Scribd
Upload
77 views

Hp0-Y39 Epg

To pass the exam, you will need to demonstrate that you troubleshoot complex, HP A-Series wireless deployments. You must also know how to secure a wireless network using HP RF Manager.

Uploaded by

spiderman7
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
77 views

Hp0-Y39 Epg

To pass the exam, you will need to demonstrate that you troubleshoot complex, HP A-Series wireless deployments. You must also know how to secure a wireless network using HP RF Manager.

Uploaded by

spiderman7
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 36

HP0-Y39: MANAGING & TROUBLESHOOTING ENTERPRISE WIRELESS NETWORKS

HP Networking
Exam preparation guide

HP0-Y39: MANAGING & TROUBLESHOOTING ENTERPRISE WIRELESS NETWORKS


HP Networking
Exam preparation guide

Overview
Requirements for successful completion This guide helps you to study for the Managing & Troubleshooting Enterprise Wireless Networks (HP0-Y39) exam. You can benefit from this guide whether you are attempting to expand your existing HP certification or you have a former H3C or a Cisco background and want to get certified with HP. To pass the exam, you will need to demonstrate that you troubleshoot complex, HP A-Series wireless deployments. You must also know how to secure a wireless network using HP RF Manager.

Table of Contents
Why take this exam? ............................................................................................................................ 4 HP Master ASE Wireless Networks [2011] certification ......................................................................... 4 Path 1 ............................................................................................................................................. 4 Path 2 ............................................................................................................................................. 4 How to study for the exam .................................................................................................................... 5 Study tips based on your certification ..................................................................................................... 6 HP ASE Wireless Networks [2011] certification ................................................................................ 6 Master ASE HP ProCurve Mobility certification or Master ASE Mobility 2010 certification with HP Enterprise Networking Products Technical Qualification ............................................................ 6 Master ASE HP ProCurve Campus LANs or HP Master ASE Network Infrastructure [2011] certification ..................................................................................................................................... 6 CCIE Wireless certification ............................................................................................................. 7 Attend recommended ILTs ..................................................................................................................... 7 Secure Wireless Solutions with HP RF Manager ................................................................................... 7 Topics covered ............................................................................................................................. 7 Format offered.............................................................................................................................. 7 More information .......................................................................................................................... 7 Troubleshooting HP Enterprise Wireless Networks ................................................................................ 8 Topics covered ............................................................................................................................. 8 Format offered.............................................................................................................................. 8 More information .......................................................................................................................... 8 Purchase self-study materials.................................................................................................................. 8 Refer to additional materials .................................................................................................................. 8 Obtain hands-on experience ................................................................................................................. 9 How to take the Managing & Troubleshooting Enterprise Wireless Networks (HP0-Y39) exam ...................... 9 Exam content ................................................................................................................................... 9 Comments on the exam ................................................................................................................... 10 Tips for taking HP exams .................................................................................................................... 10 Register ............................................................................................................................................ 11 Sample questions ............................................................................................................................... 11 Conclusion ........................................................................................................................................ 22 Appendix: Answers to the sample questions .......................................................................................... 22

Why take this exam?


Passing this exam gives you one component toward HP Master Accredited Systems Engineer Wireless Networks [2011] certification. This achievement certifies that you can design, integrate, and support secure network solutions for large and complex enterprise wireless networks using A-Series network technologies.

HP Master ASE Wireless Networks [2011] certification


There are two paths to achieve this certification, as outlined below. The exams you must pass are dependent upon which achievements you currently hold. (Some previous certification is required; if you do not have any of the certifications listed in Table 1, obtain the HP ASE Wireless Networks [2011] certification.)

Path 1
This path is designed for networking professionals who have one of the following certifications: HP ASE Wireless Networks [2011] Master ASE HP ProCurve Mobility [2010] Master ASE Mobility 2010 with HP Enterprise Networking Products Technical Qualification [2010]

If you meet one of these criteria, you must pass the Deploying HP Enterprise Wireless Networks (HP0-Y38) exam in addition to the HP0-Y39 exam. By completing this path, you will also be granted the HP ASE Wireless Networks [2011] certification if you do not already have it.

Path 2
This path is designed for networking professionals who have one of the following certifications. Master ASE HP ProCurve Campus LANs [2010] HP Master ASE Network Infrastructure [2011] CCIE Wireless

If you meet one of these criteria, you must pass the HP0-Y39 exam as well as two other exams: Implementing HP Wireless Networks (HP0-Y33) Deploying HP Enterprise Wireless Networks (HP0-Y38)

By completing this path, you will also be granted the HP ASE Wireless Networks [2011] certification. Table 1 summarizes these requirements.

Table 1: Exam based on current achievement


Current achievements Path 1 HP ASE Wireless Networks [2011] Path 2

Master ASE HP ProCurve Mobility [2010]

Master ASE Mobility 2010 with HP Enterprise Networking Products Technical Qualification [2010]

Master ASE HP ProCurve Campus LANs [2010]

HP Master ASE Network Infrastructure [2011]

CCIE Wireless*

Requirements for HP Master ASE Network Infrastructure

Proctored exam Implementing HP Wireless Networks (HP0-Y33) Proctored exam Deploying HP Enterprise Wireless Networks (HP0-Y38) Proctored exam Managing & Troubleshooting HP Wireless Networks (HP0-Y39)

*Note: CCIE specialties such as Voice, Security, or Routing and Switching do not apply toward HP Master ASE Wireless certification.

Who should take the exam?


Every candidate for the HP Master ASE Wireless Networks [2011] must take the Managing & Troubleshooting Enterprise Wireless Networks (HP0-Y39) exam. Although anyone can take the exam, most successful candidates have at least five years of real-world experience implementing and maintaining complex enterprise networks. Successful candidates also prepare for the test in a variety of ways. This guide describes some of these ways and provides references to materials for further preparation. NOTE Anyone can take the exam, but passing it only helps you to achieve certification if you have one of the prior achievements listed in Table 1. If you are a new candidate, obtain the HP ASE Wireless Networks [2011] certification first.

How to study for the exam


The Managing & Troubleshooting Enterprise Wireless Networks (HP0-Y39) exam tests you on topics that are covered in several HP instructor-led training (ILT) and Web-based training (WBT) courses, described later in this guide.

While all training is recommended for all candidates no matter what their current achievements, it is neither required nor does it guarantee that you will pass the exam. It is expected that you will also study on your own and draw on your real-world experience. The exam certifies that you have the knowledge and skills necessary for a Master ASE Wireless Networks, the highest certification HP offers in this area. Therefore, you will encounter complex and demanding questions, reflecting the challenging nature of the tasks that the Master ASE often faces in real world complex wireless network implementations. Read the sections below to further assess your options. Even if you do not intend to complete the recommended training, you should examine the topics that they cover because the exam will test you on your mastery of these topics.

Study tips based on your certification


All candidates, no matter what their certification, should consider taking the Implementing HP Wireless Networks (HP0-Y33) exam, if required, and the Implementing HP Enterprise Wireless Networks (HP0-Y38) exam before this attempting the Managing & Troubleshooting Enterprise Wireless Networks (HP0-Y39) exam. If you pass those exams, you should have the requisite skills for succeeding in the training associated with the Managing & Troubleshooting Enterprise Wireless Networks (HP0-Y39) exam and with the exam itself. The sections below provide special tips based on your current certification: HP ASE Wireless Networks [2011] Master ASE HP ProCurve Mobility or Master ASE Mobility 2010 with HP Enterprise Networking Products Technical Qualification Master ASE HP ProCurve Campus LANs or HP Master ASE Network Infrastructure [2011] CCIE Wireless

HP ASE Wireless Networks [2011] certification


As other candidates, you are encouraged to pass the HP0-Y38 exam before attempting the Managing & Troubleshooting Enterprise Wireless Networks (HP0-Y39) exam. However, the training and experience that have rewarded you with the HP ASE Wireless Networks [2011] certification should have prepared you well. You should take the recommended ILTs described later in this guide and continue to obtain as much real-world experience as possible. To learn more about ways to prepare for the exam, continue reading, beginning at: Attend recommended ILTs.

Master ASE HP ProCurve Mobility certification or Master ASE Mobility 2010 certification with HP Enterprise Networking Products Technical Qualification
The Managing & Troubleshooting Enterprise Wireless Networks (HP0-Y39) exam focuses on troubleshooting advanced wireless solutions on HP A-Series products. Make sure that you know the A-Series products well enough that you can interpret their configurations and find potential issues. A few of the questions test you on implementing HP RF Manager. To obtain your current certification, you might have already learned about this product. If so, you should not find these questions to difficult. To learn more about ways to prepare for the exam, continue reading, beginning at: Attend recommended ILTs.

Master ASE HP ProCurve Campus LANs or HP Master ASE Network Infrastructure [2011] certification
Because you might have less of a background in wireless technologies, you are particularly encouraged to pass the HP0-Y33 and HP0-Y38 exams before taking the Managing & Troubleshooting Enterprise Wireless Networks (HP0-Y39) exam. To learn more about ways to prepare for the Managing & Troubleshooting Enterprise Wireless Networks (HP0Y39) exam, continue reading, beginning at: Attend recommended ILTs.

CCIE Wireless certification


Your background in wireless technologies should help you answer some questions, including ones that ask you to find reasons for poor Quality of Service (QoS), poor signal, or slow connections. However, you should be aware that the Managing & Troubleshooting Enterprise Wireless Networks (HP0-Y39) exam does very much focus on troubleshooting HP A-Series solutions. Make sure that you know the A-Series products well enough that you can interpret their configurations and find potential issues. You also need to learn about RF Manager, which is similar to other Wireless IDS solutions with which you might be familiar. To learn more about ways to prepare for the exam, continue reading, beginning at: Attend recommended ILTs.

Attend recommended ILTs


Two ILTs help to prepare you for this exam: Secure Wireless Solutions with HP RF Manager, Rev. 11.11 or later (1 day) Troubleshooting HP Enterprise Wireless Networks, Rev. 11.11 or later (3 day)

You are highly encouraged to attend these courses, where you will expand your knowledge of networking and security technologies and gain hands-on experience implementing these technologies on HP equipment. Register for these courses in The Learning Center of your HP Partner Portal, which is the HP Learning Management System for HP customers and partners. You will require an HP Learner ID to register for a class. Note that, while it only takes a few minutes to request the ID, the process of activating it may take up to several days. Please obtain this ID and then register for classes at least one week in advance. Costs and scheduling vary according to region.

Secure Wireless Solutions with HP RF Manager


Secure Wireless Solutions with HP RF Manager focuses on wireless intrusion detection and protection. You will learn about the specific types of threats HP RF Manager detects, and learn as well how it works with sensors to locate and mitigate these threats. You will then learn how to use RF Manager to locate and quarantine rogue APs and set up intrusion prevention to enforce a companys overall security policy. Topics covered After attending this course, you will be able to: Install RF Manager and configure it to automatically take action against threats or notify you of suspicious activity o o Detect threats such as vulnerabilities, backdoors, denial-of-service (DoS) attacks, and Wired Equivalent Privacy (WEP) attacks Classify APs and clients Locate and quarantine rogue AP devices Mitigate threats, including disassociating devices that exhibit suspicious behavior

o o

Plan the deployment of and configure sensors to best protect the network environment Monitor VLANs on the wired network Audit security, including monitoring events and analyzing reports

Format offered 1-day instructor-led course with 50% lecture and 50% lab and classroom activities. More information If you are interested, the course datasheet discusses Secure Wireless Solutions with HP RF Manager in more detail. It is available at http://h17007.www1.hp.com/us/en/training/certifications/technical/mase-wirelessnetworks.aspx.

Troubleshooting HP Enterprise Wireless Networks


Should you choose to attend the Troubleshooting HP Enterprise Wireless Networks training, you will learn to identify and resolve issues related to HP A-Series wireless client connectivity, roaming, and authentication using network management software and device debugging commands. You will gain familiarity with common issues and their resolutions as well as troubleshooting methods and tools that are used to identify and resolve unfamiliar or undocumented issues. Topics covered After attending this course, you will be able to: Understand common wireless networking issues and causes Resolve issues with HP A-Series wireless product deployment and operation, including o Lack of power or power failure Cabling problems AC discovery and AP management issues 802.11n performance issues Basic configuration errors Client connectivity issues Client roaming issues o

o o o o o

Centrally manage and troubleshoot a wireless network using Intelligent Management Center (IMC) Interpret event logs to identify and troubleshoot wireless network issues Use networking, debug, and hidden commands to troubleshoot issues Capture wireless network packets and interpret results

Format offered 3-day instructor-led course with 40% lecture, 40% hands-on labs, 10% activity, and 10% review. Generally the student lab activities will consist of identifying, defining, resolving, and documenting issues with wireless networking, as well as reporting their approach and results back to the class. More information If you are interested, the course datasheet discusses Troubleshooting HP Enterprise Wireless Networks in more detail. It is available at http://h17007.www1.hp.com/us/en/training/certifications/technical/mase-wirelessnetworks.aspx.

Purchase self-study materials


Rather than attend the ILTs, you can purchase self-study materials. Typically, materials consist of the Learners Guide provided to the ILT participants, which you can read and study at your own pace. Note that these materials were designed for use in a participative ILT. Therefore, you will see discussion questions and activities, which you can use to practice and assess your progress. Answers are provided in an appendix at the end of the guide. For some courses, you might also be able to purchase a Lab Guide. Finally, remember that simply reading these materials will not give you the hands-on experience provided by labs in the ILT. The exam assumes that you have experience working with HP products. To purchase the self-study materials associated with the ILTs described above, visit http://learningpartnerconnection.com/coursemanuals.

Refer to additional materials


This exam assesses your ability to troubleshoot all aspects of HP A-Series wireless solutions. Therefore, you might want to refer to HP A-Series products solution guides and documentation to study topics with which you are less familiar. You can search for these materials at www.hp.com/networking/support.

Obtain hands-on experience


All HP exams are designed for networking professionals with on-the-job experience, but this exam in particular requires such experience. You will find the troubleshooting portions of the exam much easier to complete if you have spent time working with HP A-Series wireless products. If you do not have such experience, you should strongly consider taking the ILTs, which provide a safe lab environment for experimenting in these areas.

How to take the Managing & Troubleshooting Enterprise Wireless Networks (HP0-Y39) exam
Table 2 provides details about the exam. Note that this is a proctored exam, which you must complete at a scheduled time and authorized location. You will not be allowed to take any reference materials with you. Table 2: HP0-Y39 exam details
Parameter Description

Number of items Item types

42 Multiple choice (single response) Multiple choice (multiple responses) Drag and drop

Exam time Passing score Additional guidelines

2 hours (150 minutes) 66 percent (29 correct answers) No online or hard copy reference material will be allowed at the testing site.

Exam content
The following testing objectives represent the specific areas of content covered in the exam. Use this outline to guide your study and to check your readiness for the exam. The exam measures your understanding of these areas. Table 3: HP0-Y39 exam content
HP0-Y39 Sections/Objectives

15%

Wireless Network Optimization Understand optimal and suboptimal wireless network parameters Detect and remove interference sources Determine and implement methods to optimize network reliability and performance Apply consistent and predictable methods to defining and resolving issues Resolve cabling problems

2%

Troubleshooting Methodology

2%

Troubleshooting Core Wireless Networking

HP0-Y39

Sections/Objectives

21%

Troubleshooting Configuration Issues Resolve basic configuration issues for Access Controllers (AC) and Access Points (AP) Ensure AC is discoverable through various methods (Layer 2, Layer 3 with DHCP Option 43, and Layer 3 with DNS) Resolve configuration issues related to lack of power or power failure Resolve issues related to AP firmware (wlan apdb) Resolve issues related to IP addressing and name resolution (e.g. DHCP, DNS) Resolve cabling problems Resolve AP-to-AC communications issues over Lightweight Access Point Protocol (LWAPP) Identify issues that prevent clients from associating with an AP Identify issues that break client connections from an AP Resolve issues related to MAC authentication Resolve issues related to 802.1X authentication Resolve issues related to use of mismatched or improperly configured cryptography (including WEP, WPA, WPA2, TKIP, etc.) Resolve issues related to Web Portal authentication Analyze network events and take corrective action, if necessary Use debugging and hidden commands to resolve issues Resolve client connectivity issues Resolve problems related to client roaming Describe RF Manager's role in an HP mobility solution Describe the threats detected by RF Manager Plan the deployment of sensors Install HP RF Manager and complete the initial setup Use RF Manager to locate and quarantine Rogue Aps Set up intrusion prevention on RF Manager to enforce a company's security policy

29%

Troubleshooting Wireless Connection Issues

10%

Troubleshooting Wireless Connectivity and Roaming Issues

21%

Managing Wireless Threats

Comments on the exam


During the exam, participants can make specific comments about the items (i.e. accuracy, appropriateness to audience, etc). HP welcomes these comments as part of our continuous improvement process.

Tips for taking HP exams


Rather than emphasize simple memorization, HP exams attempt to assess whether you have the knowledge and skills that a networking professional requires on the job. Therefore, some questions feature exhibits or scenarios. As you see, you will have an average of about three-and-a-half minutes per question. You will need this amount of time because many questions feature complete configurations, through which you must search to find errors. If allowed by the system, you might want to answer the questions about which you are sure first and then move back to the others. Before you do answer a question, take the time to read the question and all of the options carefully. If the question indicates that it features an exhibit, study the exhibit and reread the question. Make sure to select the answer that correctly responds to the question that is askednot simply an answer that includes some correct information. For example, an answer might refer to something that is truly indicated in a configuration, but this answer is only correct if it refers to the actual problem indicated in the question.

10

If the question asks for more than one answer, remember to select each correct answer. You do not receive partial credit for a partially correct answer.

Register
To register for this 30 exam, visit the Prometric website at: http://www.Prometric.com/hp You will need an HP Learner ID and a Prometric ID. You can also access links to register for this exam when you view information about them on The Learning Center: http://www.hp.com/go/expertone

Sample questions
Use these questions to help to assess whether you are ready to take the exam. An appendix at the end of this guide provides answers and explanations. 1. You are deploying the HP A-Series wireless solution shown in the exhibit. However, when you install the APs, the access controller (AC) fails to discover them. You implement traffic mirroring to monitor the packets sent and received by the APs, and repower the APs. You discover that the APs send several UDP broadcasts to port 12223 and several DNS requests but no other packets. What might be causing the problem? a. b. c. d. The AC has not been configured correctly to provide the APs with their IP addresses. The APs have not been configured with the correct port to which to direct UDP broadcasts. The DNS server has not been configured with the correct entry mapping to the ACs IP address. The APs have not been manually configured with the correct IP address to which to direct UDP unicasts.

Figure 1: Exhibit for question 1 2. A customer has deployed a WLAN with the SSID MyCompany that enforces 802.1X authentication to a Windows Internet Authentication Server (IAS). The wireless client cannot connect to the WLAN. The first exhibit displays settings on IAS. The second displays settings on the wireless client (Windows 7). Below the exhibits is the configuration on the AC. Based on the information in the exhibits and the configurations, what might be causing the problem? a. b. c. The client is using the wrong form of EAP authentication. The client is using a certificate to authenticate, but the AC is looking for a secret key (sharedsecret). The client is using the wrong from of encryption.

11

d.

The client is configured to use WPA instead of 802.1X authentication.

Figure 2: Exhibit 1 for question 2Settings for the IAS remote access policy

Figure 3: Exhibit 2 for question 2Settings for the Windows 7 wireless client

12

Wireless AC configuration
# version 5.20, Release 1108P02, Release 1108P02 # sysname WX5002 # domain default enable system # telnet server enable # port-security enable # dot1x authentication-method eap # vlan 1 # vlan 2 # radius scheme wpatkip primary authentication 20.20.20.2 key authentication sharedsecret user-name-format without-domain # domain system authentication default radius-scheme wpatkip authorization default radius-scheme wpatkip accounting default none access-limit disable state active idle-cut disable self-service-url disable accounting optional # user-group system # local-user admin password simple wireless authorization-attribute level 3 service-type telnet # wlan rrm dot11a mandatory-rate 6 12 24 dot11a supported-rate 9 18 36 48 54 dot11b mandatory-rate 1 2 dot11b supported-rate 5.5 11 dot11g mandatory-rate 1 2 5.5 11 dot11g supported-rate 6 9 12 18 24 36 48 54 # wlan service-template 1 crypto ssid MyCompany bind WLAN-ESS 1 cipher-suite ccmp security-ie rsn service-template enable # interface NULL0 # interface Vlan-interface1 ip address 10.20.20.100 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk permit vlan all # interface GigabitEthernet1/0/2 # interface M-Ethernet1/0/1 #

13

interface WLAN-ESS1 port link-type hybrid port hybrid vlan 1 to 2 untagged mac-vlan enable port-security port-mode userlogin-secure-ext port-security tx-key-type 11key # wlan ap ap1 model WA4610 serial-id 9V6FAMNA96820 radio 1 channel 6 service-template 1 radio enable # ip route-static 0.0.0.0 0.0.0.0 10.20.20.1 # load xml-configuration # user-interface aux 0 user-interface vty 0 4 authentication-mode scheme user privilege level 3 #

3. A sensor has just detected a new AP sending traffic on the wired network. The AP that uses these settings: SSID = Employees Security = WPA (802.1X with AES)

The AP is detected passing the clients traffic on VLAN 20 (10.1.20.0/24). A client that was Uncategorized is now associated with the AP. Examine the settings shown for RF Manager in the exhibits below (assume other settings are at the defaults). What action does RF Manager take? a. b. c. d. It quarantines the AP only. It quarantines the client only. It quarantines the AP and the client. It quarantines neither the AP nor the client.

Figure 4: Exhibit 1 for question 3RF Manager AP Auto-classification policy

14

Figure 5: Exhibit 2 for question 3RF Manager Authorized 802.11 SSID template

Figure 6: Exhibit 3 for question 3RF Manager Authorized WLAN Setup > Select No Wi-Fi Networks

15

Figure 7: Exhibit 4 for question 3RF Manager Client Auto-classification policy

Figure 8: Exhibit 5 for question 3RF Manager Intrusion Prevention Policy

16

4. A conference center has a large auditorium that holds 400 people. The center has installed a wireless solution with five APs and an AC to provide conference visitors with access to video servers. After several months, the company CIO contacts you, complaining that although about fifty percent of users have 802.11n-capable laptops, these users are not experiencing 802.11n speeds. The AC is running the configuration shown below. What is the best solution for this problem? a. b. c. d. AC configuration
# # # # # # # # version 5.20, Release 3111 sysname HP domain default enable system telnet server enable port-security enable portal trap server-down oap management-ip 192.168.0.101 slot 0

Enable High Throughput mode on radio 1 on all APs. Increase the mandatory data rates for 802.11a. Enable Greenfield mode all both radios on all APs. Change the WLAN encryption to Advanced Encryption Standard (AES).

wlan country-code US # vlan 1 # vlan 2 # domain system access-limit disable state active idle-cut disable self-service-url disable # dhcp server ip-pool 0 network 192.168.0.0 mask 255.255.255.0 gateway-list 192.168.0.200 option 43 hex 80070000 01C0A800 60 # dhcp server ip-pool 1 network 192.168.1.0 mask 255.255.255.0 gateway-list 192.168.1.200 option 43 hex 80070000 01C0A800 60 # user-group system # local-user admin password simple admin authorization-attribute level 3 service-type telnet # wlan rrm dot11a mandatory-rate 6 12 24 dot11a supported-rate 9 18 36 48 54 dot11b mandatory-rate 1 2 dot11b supported-rate 5.5 11 dot11g mandatory-rate 1 2 5.5 11 dot11g supported-rate 6 9 12 18 24 36 48 54 #

17

wlan service-template 1 crypto ssid HP_Openaccess bind WLAN-ESS 0 cipher-suite ccmp security-ie rsn service-template enable # interface NULL0 # interface Vlan-interface1 ip address 192.168.0.100 255.255.255.0 # interface Vlan-interface2 ip address 192.168.1.100 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk permit vlan all # interface WLAN-ESS0 port link-type hybrid port hybrid vlan 1 untagged port-security port-mode psk port-security tx-key-type 11key port-security preshared-key pass-phrase simple Ay+G8lqFPsu0FxRl6KqYEWN7QkT # wlan ap AP1 model WA2620E-AGN serial-id 219801A0AL9099G00461 radio 1 service-template 1 radio enable radio 2 service-template 1 radio enable # wlan ap AP2 model WA2620E-AGN serial-id 219801A0AL9099G00462 radio 1 radio 2 service-template 1 radio enable # wlan ap AP3 model WA2620E-AGN serial-id 219801A0AL9099G00463 radio 1 radio 2 service-template 1 radio enable # wlan ap AP4 model WA2620E-AGN serial-id 219801A0AL9099G00464 radio 1 radio 2 service-template 1 radio enable # wlan ap AP5 model WA2620E-AGN serial-id 219801A0AL9099G00465 radio 1 service-template 1 radio enable radio 2 service-template 1 radio enable # dhcp enable # ip route-static 0.0.0.0 0.0.0.0 192.168.0.200 #

18

load xml-configuration # user-interface aux 0 user-interface vty 0 4 authentication-mode scheme user privilege level 3 # Return

5. A company with an HP A-Series wireless solution wants to provide wireless access for visitors. The visitors will connect to a WLAN named Guest and log in using portal authentication. You are testing the solution, and you find that your laptop can connect to the Guest WLAN and receive an IP address. You can then connect to the Internet without having to log in. Examine the exhibit and the configurations. How do you fix the problem?

Figure 9: Exhibit for question 1 a. b. c. d. Remove free rule 0. In the DHCP scope, change the DNS address to the ACs address on VLAN 2 instead of the external DNS servers address. Enable portal authentication on VLAN 2 Change the portal servers IP address to the ACs address on VLAN 2.

A3000 AC-side configuration


# # # # # # version 5.20, E3111 sysname AC domain default enable system dns server 10.1.0.20 telnet server enable port-security enable

19

portal server webportal ip 10.1.0.100 url http://10.1.0.100/portal/logon.htm portal free-rule 0 source interface GigabitEthernet1/0/1 destination any portal free-rule 1 source any destination ip 10.1.0.20 mask 255.255.255.255 portal local-server http

oap management-ip 10.1.0.101 slot 0 # vlan 1 # vlan 2 # domain system authentication portal local authorization portal local access-limit disable state active idle-cut disable self-service-url disable # dhcp server ip-pool webportal network 10.1.1.0 mask 255.255.255.0 gateway-list 10.1.1.1 dns-list 10.1.0.20 # dhcp server ip-pool webportal1 network 10.1.0.0 mask 255.255.255.0 gateway-list 10.1.0.1 dns-list 10.1.0.20 # user-group system # local-user admin password simple admin authorization-attribute level 3 service-type telnet local-user portal password simple portal authorization-attribute vlan 2 service-type portal # wlan rrm dot11a mandatory-rate 6 12 24 dot11a supported-rate 9 18 36 48 54 dot11b mandatory-rate 1 2 dot11b supported-rate 5.5 11 dot11g mandatory-rate 1 2 5.5 11 dot11g supported-rate 6 9 12 18 24 36 48 54 # wlan service-template 1 clear ssid Guests bind WLAN-ESS 1 service-template enable # interface NULL0 # interface Vlan-interface1 ip address 10.1.0.100 255.255.255.0 # interface Vlan-interface2 ip address 10.1.1.100 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk permit vlan all # interface WLAN-ESS1 port access vlan 2 #

20

wlan ap ap1 model WA2620E-AGN serial-id 9TZ49LM376C00 radio 1 radio 2 service-template 1 radio enable # ip route-static 0.0.0.0 0.0.0.0 10.1.0.1 # dhcp enable # load xml-configuration # user-interface aux 0 user-interface vty 0 4 authentication-mode scheme user privilege level 3 # return

A3000 Switch-side configuration


sysname HP # oap management-ip 10.1.0.100 slot 0 # mirroring-group 1 local # radius scheme system # domain system # local-user admin password simple admin service-type telnet level 3 # vlan 1 to 2 # interface Vlan-interface1 ip address 10.1.0.101 255.255.255.0 # interface Vlan-interface2 # interface Aux1/0/0 # interface GigabitEthernet1/0/1 # interface GigabitEthernet1/0/2 poe enable # interface GigabitEthernet1/0/3 port-access vlan 2 poe enable # interface GigabitEthernet1/0/4 # interface GigabitEthernet1/0/5 # interface GigabitEthernet1/0/6 # interface GigabitEthernet1/0/7 #

21

interface GigabitEthernet1/0/8 port link-type trunk port trunk permit vlan 1 to 2 # interface GigabitEthernet1/0/9 # interface GigabitEthernet1/0/10 # interface GigabitEthernet1/0/11 port link-type trunk port trunk permit vlan all # interface NULL0 # user-interface aux 0 user-interface vty 0 4 authentication-mode scheme user privilege level 3 # return

Conclusion
HP wishes you success in the HP ExpertONE Program and in passing the exam for which you are preparing.

Appendix: Answers to the sample questions


This section provides answers and explanations for the sample questions. 1. You are deploying the HP A-Series wireless solution shown in the exhibit. However, when you install the APs, the access controller (AC) fails to discover them. You implement traffic mirroring to monitor the packets sent and received by the APs, and repower the APs. You discover that the APs send several UDP broadcasts to port 12223 and several DNS requests but no other packets. What might be causing the problem? a. b. c. d. The ACs DHCP server is disabled and the APs could not receive their IP addresses. The APs have not been configured with the correct port to which to direct UDP broadcasts. The DNS server has not been configured with the correct entry mapping to the ACs IP address. The APs have not been manually configured with the correct IP address to which to direct UDP unicasts.

Explanation: After an AP powers up, it follows this sequence to discover the controller: The AP receives its IP address using DHCP. The AP checks the DHCP response for option 43, which would include the IP address of an AC that is on a different subnet.

If DHCP option 43 is included, the AP sends a UDP unicast on port 12223 to the specified address. The AC then checks whether the AP is allowed, and if it is, it sends the APs code and configuration. If the DHCP response has no option 43, sends out UDP broadcasts to port 12223, searching for an AC on its same subnet. If there is an AC on the subnet, the AC then checks whether the AP is allowed, and if it is, it sends the APs code and configuration. If the broadcasts receive no response, the AP sends a DNS request for the IP address associated with the default AC hostname. When the AP receives the IP address from the DNS server, it sends a UDP unicast on port 12223 to the specified IP address. The AC then checks whether the AP is allowed, and if it is, it sends the APs code and configuration. The packets that you see in the packet capture indicate where this process has failed. Because the APs have sent out the UDP broadcasts and DNS requests, you know that they have received IP addresses. The presence of the DNS requests also indicates that the AP failed to receive replies to the UDP

22

broadcasts. This failure makes sense because, as shown in the exhibit, the AP and the AC are on different subnets. Because AP has not sent any UDP unicasts, however, you know that it has not been able to find the ACs IP address. The problem might be that the DHCP server should be sending option 43 or that the DNS server cannot resolve the APs requests. Therefore, the correct answer is answer c. (The other option, that the DHCP server is misconfigured, might be correct as well, but this explanation is not listed among the potential answers.) Answer a is incorrect because you know that the APs did receive IP addresses. Answer b is incorrect; the APs are sending the UDP broadcasts to the correct port, but the AC is not on the same subnet. And answer d is incorrect because you cannot manually configure the ACs IP address on the APs. You must use DNS or DHCP for the Layer 3 discovery.

Figure 1: Exhibit for question 1 2. A customer has deployed a WLAN with the SSID MyCompany that enforces 802.1X authentication to a Windows Internet Authentication Server (IAS). The wireless client cannot connect to the WLAN. The first exhibit displays settings on IAS. The second displays settings on the wireless client (Windows 7). Below the exhibits is the configuration on the AC. Based on the information in the exhibits and the configurations, what might be causing the problem? a. b. c. d. The client is using the wrong form of EAP authentication. The client is using a certificate to authenticate, but the AC is looking for a secret key (sharedsecret). The client is using the wrong from of encryption. The client is configured to use WPA2 instead of 802.1X authentication.

Explanation: For 802.1X authentication to succeed, the 802.1X supplicant (here, the Windows 7 client) and the 802.1X authentication server (here, IAS) must support the same EAP method. The exhibits show that IAS supports both EAP-TLS (Smart Card or other certificate) and PEAP. The client is also using EAP-TLS, so the authentication methods match. Therefore, answer a is incorrect. Answer b is incorrect. The client is using a certificate to authenticate, but IAS supports that form of authentication. The ACs secret key is for its communications with IAS, and the client does not need that key. For the client to associate to the WLAN, it must support the correct encryption specified for that WLAN on the AC. Exhibit 2 indicates that client is using TKIP. The AC configuration, however, shows that the service template for the MyCompany WLAN only supports AES (CCMP). Therefore, answer c is correct. (You should ignore wpatkip, which is simply the name of the RADIUS server scheme.) Answer d is incorrect. The client is using WPA2, but WPA2 Enterprise mode does use 802.1X for authentication.

23

Figure 2: Exhibit 1 for question 2

Figure 3: Exhibit 2 for question 2 Wireless AC configuration


# version 5.20, Release 1108P02, Release 1108P02 # sysname WX5002 # domain default enable system # telnet server enable #

24

port-security enable # dot1x authentication-method eap # vlan 1 # vlan 2 # radius scheme wpatkip primary authentication 10.20.20.2 key authentication sharedsecret user-name-format without-domain # domain system authentication default radius-scheme wpatkip authorization default radius-scheme wpatkip accounting default none access-limit disable state active idle-cut disable self-service-url disable accounting optional # user-group system # local-user admin password simple wireless authorization-attribute level 3 service-type telnet # wlan rrm dot11a mandatory-rate 6 12 24 dot11a supported-rate 9 18 36 48 54 dot11b mandatory-rate 1 2 dot11b supported-rate 5.5 11 dot11g mandatory-rate 1 2 5.5 11 dot11g supported-rate 6 9 12 18 24 36 48 54 # wlan service-template 1 crypto ssid MyCompany bind WLAN-ESS 1 cipher-suite ccmp security-ie rsn service-template enable # interface NULL0 # interface Vlan-interface1 ip address 10.20.20.100 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk permit vlan all # interface GigabitEthernet1/0/2 # interface M-Ethernet1/0/1 # interface WLAN-ESS1 port link-type hybrid port hybrid vlan 1 to 2 untagged mac-vlan enable port-security port-mode userlogin-secure-ext port-security tx-key-type 11key #

25

wlan ap ap1 model WA4610 serial-id 9V6FAMNA96820 radio 1 channel 6 service-template 1 radio enable # ip route-static 0.0.0.0 0.0.0.0 10.20.20.1 # load xml-configuration # user-interface aux 0 user-interface vty 0 4 authentication-mode scheme user privilege level 3 #

3. A sensor has just detected a new AP sending traffic on the wired network. The AP that uses these settings: SSID = Employees Security = WPA (802.1X with AES)

The AP is detected passing the clients traffic on VLAN 20 (10.1.20.0/24). An client that was Uncategorized is now associated with the AP. Examine the settings shown for RF Manager in the exhibits below (assume other settings are at the defaults). What action does RF Manager take? a. b. c. d. It quarantines the AP only. It quarantines the client only. It quarantines the AP and the client. It quarantines neither the AP nor the client.

Explanation: To determine the action taken by RF Manager, you must first determine how the AP is categorized. From Exhibit 2, you know that the AP complies with the Authorized WLAN policy: The policys authorized SSID is Employees, and the AP uses this SSID. The policy allows WPA or WPA2 (802.11i) for security, 802.1X for authentication, and TKIP or AES (CCMP) for encryption. The APs security settings comply. The policy allows traffic on any VLAN.

The locations No Wi-Fi Networks settings always take precedence over the allowed networks in the Authorized WLAN policy, so you must check the settings in Exhibit 3 and make sure that wireless traffic is allowed on subnet 10.1.20.0/24. The exhibit shows that traffic is allowed on this subnet. Therefore, the AP is Potentially Authorized. RF Manager never automatically reclassifies Potentially Authorized APs as Authorized (an administrator must do so). Therefore, the AP remains Potentially Authorized. As you can see in Exhibit 4, RF Manager does not reclassify the client; it remains Unclassified. You now simply need to examine Exhibit 5, the intrusion prevention policy, to see how RF Manager responds to Potentially Authorized APs and to Uncategorized Clients that connect to Potentially Authorized APs. As you see, the Potentially Authorized AP is quarantined (fourth check box under Rogue APs), but the Uncategorized Client is not (no policy for this type of connection). Answer a is correct. Note that answer d is not correct because RF Manager does not quarantine the client itself. Sensors do disrupt the clients connection to the Potentially Authorized AP, but the client can connect to another AP.

26

Figure 4: Exhibit 1 for question 3RF Manager AP Auto-classification policy

Figure 5: Exhibit 2 for question 3RF Manager Authorized 802.11 SSID template

27

Figure 6: Exhibit 3 for question 3RF Manager Authorized WLAN Setup > Select No Wi-Fi Networks

Figure 7: Exhibit 4 for question 3RF Manager Client Auto-classification policy

28

Figure 8: Exhibit 5 for question 3RF Manager Intrusion Prevention Policy 4. A conference center has a large auditorium that holds 400 people. The center has installed a wireless solution with five APs and an AC to provide conference visitors with access to video servers. After several months, the company CIO contacts you, complaining that although about fifty percent of users have 802.11n-capable laptops, these users are not experiencing 802.11n speeds. The AC is running the configuration shown below. What is the best solution for this problem? a. b. c. d. Enable High Throughput mode on radio 1 on all APs. Increase the mandatory data rates. Enable Greenfield mode all both radios on all APs. Change the WLAN encryption to Advanced Encryption Standard (AES).

Explanation: In order for 802.11n stations and APs to communicate at the highest 802.11 rates, 802.11n High Throughput or Greenfield mode must be enabled. (High Throughput mode and Greenfield mode refer to the same feature.) However, non-802.11n clients cannot detect transmissions in this mode, so they cannot connect to radios that implement it. In addition, if an 802.11a/b/g cell operates on the same frequency as the 802.11n High Throughput cell, the non-802.11n stations would cause collisions because they cannot detect the 802.11n transmissions. The question indicates that the 400 users at this site typically consists of about 200 users with 802.11n stations and 200 with stations that do not support that standard. Therefore, you must plan a solution that accommodates both types. Answer a, enabling High Throughput mode on radio 1 on all APs, provides a good solution. The 802.11n stations connect to the APs radio 1 and operate in High Throughput mode while the other stations connect to the APs radio 2, which support only 802.11b/g.

29

Answer b does not solve the problem. Even if you raise, the 802.11a and 802.11b/g mandatory data rates, the 802.11n users would not experience the higher 802.11n speeds. Answer c would improve the transmission speeds for users with 802.11n stations, but the question indicates that many users do not have such stations. The customer wants to support all visitors, so this answer does not provide the best solution. 802.11n does require AES encryption; however, the WLAN already supports this form of encryption (cipher-suite ccmp). Therefore answer d is incorrect. AC configuration
# # # # # # # # version 5.20, Release 3111 sysname HP domain default enable system telnet server enable port-security enable portal trap server-down oap management-ip 192.168.0.101 slot 0

wlan country-code US # vlan 1 # vlan 2 # domain system access-limit disable state active idle-cut disable self-service-url disable # dhcp server ip-pool 0 network 192.168.0.0 mask 255.255.255.0 gateway-list 192.168.0.200 option 43 hex 80070000 01C0A800 60 # dhcp server ip-pool 1 network 192.168.1.0 mask 255.255.255.0 gateway-list 192.168.1.200 option 43 hex 80070000 01C0A800 60 # user-group system # local-user admin password simple admin authorization-attribute level 3 service-type telnet # wlan rrm dot11a mandatory-rate 6 12 24 dot11a supported-rate 9 18 36 48 54 dot11b mandatory-rate 1 2 dot11b supported-rate 5.5 11 dot11g mandatory-rate 1 2 5.5 11 dot11g supported-rate 6 9 12 18 24 36 48 54 # wlan service-template 1 crypto ssid HP_Openaccess bind WLAN-ESS 0 cipher-suite ccmp security-ie rsn service-template enable #

30

interface NULL0 # interface Vlan-interface1 ip address 192.168.0.100 255.255.255.0 # interface Vlan-interface2 ip address 192.168.1.100 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk permit vlan all # interface WLAN-ESS0 port link-type hybrid port hybrid vlan 1 untagged port-security port-mode psk port-security tx-key-type 11key port-security preshared-key pass-phrase simple Ay+G8lqFPsu0FxRl6KqYEWN7QkT # wlan ap AP1 model WA2620E-AGN serial-id 219801A0AL9099G00461 radio 1 service-template 1 radio enable radio 2 service-template 1 radio enable # wlan ap AP2 model WA2620E-AGN serial-id 219801A0AL9099G00462 radio 1 radio 2 service-template 1 radio enable # wlan ap AP3 model WA2620E-AGN serial-id 219801A0AL9099G00463 radio 1 radio 2 service-template 1 radio enable # wlan ap AP4 model WA2620E-AGN serial-id 219801A0AL9099G00464 radio 1 radio 2 service-template 1 radio enable # wlan ap AP5 model WA2620E-AGN serial-id 219801A0AL9099G00465 radio 1 service-template 1 radio enable radio 2 service-template 1 radio enable # dhcp enable # ip route-static 0.0.0.0 0.0.0.0 192.168.0.200 # load xml-configuration #

31

user-interface aux 0 user-interface vty 0 4 authentication-mode scheme user privilege level 3 # return

5. A company with an HP A-Series wireless solution wants to provide wireless access for visitors. The visitors will connect to a WLAN named Guest and log in using portal authentication. You are testing the solution, and you find that your laptop can connect to the Guest WLAN and receive an IP address. You can then connect to the Internet without having to log in. Examine the exhibit and the configurations. How do you fix the problem? a. b. c. d. Remove free rule 0. In the DHCP scope, change the DNS address from 10.1.0.20 to 10.1.1.100. Enable portal authentication on VLAN 2 Change the portal servers IP address to the ACs address on VLAN 2.

Explanation: To answer this question, you must examine the configuration and look for an error that would prevent portal authentication from occurring. A misconfigured rule that allows traffic that should be prohibited before configuration could cause guests to be able to reach the Internet without authenticating. Free rule 0 permits all traffic from Gigabit interface 1/0/1. However, this does not apply to the traffic tunneled to VLAN 2, which is the traffic from users who connect to the guest WLAN. Therefore, this rule is causing the problem, and answer a is incorrect. The external DNS address is the correct address for users to direct their DNS requests. The configuration shows the proper commands in the DHCP scope for assigning this address to guests, so answer b is incorrect. Answer c is correct. If you examine the configuration, you see that portal authentication is not enabled on VLAN 2, which is the VLAN to which traffic on the Guest WLAN is tunneled. You must enable this form of authentication. Answer d is incorrect. You are allowed to specify the local portal server IP address on the VLAN 1 address, so the current configuration would not cause a problem.

Figure 9: Exhibit for question 1

32

A3000 AC-side configuration


# # # # # # version 5.20, E3111 sysname AC domain default enable system dns server 10.1.0.20 telnet server enable port-security enable portal server webportal ip 10.1.0.100 url http://10.1.0.100/portal/logon.htm portal free-rule 0 source interface GigabitEthernet1/0/1 destination any portal free-rule 1 source any destination ip 10.1.0.20 mask 255.255.255.255 portal local-server http

oap management-ip 10.1.0.101 slot 0 # vlan 1 # vlan 2 # domain system authentication portal local authorization portal local access-limit disable state active idle-cut disable self-service-url disable # dhcp server ip-pool webportal network 10.1.1.0 mask 255.255.255.0 gateway-list 10.1.1.1 dns-list 10.1.0.20 # dhcp server ip-pool webportal1 network 10.1.0.0 mask 255.255.255.0 gateway-list 10.1.0.1 dns-list 10.1.0.20 # user-group system # local-user admin password simple admin authorization-attribute level 3 service-type telnet local-user portal password simple portal authorization-attribute vlan 2 service-type portal # wlan rrm dot11a mandatory-rate 6 12 24 dot11a supported-rate 9 18 36 48 54 dot11b mandatory-rate 1 2 dot11b supported-rate 5.5 11 dot11g mandatory-rate 1 2 5.5 11 dot11g supported-rate 6 9 12 18 24 36 48 54 # wlan service-template 1 clear ssid Guests bind WLAN-ESS 1 service-template enable #

33

interface NULL0 # interface Vlan-interface1 ip address 10.1.0.100 255.255.255.0 # interface Vlan-interface2 ip address 10.1.1.100 255.255.255.0 # interface GigabitEthernet1/0/1 port link-type trunk port trunk permit vlan all # interface WLAN-ESS1 port access vlan 2 # wlan ap ap1 model WA2620E-AGN serial-id 9TZ49LM376C00 radio 1 radio 2 service-template 1 radio enable # ip route-static 0.0.0.0 0.0.0.0 10.1.0.1 # dhcp enable # load xml-configuration # user-interface aux 0 user-interface vty 0 4 authentication-mode scheme user privilege level 3 # return

A3000 Switch-side configuration

34

sysname HP # oap management-ip 10.1.0.100 slot 0 # mirroring-group 1 local # radius scheme system # domain system # local-user admin password simple admin service-type telnet level 3 # vlan 1 to 2 # interface Vlan-interface1 ip address 10.1.0.101 255.255.255.0 # interface Vlan-interface2 # interface Aux1/0/0 # interface GigabitEthernet1/0/1 # interface GigabitEthernet1/0/2 poe enable # interface GigabitEthernet1/0/3 port-access vlan 2 poe enable # interface GigabitEthernet1/0/4 # interface GigabitEthernet1/0/5 # interface GigabitEthernet1/0/6 # interface GigabitEthernet1/0/7 # interface GigabitEthernet1/0/8 port link-type trunk port trunk permit vlan 1 to 2 #

35

interface GigabitEthernet1/0/9 # interface GigabitEthernet1/0/10 # interface GigabitEthernet1/0/11 port link-type trunk port trunk permit vlan all # interface NULL0 # user-interface aux 0 user-interface vty 0 4 authentication-mode scheme user privilege level 3 # return

To learn more about HP networking, visit www.hp.com/networking


Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. HP0-Y39: Managing & Troubleshooting Enterprise Wireless Networks Exam Preparation Guide / May 2011

You might also like