HPE6-A78 Question #91: Real Exam Question with Answer & Explanation

The correct answer is C. Client1 = role4; Client2 = role2. The scenario involves an AOS-CX switch configured for 802.1X port-access authentication. The configuration defines several roles and their associated VLANs: port-access role role1 vlan access 11: Role1 assigns VLAN 11. port-access role role2 vlan access 12: Role2 assigns VLAN 12.

Question

Refer to the exhibit:

    port-access role role1
        vlan access 11
    port-access role role2
        vlan access 12
    port-access role role3
        vlan access 13
    port-access role role4
        vlan access 14
    aaa authentication port-access dot1x authenticator
        enable
    interface 1/1/1
        no shutdown
        no routing
        vlan access 1
        aaa authentication port-access critical-role role1
        aaa authentication port-access preauth-role role2
        aaa authentication port-access auth-role role3
    interface 1/1/2
        no shutdown
        no routing
        vlan access 1
        aaa authentication port-access critical-role role1
        aaa authentication port-access preauth-role role2
        aaa authentication port-access auth-role role3

The exhibit shows the configuration on an AOS-CX switch.

Client1 connects to port 1/1/1 and authenticates to HPE Aruba Networking ClearPass Policy Manager (CPPM). CPPM sends an Access-Accept with this VSA: Aruba-User-Role: role4.

Client2 connects to port 1/1/2 and does not attempt to authenticate.

To which roles are the users assigned?

Options

  • A. Client1 = role3; Client2 = role2
  • B. Client1 = role4; Client2 = role1
  • C. Client1 = role4; Client2 = role2
  • D. Client1 = role3; Client2 = role1

Explanation

The scenario involves an AOS-CX switch configured for 802.1X port-access authentication. The configuration defines several roles and their associated VLANs:

  • port-access role role1 vlan access 11: Role1 assigns VLAN 11.
  • port-access role role2 vlan access 12: Role2 assigns VLAN 12.
  • port-access role role3 vlan access 13: Role3 assigns VLAN 13.
  • port-access role role4 vlan access 14: Role4 assigns VLAN 14.

The switch has 802.1X authentication enabled globally (aaa authentication port-access dot1x authenticator enable). Two ports are configured.

Interface 1/1/1:

  • vlan access 1: Default VLAN is 1.
  • aaa authentication port-access critical-role role1: If the RADIUS server is unavailable, assign role1 (VLAN 11).
  • aaa authentication port-access preauth-role role2: Before authentication, assign role2 (VLAN 12).
  • aaa authentication port-access auth-role role3: After successful authentication, assign role3 (VLAN 13) unless overridden by a VSA.

Interface 1/1/2: Same configuration as 1/1/1.

Client1 on port 1/1/1: Client1 authenticates successfully, and CPPM sends an Access-Accept with the VSA Aruba-User-Role: role4. In AOS-CX, the auth-role (role3) is applied after successful authentication unless the RADIUS server specifies a different role via the Aruba-User-Role VSA. Since CPPM sends Aruba-User-Role: role4, and role4 exists on the switch, Client1 is assigned role4 (VLAN 14), overriding the default auth-role (role3).

Client2 on port 1/1/2: Client2 does not attempt to authenticate (i.e., does not send 802.1X credentials). In AOS-CX, if a client does not attempt authentication and no other authentication method (e.g., MAC authentication) is configured, the client is placed in the preauth-role (role2, VLAN 12). This role is applied before authentication or when authentication is not attempted, allowing the client limited access (e.g., to perform authentication or access a captive portal).
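
The role selection described in the explanation, modelled in Python as an added example (not part of the original page and not HPE code). The function names, the state labels and the abridged exhibit layout are assumptions made for the illustration; the code models the explanation above, not the switch firmware.

```python
import re

# Exhibit from the question, one command per line; "no shutdown" and "no routing"
# are left out, and both ports share one stanza because their config is identical.
PORT = """interface {}
    vlan access 1
    aaa authentication port-access critical-role role1
    aaa authentication port-access preauth-role role2
    aaa authentication port-access auth-role role3
"""
EXHIBIT = """port-access role role1
    vlan access 11
port-access role role2
    vlan access 12
port-access role role3
    vlan access 13
port-access role role4
    vlan access 14
""" + PORT.format("1/1/1") + PORT.format("1/1/2")

def parse_config(text):
    """Return ({role: vlan}, {port: {"critical" | "preauth" | "auth": role}})."""
    role_vlan, ports, ctx = {}, {}, [""]
    for raw in filter(str.strip, text.splitlines()):
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new context
            ctx = line.split()
            if ctx[0] == "interface":
                ports[ctx[1]] = {}
        elif ctx[:2] == ["port-access", "role"]:
            if m := re.fullmatch(r"vlan access (\d+)", line):
                role_vlan[ctx[2]] = int(m.group(1))
        elif ctx[0] == "interface":
            if m := re.fullmatch(r"aaa authentication port-access (\w+)-role (\S+)", line):
                ports[ctx[1]][m.group(1)] = m.group(2)
    return role_vlan, ports

def resolve_role(port, state, vsa_role=None, config=EXHIBIT):
    """state is a hypothetical label: "no-attempt", "radius-unreachable" or "accept"."""
    role_vlan, ports = parse_config(config)
    cfg = ports[port]
    if state == "accept":
        role = vsa_role or cfg["auth"]  # Aruba-User-Role overrides auth-role
    else:
        role = cfg[{"no-attempt": "preauth", "radius-unreachable": "critical"}[state]]
    if role not in role_vlan:  # the page only covers roles that exist on the switch
        raise LookupError(f"role {role} is not defined on the switch")
    return role, role_vlan[role]

if __name__ == "__main__":
    print(resolve_role("1/1/1", "accept", "role4"), resolve_role("1/1/2", "no-attempt"))
```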
