- HP.HPE6-A78.v2026-04-04.q108 Practice Test
Question 56
You are deploying an Aruba Mobility Controller (MC). What is a best practice for setting up secure management access to the ArubaOS Web UI?
Correct Answer: C
For securing management access to the ArubaOS Web UI of an Aruba Mobility Controller (MC), it is a best practice to install a certificate signed by a Certificate Authority (CA). This ensures that communications between administrators and the MC are secured with trusted encryption, which greatly reduces the risk of man-in-the-middle attacks. Using a CA-signed certificate enhances the trustworthiness of the connection over self-signed certificates, which do not offer the same level of assurance.
Reference:
ArubaOS documentation on management access security.
Question 57
A company has AOS-CX switches deployed in a two-tier topology that uses OSPF routing at the core.
You need to prevent ARP poisoning attacks. To meet this need, what is one technology that you could apply to user VLANs on access layer switches? (Select two.)
Correct Answer: A,D
The scenario involves AOS-CX switches in a two-tier topology (access and core layers) using OSPF routing at the core. The goal is to prevent ARP poisoning attacks on user VLANs at the access layer switches, where end-user devices connect. ARP poisoning (also known as ARP spoofing) is an attack where a malicious device sends fake ARP messages to associate its MAC address with the IP address of another device (e.g., the default gateway), allowing the attacker to intercept traffic.
ARP Inspection (Dynamic ARP Inspection, DAI): This feature prevents ARP poisoning by validating ARP packets against a trusted database of IP-to-MAC bindings. On AOS-CX switches, ARP inspection uses the DHCP snooping binding table to verify that ARP messages come from legitimate devices. If an ARP packet does not match the binding table, it is dropped.
DHCPv4 Snooping: This feature protects against rogue DHCP servers and builds a binding table of legitimate IP-to-MAC mappings by snooping DHCP traffic. The binding table is used by ARP inspection to validate ARP packets. DHCP snooping must be enabled before ARP inspection can function effectively, as it provides the trusted data for validation.
Option A, "ARP inspection," is correct. ARP inspection (DAI) directly prevents ARP poisoning by ensuring that ARP packets are legitimate, making it a key technology for this purpose.
Option B, "OSPF passive interface," is incorrect. OSPF passive interface is used to prevent OSPF from sending routing updates on specific interfaces, typically to reduce routing protocol traffic on user-facing interfaces. It does not prevent ARP poisoning, which is a Layer 2 attack.
Option C, "BPDU guard (protection)," is incorrect. BPDU guard protects against spanning tree protocol (STP) attacks by disabling a port if it receives BPDUs (e.g., from an unauthorized switch). It does not address ARP poisoning, which is unrelated to STP.
Option D, "DHCPv4 snooping," is correct. DHCP snooping is a prerequisite for ARP inspection, as it builds the binding table used to validate ARP packets. It also protects against rogue DHCP servers, which can indirectly contribute to ARP poisoning by assigning incorrect IP addresses.
Option E, "BPDU filtering," is incorrect. BPDU filtering prevents a port from sending or receiving BPDUs, which can be used to protect against STP attacks, but it does not prevent ARP poisoning.
The HPE Aruba Networking AOS-CX 10.12 Security Guide states:
"To prevent ARP poisoning attacks on user VLANs, enable Dynamic ARP Inspection (DAI) on access layer switches. DAI validates ARP packets against the DHCP snooping binding table to ensure they come from legitimate devices. Use the command ip arp inspection vlan <vlan-list> to enable DAI on the specified VLANs. DHCP snooping must be enabled first with dhcp-snooping and dhcp-snooping vlan <vlan-list> to build the binding table used by DAI." (Page 145, ARP Inspection and DHCP Snooping Section) Additionally, the guide notes:
"DHCP snooping and ARP inspection work together to protect against Layer 2 attacks like ARP poisoning. DHCP snooping builds a trusted database of IP-to-MAC bindings, which ARP inspection uses to filter out malicious ARP packets." (Page 146, Best Practices Section)
References:
HPE Aruba Networking AOS-CX 10.12 Security Guide, ARP Inspection and DHCP Snooping Section, Page 145.
HPE Aruba Networking AOS-CX 10.12 Security Guide, Best Practices Section, Page 146.
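The relationship described above, where DHCP snooping builds the binding table and ARP inspection checks each ARP sender against it, is sketched below as an added Python example. It is a simplified model, not AOS-CX code; the port names, VLAN 10, the addresses, and the rule that trusted ports bypass inspection are assumptions made for the illustration.

```python
# Added illustration, not AOS-CX code; ports, VLAN IDs and addresses are constructed.
import struct
from ipaddress import IPv4Address

def parse_arp(frame):
    """Return (sender_mac, sender_ip) from an Ethernet II ARP frame, None if not ARP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x06":
        return None
    if len(frame) < 42 or struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        raise ValueError("malformed or non-IPv4 ARP")
    return frame[22:28].hex(":"), IPv4Address(frame[28:32])

def build_arp(sender_mac, sender_ip, target_ip, oper=2):
    """Build a constructed broadcast ARP frame (oper 2 = reply) for the demo."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    body = sha + IPv4Address(sender_ip).packed + b"\x00" * 6 + IPv4Address(target_ip).packed
    return b"\xff" * 6 + sha + b"\x08\x06" + hdr + body

class AccessSwitch:
    def __init__(self, trusted_ports, inspected_vlans):
        self.trusted = set(trusted_ports)   # uplinks toward the real DHCP server
        self.vlans = set(inspected_vlans)   # user VLANs with inspection enabled
        self.bindings = {}                  # (vlan, ip) -> (mac, client port)

    def snoop_dhcp_ack(self, ingress_port, vlan, client_port, mac, ip):
        """Record a lease only if the server's ACK arrived on a trusted port."""
        if ingress_port not in self.trusted:
            return False                    # reply from a rogue server: ignored
        self.bindings[(vlan, IPv4Address(ip))] = (mac.lower(), client_port)
        return True

    def inspect_arp(self, ingress_port, vlan, frame):
        """Return (verdict, reason); trusted ports and other VLANs bypass (assumption)."""
        if vlan not in self.vlans or ingress_port in self.trusted:
            return ("forward", "not inspected")
        try:
            arp = parse_arp(frame)
        except ValueError as exc:
            return ("drop", str(exc))
        if arp is None:
            return ("forward", "not ARP")
        mac, ip = arp
        bound = self.bindings.get((vlan, ip))
        if bound is None:
            return ("drop", "no binding for sender IP")
        if bound != (mac, ingress_port):
            return ("drop", "sender MAC or port differs from binding")
        return ("forward", "matches binding")

def demo():
    sw = AccessSwitch(trusted_ports={"1/1/48"}, inspected_vlans={10})
    sw.snoop_dhcp_ack("1/1/48", 10, "1/1/1", "00:11:22:33:44:55", "10.1.10.20")
    sw.snoop_dhcp_ack("1/1/48", 10, "1/1/2", "66:77:88:99:aa:bb", "10.1.10.21")
    honest = build_arp("00:11:22:33:44:55", "10.1.10.20", "10.1.10.1")
    as_gateway = build_arp("66:77:88:99:aa:bb", "10.1.10.1", "10.1.10.20")
    as_victim = build_arp("66:77:88:99:aa:bb", "10.1.10.20", "10.1.10.1")
    return [sw.inspect_arp("1/1/1", 10, honest), sw.inspect_arp("1/1/2", 10, as_gateway),
            sw.inspect_arp("1/1/2", 10, as_victim)]

if __name__ == "__main__":
    print(demo())
```

Without a snooped lease the table is empty and every ARP on an inspected, untrusted port is dropped, which is why the snooping step has to come first.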
Question 58
Which correctly describes one of HPE Aruba Networking ClearPass Policy Manager's (CPPM's) device profiling methods?
Correct Answer: C
HPE Aruba Networking ClearPass Policy Manager (CPPM) uses device profiling to identify and classify endpoints on the network, enabling granular access control based on device type, OS, or other attributes. CPPM supports both passive and active profiling methods.
Option C, "CPPM can analyze settings such as TTL and time window size in endpoints' TCP traffic in order to fingerprint the OS," is correct. TCP fingerprinting is a passive profiling method used by CPPM. It involves analyzing TCP packet headers, such as the Time To Live (TTL) value and TCP window size, which vary between operating systems (e.g., Windows, Linux, macOS). CPPM captures this traffic (e.g., via mirrored traffic from a switch or controller) and matches the TCP attributes against its fingerprint database to identify the OS of the endpoint.
Option A, "CPPM can use Wireshark to actively probe devices, analyze their traffic patterns, and construct an endpoint profile," is incorrect. CPPM does not use Wireshark for profiling; Wireshark is a third-party packet analysis tool. CPPM has its own built-in profiling engine and does not rely on external tools like Wireshark for active probing.
Option B, "CPPM can use SNMP to configure Aruba switches and mobility devices to mirror client traffic to CPPM for analysis," is incorrect. While CPPM can receive mirrored traffic for profiling (e.g., via SPAN or mirror ports), it does not use SNMP to configure the mirroring. The configuration of traffic mirroring is typically done manually on the switch or controller (e.g., using a datapath mirror on an MC), not via SNMP by CPPM.
Option D, "CPPM can analyze settings such as TCP/UDP ports used for HTTP, DHCP, and DNS in endpoints' traffic to fingerprint the OS," is incorrect. While CPPM does analyze HTTP, DHCP, and DNS traffic for profiling, it does not fingerprint the OS based on TCP/UDP ports. Instead, it uses attributes like DHCP Option 55 (for DHCP fingerprinting) or HTTP User-Agent strings (for HTTP fingerprinting) to identify devices, not the ports themselves.
The HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide states:
"ClearPass supports TCP fingerprinting as a passive profiling method to identify the operating system of endpoints. By analyzing TCP packet headers, such as the Time To Live (TTL) value and TCP window size, ClearPass can fingerprint the OS of a device. For example, Windows devices typically have a TTL of 128, while Linux devices often have a TTL of 64. These attributes are matched against ClearPass's fingerprint database to classify the device." (Page 248, TCP Fingerprinting Section) Additionally, the ClearPass Device Insight Data Sheet notes:
"ClearPass uses passive profiling techniques like TCP fingerprinting to identify device operating systems. By examining TCP attributes such as TTL and window size, ClearPass can accurately determine whether a device is running Windows, Linux, macOS, or another OS, enabling precise policy enforcement." (Page 3, Profiling Methods Section)
References:
HPE Aruba Networking ClearPass Policy Manager 6.11 User Guide, TCP Fingerprinting Section, Page 248.
ClearPass Device Insight Data Sheet, Profiling Methods Section, Page 3.
Question 59
What is an Authorized client, as defined by AOS Wireless Intrusion Prevention System (WIP)?
Correct Answer: D
The AOS Wireless Intrusion Prevention System (WIP) in an AOS-8 architecture (Mobility Controllers or Mobility Master) is designed to detect and mitigate wireless threats, such as rogue APs and unauthorized clients. WIP classifies clients and APs based on their behavior and status in the network.
Authorized Client Definition: In the context of WIP, an "Authorized" client is one that has successfully authenticated to an authorized AP (an AP managed by the MC and part of the company's network) and is actively passing encrypted traffic. This typically means the client has completed 802.1X authentication (e.g., in a WPA3-Enterprise network) or PSK authentication (e.g., in a WPA3-Personal network) and is communicating securely with the AP.
Option D, "A client that has successfully authenticated to an authorized AP and passed encrypted traffic," is correct. This matches the WIP definition of an Authorized client: the client must authenticate to an AP that is classified as "Authorized" (i.e., part of the company's network) and must be passing encrypted traffic, indicating a secure connection (e.g., using WPA3 encryption).
Option A, "A client that is on the WIP whitelist," is incorrect. WIP does not use a client whitelist for classification. The AP whitelist is used to authorize APs, not clients. Client classification (e.g., Authorized, Interfering) is based on their authentication status and connection to authorized APs.
Option B, "A client that has a certificate issued by a trusted Certification Authority (CA)," is incorrect. While a certificate might be used for 802.1X authentication (e.g., EAP-TLS), WIP does not classify clients as Authorized based on their certificate status. The classification depends on successful authentication to an authorized AP and encrypted traffic.
Option C, "A client that is NOT on the WIP blacklist," is incorrect. WIP does use blacklisting (e.g., for clients that violate security policies), but being "not on the blacklist" does not make a client Authorized. A client must actively authenticate to an authorized AP and pass encrypted traffic to be classified as Authorized.
The HPE Aruba Networking AOS-8 8.11 User Guide states:
"In the Wireless Intrusion Prevention (WIP) system, an 'Authorized' client is defined as a client that has successfully authenticated to an authorized AP and is passing encrypted traffic. An authorized AP is one that is managed by the Mobility Controller and part of the company's network. For example, a client that completes 802.1X authentication to an authorized AP using WPA3-Enterprise and sends encrypted traffic is classified as Authorized." (Page 414, WIP Client Classification Section) Additionally, the HPE Aruba Networking Security Guide notes:
"WIP classifies clients as 'Authorized' if they have authenticated to an authorized AP and are passing encrypted traffic, indicating a secure connection. Clients that are not authenticated or are connected to rogue or neighbor APs are classified as 'Interfering' or other categories, depending on their behavior." (Page 78, WIP Classifications Section)
References:
HPE Aruba Networking AOS-8 8.11 User Guide, WIP Client Classification Section, Page 414.
HPE Aruba Networking Security Guide, WIP Classifications Section, Page 78.
Question 60
What is a benefit of Protected Management Frames (PMF), sometimes called Management Frame Protection (MFP)?
Correct Answer: B
