 times
...
Denna
3 months ago
I think the answer is A) Add an Endpoint Context Server to the domain controller with actions for querying the domain controller for account status.
upvoted 0 times
...
Ashley
3 months ago
C seems like the most straightforward option to me. Why overcomplicate things with OCSP or a custom extension when we can just add the userAccountControl attribute to the AD authentication source filters?
upvoted 0 times
Wilburn
3 months ago
Yeah, it's definitely the most straightforward way to go about it.
upvoted 0 times
...
Ernest
3 months ago
I agree, option C seems like the simplest solution.
upvoted 0 times
...
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77