HPE6-A88 Questions and Answers

System-wide notification settings are managed under Administration > External Servers > Messaging Setup . To support simultaneous delivery, both the Email Relay (SMTP) and the SMS Gateway must be fully configured and tested within this menu. This centralizes the messaging logic, allowing various Guest and Insight services to utilize these pre-configured channels for automated alerts and receipts.

This is the "Profile and Bounce" workflow.

Initial connection: Device is unknown (IsProfiled=false) and restricted.

The device sends a DHCP request , which is intercepted by the ClearPass Profiler.

ClearPass identifies the device (e.g., "Company Laptop") and updates the database.

To apply the new "Full Access" policy, ClearPass must trigger a RADIUS CoA Terminate-Session to the NAD.

The device immediately reconnects and authenticates again; this time, ClearPass sees the updated profile and grants full access.

OCSP (Online Certificate Status Protocol) is designed to provide real-time revocation status. If an OCSP responder returns a status of 'unknown' , it means the responder has no record of the certificate. From a security standpoint, ClearPass treats any response other than 'Good' as a failure. To prevent potential unauthorized access via certificates that the PKI cannot verify, ClearPass will reject the authentication attempt.

In OnGuard, you can configure Post-Auth Actions . When a device fails compliance, simply telling the user is often not enough. By choosing an action to "Restart the session," ClearPass sends a RADIUS CoA (Change of Authorization) to the switch or controller, which bounces the user's connection. This forces the device to re-authenticate, at which point the new "Unhealthy" status will trigger a restricted or quarantine policy.

ClearPass Guest distinguishes between simple login pages and complex registration workflows. A Self-Registration page is the correct choice for this requirement because it includes the logic for the guest to enter their information, select a sponsor, receive credentials, and manage their own account details (like password changes or extending their stay).

ClearPass is built on an object-oriented configuration model. Elements such as Role Mappings, Enforcement Profiles, and Service Rules are modular. This reusability means an engineer can define a "Corporate-User" enforcement profile once and apply it to a dozen different services (Wireless, Wired, VPN). This ensures policy consistency across the organization, significantly reduces administrative overhead, and minimizes the risk of configuration errors.

ClearPass OnGuard licensing is based on the unique endpoint, not the number of connections or checks. A single device that connects via wired in the morning, Wi-Fi in the afternoon, and VPN in the evening—triggering a health check each time—will only consume one OnGuard license for that 24-hour period. This "per-device" model makes licensing predictable for enterprise deployments with roaming users.

While ClearPass provides built-in skins that allow for basic logo and color changes, achieving a pixel-perfect mirror of an existing corporate website usually requires a Fully Custom Skin . These skins allow developers to upload custom CSS, HTML headers/footers, and JavaScript to match the exact "look and feel" of the brand's main site. These are often provided as specialized plugins or professional service packages to ensure compatibility across different browser types.

ClearPass Onboard manages security via unique device certificates. When a device is lost, the most critical step is to revoke its certificate . This adds the certificate to the Certificate Revocation List (CRL) or updates the OCSP status, ensuring that if the old device tries to connect, ClearPass will reject it. The manager then marks the device as "Blocked" and allows the user to repeat the Onboarding process for their new device, which receives its own distinct certificate.

Comprehensive and Detailed Explanation From HPE Aruba Networking ClearPass portfolio:

Network Device Groups (NDGs) allow administrators to categorize switches and controllers by location or function. In a multi-site deployment, ClearPass can use a "Service Rule" that looks at which NDG the request came from. For example, if a request comes from the "London-Switches" group, ClearPass is configured to use the London AD domain; if it comes from "Tokyo-APs," it uses the Tokyo AD source. This prevents "cross-talk" between global regions and improves authentication speed.

By polling an EMM/MDM server, ClearPass pre-synchronizes its endpoint database with managed device information. This "Advanced Context" means that when a device eventually connects for the first time, ClearPass already knows its serial number, compliance status, and owner. This eliminates the need for manual profiling or initial "limited access" phases, allowing the system to grant appropriate access levels immediately upon the first authentication attempt.

After the initial authentication and context-gathering stages, ClearPass enters the Roles and Enforcement phase. During Role Mapping, ClearPass assigns one or more internal roles based on the gathered data. The Enforcement Policy then evaluates these roles against defined rules to make the final "Allow" or "Deny" decision. This stage is responsible for selecting the Enforcement Profile, which contains the final RADIUS attributes (like VLANs or ACLs) sent back to the Network Access Device.

Comprehensive and Detailed Explanation From HPE Aruba Networking ClearPass portfolio:

Health Checks are the core mechanism of OnGuard. These checks look for specific attributes on the endpoint, such as whether the antivirus is up-to-date, if the OS firewall is enabled, or if unauthorized applications (like peer-to-peer software) are running. The result of these checks is a "Posture Token" (Healthy, Unhealthy, or Unknown) that ClearPass uses to make enforcement decisions.

When a guest is redirected to the captive portal, their browser sends an HTTP Get request. Included in the headers of this request is the User-Agent string (e.g., Mozilla/5.0 (iPhone; CPU iPhone OS 17_0...)). ClearPass Guest parses this string to identify the specific OS and browser version. This information is then shared with the Policy Manager to update the endpoint database, providing immediate profiling context even before the user logs in.

Policy cache entries in ClearPass typically have a default life-cycle of 5 minutes . If the cache was updated three minutes ago , it has two minutes of validity remaining. During this time, ClearPass will use the cached roles and posture status for any incoming requests from that device. Once the 5-minute mark is reached, the cache expires, and ClearPass will perform a full re-evaluation on the next request.

When a RADIUS request reaches ClearPass, the system first attempts to identify the sender. ClearPass uses the Source IP Address of the incoming packet to match it against its configured list of Network Devices. If the IP is not found in the 'Devices' database, the request is dropped as an "Unknown NAD." Administrators can add single IPs (e.g., 10.1.1.5) or subnets (e.g., 10.1.1.0/24) to authorize groups of switches or APs.

ClearPass supports Context Server Actions , which allow it to act as an API client. When a device authenticates, ClearPass can be configured to send an outbound HTTP/REST message to an external system like an EMM (Enterprise Mobility Management) server. This message acts as a trigger, instructing the EMM to perform a specific management task—such as pushing a profile or app update—specifically because the device has just successfully accessed the network.

This follows the standard two-stage authentication flow. The first 802.1X attempt fails posture (Unknown) and results in a quarantine redirect. The user runs the dissolvable agent, which sends health data to a WEBAUTH service. ClearPass saves this status. During the second authentication attempt , the 802.1X service checks the cached posture token associated with that device. Finding it is now "Healthy," ClearPass applies the full-access enforcement policy.

The Zero Trust framework dictates that "trust" is never granted implicitly but is instead based on identity and context. ClearPass provides this by moving security away from static IP/VLAN-based rules to Dynamic Role-Based Access Control (RBAC) . By integrating profiling (to identify what the device is) with authentication (to identify who the user is), ClearPass assigns a "Role." This role stays with the user/device regardless of where or how they connect, ensuring a consistent security posture across legacy and modern infrastructure.

Certificate validation is a multi-step process. ClearPass must first verify the Trust Chain to ensure the certificate was issued by a trusted organization (CA). Next, it must check the Validity Period to ensure the certificate is not expired or not yet valid. Crucially, because certificates use precise timestamps, ClearPass must account for Clock Skew ; if the server and client times are too far apart, the certificate may appear invalid even if it is technically current.

Using AD for authentication confirms who the user is, while using it for authorization allows ClearPass to pull group memberships (e.g., "Finance Team") to determine access levels. Adding MDM integration provides "Rich Context"—letting ClearPass know if that specific user is connecting from a corporate-managed device that is encrypted and not jailbroken. This combination ensures that only the right person on a secure device can enter the network.

This approach is known as MAC Caching . During the first visit, the guest logs in via the captive portal. ClearPass then "caches" the device's MAC address for a specific period (e.g., 24 hours or 1 week). When the user returns, the network device performs a MAC-based authentication; ClearPass recognizes the cached device and grants access immediately, allowing the guest to bypass the portal entirely for a "seamless" experience.

The core of ClearPass Onboard is a specialized Certificate Authority (CA). During the provisioning process, each device generates a unique private key and receives a unique identity certificate . This certificate is tied to both the user and the specific hardware. When the device authenticates via 802.1X (EAP-TLS), ClearPass logs the exact certificate used, providing a perfect audit trail of "who" connected with "which" specific personal device.

In ClearPass service configuration, the Posture tab is not visible by default. To enable health check logic, the administrator must check the "Posture Compliance" box in the Service tab. This adds the Posture configuration screen where the administrator can select the specific Posture Policy that will evaluate the reports sent by the OnGuard agents.

ClearPass services are designed to be flexible with identity sources. In the Authentication tab of a service configuration, an administrator can add multiple sources (e.g., Active Directory, Guest Repository, and Local User Repository). ClearPass processes these sources in the exact order they appear in the list—attempting to authenticate the user against the first source, and moving to the next only if the user is not found in the previous one.

A common cause of certificate errors is a "broken trust chain". When uploading a new server certificate, the engineer must include the entire certificate bundle . This bundle should contain the server's certificate, any Intermediate CAs , and the Root CA certificate. This allows the ClearPass server to present the full chain to client browsers, ensuring they can verify the certificate's authenticity back to a trusted source.

Comprehensive and Detailed Explanation From HPE Aruba Networking ClearPass portfolio:

OCSP (Online Certificate Status Protocol) is used to check if a certificate has been revoked. By default, most certificates contain an "Authority Information Access" (AIA) field that points to the CA's OCSP responder. If the 'Override' option is unchecked , ClearPass follows standard PKI behavior and uses the specific URL embedded within the client's certificate to verify its status.

Zero Trust operates on the principle of Continuous Risk Assessment . Initial authentication is not a "permanent pass." If a device's behavior changes (detected by a traffic monitor or firewall), ClearPass must be able to revoke or reduce its access. The correct response is to move the device to a Quarantine VLAN or apply a restrictive ACL via CoA. This "closed-loop" security prevents lateral movement while the security team investigates the anomaly.