
HPE6-A73 Exam - Question 17


An administrator is implementing a downloadable user role solution involving AOS-CX switches. The AAA solution and the AOS-CX switches can successfully authenticate users; however, the role information fails to download to the switches. What policy should be added to an intermediate firewall to allow the downloadable role function to succeed?

Correct Answer: AC

For a downloadable user role solution involving AOS-CX switches, roles that are configured on a ClearPass server are transferred to the switch using HTTPS. HTTPS operates over TCP port 443, which needs to be allowed through the firewall for the role information to download successfully to the switches.

Discussion

15 comments
d_nat (Option: A)
Aug 20, 2022

Answer A is correct. Student Guide Vol2, page 115: "Roles can be configured locally on the switch using a Local User Role (LUR) or on a ClearPass server, using a downloadable user role (DUR). Roles that are configured locally can be assigned via any RADIUS server, using the Aruba-User-Role VSA. When using DUR, the ClearPass HPE-CPPM-Role VSA is used in combination with HTTPS to transfer the role to the switch."

poris27 (Option: A)
Apr 2, 2021

I think the answer should be A because something is wrong with HTTPS; maybe the switch failed to download the certificate or there is a firewall blocking TCP 443. UDP 8211 (PAPI) is related to dynamic segmentation instead of DUR.

Mar_a_Lagoon (Option: A)
Oct 18, 2021

REST API is used for this, so A HTTPS

sentinel44 (Option: A)
Jan 6, 2022

HTTPS uses TCP 443, so it is A and not C

SeidorBruno (Option: A)
Jun 27, 2023

Page 775 Study Guide: This means that a HTTPS certificate has to be installed on the edge switch. [Aruba Networks]

fasty (Option: A)
Apr 12, 2021

Correct it is A

jordib4 (Option: A)
Jan 9, 2022

pg 681 from the Aruba guide - "When using DUR, the ClearPass HPE-CPPM-Role VSA is used in combination with HTTPS to transfer the role to the switch." UDP 8211 (PAPI) is related to dynamic segmentation and the communication to the MC not DUR.

JazzyJ151 (Option: A)
Apr 29, 2022

DUR is a CPPM feature, so the assumption is that the AAA is CPPM. AOS switches download their roles from CPPM using HTTPS; you just have to put a CA cert on the switch for the CPPM and reference the FQDN. Definitely A.

AM1234 (Option: A)
Jun 21, 2021

The correct Answer is A

Mrvn (Option: C)
Jun 28, 2021

C is correct (HTTPS is used between switch and CPPM)

[Removed]
Jun 29, 2021

And HTTPS uses TCP 443, so it is A and not C

kup (Option: C)
Sep 14, 2021

C only this port mentioned in study book. v2-169

SniBBz (Option: A)
Apr 7, 2022

Answer is A

NetExpert (Option: A)
Sep 23, 2022

A is correct

E_Nick (Option: A)
Oct 9, 2022

HTTPS uses TCP 443, so it is A and not C

Letu (Option: C)
Oct 24, 2023

If any firewall or network infrastructure device with ACLs is in the path, it must allow GRE and PAPI traffic. Enable GRE on IP protocol 47 and PAPI on UDP 8211.