JNCIS-AC - Gratis Exam · 2015. 8. 16.

JNCIS-AC
Number: JN0-314
Passing Score: 635
Time Limit: 120 min
File Version: 4.0

http://www.gratisexam.com/

I strongly recommend you read the "Junos Pulse Access Control Service Administration Guide"
http://www.juniper.net/techpubs/software/uac/4.1xguides/j-ic-uac-4.1-adminguide.pdf

Good luck!


Post on 30-Jan-2021



  • Exam A

    QUESTION 1
    A customer wants to create a custom Junos Pulse configuration. Which two are required? (Choose two)

    A. Connection set
    B. Configuration set
    C. Custom installer
    D. Component set

    Correct Answer: AD
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    From 'Junos Pulse Access Control Service Administration Guide v4.1' page 37;

    "To provision a custom Pulse package for users, you first configure a Pulse connection set, which includes one or more connections. Each connection includes all the settings that an endpoint needs to connect to a particular access device.

    Then you create a Pulse component set, which allows you to choose the Pulse components to download to endpoints. You can select a previously created client connection set profile to associate with the client component set"

    QUESTION 2
    What is a type of firewall enforcer supported by the Junos Pulse Access Control Service?

    A. Checkpoint firewall
    B. SRX Series device
    C. DP sensor
    D. MX Series device

    Correct Answer: B
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    From 'Junos Pulse Access Control Service 4.1R1 Supported Platforms Document' page 3;

    "Junos Enforcer: SRX 210, 220, 240, 650, 1400, 3400, 3600, 5600, 5800"

    QUESTION 3
    A customer is trying to decide which 802.1X inner protocol to use on their network. The customer requires that no passwords be sent across the network in plain text, that the protocol be supported by the Windows native supplicant, and that the protocol supports password changes at Layer 2.

    Which protocol would meet the customer's needs?

    A. EAP-TLS
    B. EAP-MD5
    C. PAP
    D. EAP-MSCHAPv2

    Correct Answer: D
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 4
    You navigate to "UAC" > "Infranet Enforcer" > "Auth Table Mapping" in the admin GUI. You see one policy, which is the unmodified, original default policy.

    Which statement is true?

    A. Dynamic auth table mapping is not enabled.
    B. A successful authentication attempt will result in a new authentication table entry, which will be delivered only to the Junos enforcer protecting the network from which the user has authenticated.
    C. To create a static auth table mapping, you must delete the default policy.
    D. The default policy applies only to the factory-default role User.

    Correct Answer: A
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    KB13744: How to configure dynamic discovery (Dynamic Auth Table Allocation);

    "How to configure Dynamic Auth Table Allocation:

    1. No configuration is needed on the Infranet Enforcer (ScreenOS), just make sure the ScreenOS / JUNOS / UAC version meet the above prerequisites.
    2. On Infranet Controller side: Browse to: Admin WebUI > UAC > Infranet Enforcer > Auth Table Mapping. Delete the Default Policy or specify an Infranet Enforcer for which you do not want to configure this feature."

    QUESTION 5
    You have a Junos Pulse Secure Access Service acting as an IF-MAP client, configured to federate all user roles to a Junos Pulse Access Control Service acting as an IF-MAP Federation server. A remote user using Junos Pulse logs in to the Junos Pulse Secure Access Service; the Junos Pulse Secure Access Service provisions a remote access session for that user.

    What happens next?

    A. The Junos Pulse Secure Access Service redirects the user to the Junos Pulse Secure Access Service for authentication.
    B. The Junos Pulse Access Control Service provisions enforcement points to enable resource access for that user.
    C. The Junos Pulse Secure Access Service publishes user session and role information to the IF-MAP Federation server.
    D. The Junos Pulse Secure Access Service provisions enforcement points to enable resource access for that user.

    Correct Answer: C
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    From 'Junos Pulse Access Control Service: Guide to IF-MAP Federation' page 8;

    "The authenticating IC Series device or SA appliance (the original IF-MAP client) publishes any changes in session parameters to the IF-MAP server. Because the IC Series device that is protecting the accessed resources subscribes to the metadata on the Federation server, session information is always current."

    QUESTION 6
    You are configuring an active/passive cluster of SRX Series devices as the firewall enforcer on a MAG Series device. Which statement is true?

    A. Multiple Infranet Enforcer instances are created with a single serial number of an SRX Series device defined in each configuration.
    B. A single Infranet Enforcer instance is created with both serial numbers of the clustered SRX Series devices defined in the configuration.
    C. Multiple Infranet Enforcer instances are created with a single IP address of an SRX Series device defined in each configuration.
    D. A single Infranet Enforcer instance is created with the VIP of the clustered SRX Series device defined in the configuration.

    Correct Answer: B
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    KB11971: Appropriate configurations for IC's and IE's in different types of clustering;

    "Single IC with IE’s in NSRP A/P cluster

    One IC entry on IE’s, points to IC Internal IP address
    One IE entry on IC, with serial numbers for both IE’s"

    QUESTION 7
    A customer has purchased a third-party switch to use for Layer 2 access with their Junos Pulse Access Control Service. When configuring the switch on the Junos Pulse Access Control Service, the customer does not find a make/model entry for it.

    Which two actions should the customer take to make the switch work with the Junos Pulse Access Control Service? (Choose two.)

    A. Add the switch to the Junos Pulse Access Control Service as a standard RADIUS.
    B. Add the switch to the Junos Pulse Access Control Service using the "Any" make/model.
    C. Add the switch as a firewall enforcer.
    D. Obtain and configure the RADIUS dictionary for the switch and use that vendor listing for the make/model.

    Correct Answer: AD
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    From 'Junos Pulse Access Control Service Administration Guide v4.1' page 153;

    "RADIUS Dictionary

    If you are not sure which make and model switch you are using or if your device is not in the list, select - Standard RADIUS - for Make/Model. Alternately, you can upload additional dictionaries to add a new NAD."

    QUESTION 8
    Which three settings are accessible from the serial console menu on a MAG Series device? (Choose three.)

    A. The ping command
    B. Factory default reset
    C. Personality image
    D. License imports
    E. Admin login credentials

    Correct Answer: ABE
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    From Juniper's Technical Documentation;

    Performing Common Recovery Tasks with the Serial Console:
    http://www.juniper.net/techpubs/en_US/sa7.3/topics/reference/general/secure-access-serial-console-common-tasks.html

    Ping, Factory reset, Create superadministrator account

    QUESTION 9
    What is the function of Host Checker?

    A. To allow clientless access to the network
    B. To restrict access to protected resources on the network
    C. To scan an endpoint for compliance with security policies
    D. To push a firewall policy to the endpoint's local firewall application

    Correct Answer: B
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 10
    Click the Exhibit button.

    What is the cause of the error shown in the exhibit?

    A. A RADIUS request is being received from a device that is not configured on the RADIUS Client page.
    B. A user entered an incorrect password during RADIUS authentication.
    C. A RADIUS proxy attempt failed to reach the configured proxy server.
    D. The RADIUS shared secret is incorrect.

    Correct Answer: A
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 11
    You have a firewall enforcer protecting resources in a data center. A user is experiencing difficulty connecting to a protected resource.

    Which two elements must exist so the user can access the resource? (Choose two.)

    A. Resource access policy on the MAG Series device
    B. IPsec routing policy on the MAG Series device
    C. General traffic policy blocking access through the firewall enforcer
    D. Auth table entry on the firewall enforcer

    Correct Answer: AD
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 12
    A user's Junos Pulse client uses 802.1X to access a wired network and is failing to authenticate. You run a packet capture from the user's PC and notice that immediately after the client machine sends an EAPoL-start packet, an EAP-failure packet is returned. You review the RADIUS troubleshooting logs on the MAG Series device and do not see any authentication attempts from the user. Other users on the same Ethernet switch are successfully authenticating.

    Which device is sending the EAP-failure packet to the workstation?

    A. The RADIUS server
    B. The EAPoL server
    C. The workstation's network adapter
    D. The Ethernet switch

    Correct Answer: D
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 13
    You want to ensure that users who access the company's protected resources present a client certificate before they are allowed to sign in.

    What should you configure?

    A. A certificate authentication policy that allows all users and remembers certificate information while the user is signed in.
    B. A certificate authentication policy that only allows users with a client-side certificate signed by a trusted client CA to sign in.
    C. A certificate role restriction that allows all users and remembers certificate information while the user is signed in.
    D. A certificate role restriction that only allows users with a client-side certificate signed by a trusted client CA to sign in.

    Correct Answer: B
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 14
    What are two ways to access the Junos Pulse Access Control Service? (Choose two.)

    A. admin GUI
    B. Telnet
    C. SSH
    D. console

    Correct Answer: AD
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    From Juniper's Technical Documentation:
    (Console) http://www.juniper.net/techpubs/en_US/sa7.3/topics/reference/general/secure-access-serial-console-setup.html

    From Juniper's Learning Portal, 'Junos Pulse Access Control' Class Description:

    Chapter 3: Initial Configuration

    Junos Pulse Access Control Service Initial Configuration: Console
    Junos Pulse Access Control Service Initial Configuration: Admin UI

    QUESTION 15
    You are configuring an IPsec routing policy that will be used with a ScreenOS firewall enforcer.

    What must you also configure?

    A. Source IP policies on the ScreenOS device
    B. ScreenOS IPsec policies on the Junos Pulse Access Control Service
    C. VPN NAT traversal on the ScreenOS device
    D. Source interface policies on the Junos Pulse Access Control Service

    Correct Answer: B
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    From 'Junos Pulse Access Control Service Administration Guide v4.1' page 101 and 102;

    "You can set up a basic ScreenOS IPsec policy on the IC Series device and push the policy to the ScreenOS Enforcer, or you can set up the policy using ScreenOS Web UI or the command line." pg 101

    "With ScreenOS Release 6.1 or later the IC Series device can dynamically provision IPsec routing policies for you, eliminating the need to configure a separate policy for each resource." pg 102

    QUESTION 16
    On a MAG Series device, where is the preauthentication sign-in message configured?

    A. On the configuration page for the sign-in notification message
    B. On the wireless user realm authentication policy
    C. On the sign-in policy of the URL being used by the wireless users
    D. On the sign-in page of the URL being used by the wireless users

    Correct Answer: C
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 17
    You are the administrator in your company and you have restricted administrator access to require a user certificate to access the admin GUI on your company's MAG Series device. You must now access the admin GUI from a PC that does not have your user certificate installed.

    How would you access the MAG Series device admin GUI with this PC?

    A. Perform a factory reset of the MAG Series device.
    B. Connect to the MAG Series device with HTTP instead of HTTPS, e.g. http:///admin.
    C. Create a Super Admin Session through the console menu and use the resulting one-time token to access the admin GUI.
    D. Log in through the console port and reset the admin password to get into the admin GUI.

    Correct Answer: C
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    From Juniper's Technical Documentation;

    Performing Common Recovery Tasks with the Serial Console:
    http://www.juniper.net/techpubs/en_US/sa7.3/topics/reference/general/secure-access-serial-console-common-tasks.html

    QUESTION 18
    Which two actions are available in the GUI for creating location awareness rules? (Choose two.)

    A. WINS server
    B. DNS server
    C. IP reachability
    D. Resolve address

    Correct Answer: BD
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    From 'Junos Pulse Access Control Service Administration Guide v4.1' page 45;

    Configuring Connection Rules for Location Awareness:

    The following criteria can be qualified with an interface. Available interface values are physical, Pulse, or any. You can specify the following criteria for establishing a network connection:

    • DNS server(s)—Connect if the DNS server of a network adapter on the endpoint is set to a certain value or set of values.
    • DNS host(s)—Connect if the configured hostname or set of hostnames is (or is not) resolvable to a particular IP address.
    • IP Address(es)—Connect if a network adapter on the endpoint has an IP address that falls within a range or a set of ranges.

    QUESTION 19
    You are the network administrator for your company. A user is complaining that they are not able to access the network with the Junos Pulse client. You run a packet capture on the network interface to monitor the 802.1X authentication process. You notice that after the EAP-request/identity packet is received, and the supplicant responds with an EAP-response/identity packet, no further communication occurs for several seconds.

    What are three causes for this behavior? (Choose three.)

    A. The authenticator is not licensed to support Junos Pulse.
    B. The authenticator did not receive the EAP-response/identity packet.
    C. The authentication server is not receiving the RADIUS packet containing the EAP-response/identity data.
    D. The authenticator is sending the request over its loopback interface.
    E. The authentication server is sending back a RADIUS response packet, but the authenticator is not forwarding the response back to the supplicant.

    Correct Answer: BCE
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 20
    An administrator has created three different Odyssey Access Client preconfiguration files and assigned them to three different roles in the same realm.

    Which action should the administrator take to ensure that users get the correct Odyssey Access Client preconfiguration file?

    A. Configure each user account in the auth server with the appropriate Odyssey Access Client preconfiguration files.
    B. Configure the role-mapping rules with the appropriate Odyssey Access Client preconfiguration files.
    C. Ensure that merge roles is selected in the role-mapping rules.
    D. Ensure that the first role a user is mapped to is the role with the appropriate Odyssey Access Client preconfiguration file.

    Correct Answer: D
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 21
    You want to create a Host Checker policy that looks for a specific antivirus product that is running on your client machines, but the predefined antivirus options do not include the antivirus product version that you use.

    Which feature should you verify the antivirus product is up to date?

    A. Enhanced Endpoint Security
    B. DP signatures
    C. Antivirus licensing
    D. Endpoint Security Assessment Plug-in

    Correct Answer: D
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 22
    What are three benefits of IF-MAP Federation? (Choose three.)

    A. Enables seamless access for remote access users to firewall enforcer protected resources.
    B. Scales a Junos Pulse Access Control Service deployment beyond the capacity of a single cluster.
    C. Enables dynamic configuration synchronization across multiple MAG Series devices.
    D. Provides a substitute for WAN clustering among geographically separated MAG Series devices.
    E. Shares non-localized DP integration and IPsec configuration information between multiple Junos Pulse Access Control Service instances.

    Correct Answer: ABE
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 23
    Which three authentication server types are supported for retrieving user attributes used in role-mapping rules? (Choose three.)

    A. LDAP
    B. S/Key
    C. TACACS+
    D. RADIUS
    E. SiteMinder

    Correct Answer: ADE
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 24
    You have an SRX Series Layer 2 enforcer providing 802.1X authentication for connected endpoints. Your security policy requires that users who fail their authentication be placed in a specific VLAN.

    On the Layer 2 enforcer, at the [edit protocols dot1x authenticator interface] hierarchy for each participating interface, what provides this functionality?

    A. guest-vlan
    B. auth-fail-vlan
    C. server-reject-vlan
    D. server-fail-vlan

    Correct Answer: C
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    From Juniper's Technical Documentation:
    http://www.juniper.net/techpubs/en_US/junos11.1/topics/concept/802-1x-overview.html

    QUESTION 25
    A company has completed two acquisitions over the previous year. Each of the acquired companies was allowed to keep its own independent authentication server. The network administrator has been asked to roll out the Junos Pulse Access Control Service to users within the original company along with each of the two acquired organizations. The administrator configures three authentication realms, one for each independent authentication server, and associates them all with a single sign-in policy. All of the client endpoints are running Junos Pulse on their Windows XP desktops.

    When a user signs in to the Junos Pulse Access Control Service, which statement is correct?

    A. The first authentication realm that was added to the sign-in policy is used by default.
    B. The user is allowed to choose the correct authentication realm from a list presented by Junos Pulse.
    C. When Junos Pulse is initially installed on the desktop, it must be configured with the correct realm.
    D. This is not an allowed configuration; the administrator should configure separate sign-in policies for each realm.

    Correct Answer: B
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 26
    You want to customize access to the corporate network so that agentless users are instructed to obtain a certificate before accessing the network.

    Which two configurations solve this problem? (Choose two.)

    A. Create a custom sign-in page with specific instructions in the "Instructions" field.
    B. Create a custom sign-in page with specific "Missing Certificate" messages in the "Custom error messages" field.
    C. Create a custom sign-in policy with specific instructions in the "Instructions" field.
    D. Create a custom sign-in notification and assign it to the "Pre-Auth Sign-in Notification" in the sign-in policy.

    Correct Answer: AD
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 27
    You want to restrict access to a role based on the client machine from which the user is accessing the network.

    Which two role restrictions accomplish this goal? (Choose two.)

    A. user name
    B. password length
    C. certificate
    D. Host Checker

    Correct Answer: CD
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 28
    A customer is deploying a new Junos Pulse Access Control Service and has completed the initial boot configuration as prompted using a serial connection. The customer now wants to complete the rest of the configuration using the admin GUI.

    Into which port on the Junos Pulse Access Control Service should the customer plug the network cable to enable access to the admin GUI?

    A. the internal interface
    B. the external interface
    C. the management interface
    D. the console interface

    Correct Answer: A
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 29
    A user is successfully authenticating to the network but is unable to access protected resources behind a ScreenOS enforcer. You log in to the ScreenOS enforcer and issue the command get auth table infranet and you do not see the user listed.

    Which two event log settings on the Junos Pulse Access Control Service must you enable to troubleshoot this issue? (Choose two.)

    A. Connection Requests
    B. System Errors
    C. Enforcer Events
    D. Enforcer Command Trace

    Correct Answer: CD
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 30
    A user signs into the Junos Pulse Access Control Service on a wired network. The user then migrates to a wireless network, receives a new IP address, and notices that the session is disconnected.

    In the admin GUI, what must be configured for the user to stay connected when migrating from a wired to a wireless network?

    A. Persistent session
    B. Dynamic evaluation
    C. Roaming session
    D. Browser request follow-through

    Correct Answer: C
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 31
    What are two valid configurations for user-driven remediation when a Windows-based endpoint fails a Host Checker policy? (Choose two.)

    A. Kill a running process on the endpoint, based on executable name and MD5 checksum.
    B. Delete a file on the endpoint's file system.
    C. Download and run a remediation executable from the local software distribution server.
    D. Alter registry entries to prevent future execution of an executable, based on executable name and full path.

    Correct Answer: AB
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 32
    You are receiving reports of possible unauthorized access to resources protected by a firewall enforcer running the Junos OS. You want to verify which users are currently accessing resources through the enforcer.

    Which command should you use to verify user access on the enforcer?

    A. show services unified-access-control authentication-table
    B. show auth table
    C. show services unified-access-control policies
    D. show services unified-access-control captive-portal

    Correct Answer: A
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 33
    Click the Exhibit button.

    A customer configures the Junos Pulse Access Control Service with a Contractor role, an Employee role, and a Remediation role. A user logs in and is assigned the Remediation role.

    Referring to the exhibit, to which RADIUS Return Attributes Policy will the user be assigned?

    A. CorporateVLAN
    B. EmployeeVLAN
    C. RemediationVLAN
    D. GuestVLAN

    Correct Answer: D
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 34
    You are setting up a Junos Pulse Access Control Service. You cannot obtain a device certificate from an external certificate authority.

    Which tool should you use to generate a device certificate?

    A. OpenSSL
    B. OpenSSH
    C. OpenLDAP
    D. OpenRADIUS

    Correct Answer: A
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 35
    You have configured the Odyssey Access Client with a profile which has the "Disable Server Verification" setting cleared.

    What will be the result if the device certificate on the MAG Series device has expired and the user attempts to authenticate?

    A. The user will be instructed to call the network administrator.
    B. The user will fail authentication.
    C. The user will be prompted to install a new device certificate on the MAG Series device.
    D. The user will successfully authenticate and have full network access.

    Correct Answer: B
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 36
    In a Junos Pulse Access Control Service active/active clustered environment, which statement is true about VIPs?

    A. VIP is not required when using only agentless access for all endpoint platforms.
    B. VIP is not required when using Junos Pulse or Odyssey Access Client for all endpoint platforms.
    C. VIP is not required when using Junos Pulse and agentless access for all endpoint platforms.
    D. VIP is not required when using Odyssey Access Client and agentless access for all endpoint platforms.

    Correct Answer: B
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 37
    Which three types of policies must you configure to allow remote users transparent access to protected resources using IF-MAP Federation between a Junos Pulse Secure Access Service and a Junos Pulse Access Control Service? (Choose three.)

    A. Session-Export policies on the Junos Pulse Secure Access Service
    B. Session-Export policies on the Junos Pulse Access Control Service
    C. Session-Import policies on the Junos Pulse Secure Access Service
    D. Session-Import policies on the Junos Pulse Access Control Service
    E. Resource access policies on the Junos Pulse Access Control Service

    Correct Answer: ADE
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 38
    What are two features provided by the Junos Pulse client? (Choose two.)

    A. 802.1X
    B. video messaging
    C. IPsec
    D. VoIP

    Correct Answer: AC
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 39
    You have a MAG Series device with IP address 10.0.1.5 and hostname acl.pulse.local acting as an IF-MAP Federation server. The subject name of the device certificate on this server is acl.pulse.local.

    Which server URL must you configure on the IF-MAP clients communicating with this IF-MAP Federation server?

    A. https://acl.pulse.local/dana-ws/soap/dsifmap
    B. http://acl.pulse.local/dana-ws/soap/dsifmap
    C. https://acl/dana-ws/soap/dsifmap
    D. http://10.0.1.5/dana-ws/soap/dsifmap

    Correct Answer: A
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 40
    You are installing a new deployment of the Junos Pulse Access Control Service. You have an existing RADIUS server that has a populated user file. You are considering using the RADIUS proxy feature.

    Which consideration must you take into account?

    A. Your RADIUS server database must be replicated onto another device for redundancy.
    B. Inner proxy creates a tunnel between the supplicant and the external server.
    C. RADIUS proxy causes the role assignment process to be skipped.
    D. Outer proxy configuration passes authentication data to the external RADIUS server in clear text.

    Correct Answer: C
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 41
    You have multiple realms configured on a MAG Series device. A user is authenticating with a non-Junos Pulse Access Control Service client. The username does not contain a realm suffix.

    Which behavior will the user experience?

    A. The user will not be able to log-in, as the Junos Pulse Access Control Service device cannot map the user to a realm when the realm value is empty.
    B. The user will be mapped to all realms available to the user.
    C. The Junos Pulse Access Control Service device displays a page where the user must choose from a list of realms.
    D. The endpoint is assigned to the first realm in the list whose authentication server is a match with the endpoints software.

    Correct Answer: D
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 42
    A customer is trying to determine which client to deploy. The customer wants to be able to perform Layer 2 authentication as well as connect to the Junos Pulse Secure Access Service.

    Which client should the customer deploy?

    A. Windows native supplicant
    B. Odyssey Access Client
    C. Junos Pulse
    D. Network Connect

    Correct Answer: C
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 43
    You are configuring an LDAP authentication server, and you want to configure role-mapping rules based on group membership. When you attempt to search for groups in the server catalog, no groups appear.

    Assuming the LDAP server is reachable and functioning properly, which two parts of the configuration in the admin GUI should you verify are correct? (Choose two.)

    A. Finding user entries
    B. Authentication required
    C. LDAP Server Type
    D. Determining group membership

    Correct Answer: BD
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 44
    Before replacing a MAG Series device, using the admin GUI, you export two backup files, system.cfg from "Maintenance" > "Import/Export Configuration" and user.cfg from "Maintenance" > "Import/Export Users". When you receive the new hardware, you import all of the settings stored in the system.cfg file (including the IP address, network configuration, and device certificates), but you fail to import the user.cfg file.

    Which three configuration areas were updated by system.cfg? (Choose three.)

    A. Cluster configuration settings
    B. Static routes
    C. SNMP settings
    D. Sign-in policies
    E. MAC authentication realms

    Correct Answer: ABC
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 45
    You administer a network containing SRX Series firewalls. New policy requires that you implement MAG Series devices to provide access control for end users. The policy requires that the SRX Series devices dynamically enforce security policy based on the source IP address of the user. The policy also requires that the users communicate with protected resources using encrypted traffic.

    Which two statements are true? (Choose two.)

    A. The endpoints can use agentless access.
    B. Encrypted traffic flows between the endpoint and the enforcer.
    C. Encrypted traffic flows between the endpoint and the protected resource
    D. The endpoints can use the Odyssey Access Client.

    Correct Answer: BD
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 46
    Click the Exhibit button.

    A user logs in, is assigned the default role, and successfully loads the Host Enforcer policies shown in the exhibit.

    Which three statements are true? (Choose three.)

    A. The local host will respond to ICMP echo-request packets from 192.168.53.10.
    B. The local host will respond to UDP port 53 requests from 192.168.1.25.
    C. The local host can send any packet of any type to host 172.16.1.1.
    D. The local host will accept any packet of any type from host 172.16.1.1.
    E. The local host can send packets to UDP port 512 on server 192.168.53.10.

    Correct Answer: ACD
    Section: (none)
    Explanation

    Explanation/Reference:
    Explanation:

    QUESTION 47
    An outside vendor is eligible for the guest role and the contractor role when accessing your network, which is secured with the Junos Pulse Access Control Service.

    What is the default role-mapping behavior?

    A. The vendor must select a role from a list of eligible roles.
    B. The vendor must select a rule from a list of eligible rules.
    C. The vendor is automatically mapped to the first configured role
    D. The vendor is automatically granted a merged role.

    Correct Answer: D
    Section: (none)

    QUESTION 48
    You want to create a security policy on an SRX240 that redirects unauthenticated users back to the Junos Pulse Access Control Service.

    Which two steps must you take to accomplish this task? (Choose two.)

    A. Configure a captive-portal service that redirects all traffic back to the Junos Pulse Access Control Service.
    B. Configure a security policy that references the unified-access-control captive-portal service.
    C. Configure a captive-portal service that redirects unauthenticated traffic back to the Junos Pulse Access Control Service.
    D. Configure a security policy that references the unified-access-control intranet-controller service.

    Correct Answer: BC
    Section: (none)

    QUESTION 49
    Which three authentication resources are grouped within an authentication realm? (Choose three.)

    A. Authentication enforcer
    B. Directory server
    C. Captive authentication
    D. Authentication policy
    E. Role-mapping rules

    Correct Answer: BDE
    Section: (none)

    QUESTION 50
    A customer has purchased a new Junos Pulse Access Control Service and wants to install it in an existing cluster. After initial configuration, the customer finds that the firmware version running on the Junos Pulse Access Control Service is 4.1 r5, but the existing cluster is running firmware version 4.1 r3.

    Which two actions must be performed to allow the new Junos Pulse Access Control Service to load the older version of firmware? (Choose two.)

    A. Install a valid license on the new Junos Pulse Access Control Service.
    B. When loading the older firmware, delete all the existing data on the Junos Pulse Access Control Service.
    C. Add the new Junos Pulse Access Control Service to the existing cluster.
    D. Download the 4.1 r3 version firmware from the Juniper support website.

    Correct Answer: BD
    Section: (none)

    QUESTION 51
    What information does the Junos Pulse Access Control Service provide to Security Threat Response Manager (STRM)? (Choose two.)

    A. Session length
    B. User browser information
    C. Session IP address
    D. User identity information

    Correct Answer: CD
    Section: (none)

    QUESTION 52
    Without calling JTAC, which two troubleshooting tools on a MAG Series device would you use to identify the cause of an authentication failure?

    A. Remote Debugging
    B. System Snapshot
    C. User Access logs
    D. Policy Tracing

    Correct Answer: CD
    Section: (none)

    QUESTION 53
    Two MAG4610s are running in an active/passive cluster configuration. The system administrator is planning to apply a service package to the cluster.

    Which process should the administrator follow?

    A. Perform the upgrade on the active node of the cluster. When completed, the node reboots and then pushes the service package to the passive node automatically.
    B. Perform the upgrade on the passive node of the cluster. When completed, the node reboots and then pushes the service package to the active node automatically.
    C. On the clustering status page, disable the active node. Perform the upgrade on the disabled node. When completed and the node reboots, enable the node on the clustering status page. Repeat the process on the passive node.
    D. On the clustering status page, disable the passive node. Perform the upgrade on the disabled node. When completed and the node reboots, enable the node on the clustering status page. Repeat the process on the active node.

    Correct Answer: A
    Section: (none)

    QUESTION 54
    When configuring resource access policies in a Junos Pulse Access Control Service device, which entry is permitted when defining the specific resources?

    A. Hostname
    B. fully qualified domain name
    C. IP address
    D. address book entry

    Correct Answer: C
    Section: (none)

    QUESTION 55
    You are customizing the user interface options for the finance department in your organization. Users in the department are able to see a session counter on the Web interface of the Junos Pulse Access Control Service. The CFO is unable to see the session counter.

    Which explanation would cause this behavior?

    A. The CFO is mapped to the finance role, but the session counter was enabled prior to the role mapping.
    B. The CFO is mapped to the finance role, but the session counter was enabled after the role mapping.
    C. The CFO is mapped to the executive and finance roles, but the CFO was mapped to the executive role first, which does not have the session counter enabled.
    D. The CFO is mapped to the executive and finance roles, but the CFO was mapped to the executive role last, which does not have the session counter enabled.

    Correct Answer: C
    Section: (none)

    QUESTION 56
    You are an administrator of an active/passive cluster of MAG Series devices running in mixed-mode configuration (IF-MAP server and authenticating users). The active user count is quickly approaching the maximum limit of the cluster. You have been directed to reconfigure the cluster to an active/active cluster and add a new license to increase the total number of active users the cluster can support.

    What must you do before changing the cluster configuration?

    A. Apply the new license to the passive node of the cluster.
    B. Configure an external load balancer to hold the VIP.
    C. Disable the active node in the cluster.
    D. Remove the IF-MAP server configuration.

    Correct Answer: D
    Section: (none)

    QUESTION 57
    Which protocol is used for communication between the Junos Pulse client and 802.1X-compliant switches when performing Layer 2 enforcement?

    A. EAP
    B. RADIUS
    C. SSL
    D. EAP-o-HTTP

    Correct Answer: A
    Section: (none)

    QUESTION 58
    You have configured Junos Pulse on your Windows desktop and want to verify that the IPsec configuration policy is being pushed down to your workstation upon network authentication and login.

    Which utility program do you use to see this configuration and where do you find it?

    A. the Pulse Diagnostics Tool in the "File" > "Tools" menu option in the Pulse GUI
    B. the Pulse Diagnostics Tool in the "Start" > "All Programs" > "Juniper Networks" > "Junos Pulse" menu folder next to the Junos Pulse application
    C. the Pulse Diagnostics Viewer, which you access by simultaneously pressing "Ctrl" and "F2"
    D. the Pulse Diagnostics Viewer in the "File" > "Tools" menu option in the Pulse GUI

    Correct Answer: C
    Section: (none)

    QUESTION 59
    You have a firewall enforcer protecting sensitive internal resources in a data center. The network traversed by endpoint traffic is semi-trusted, so you need to encrypt the traffic between the endpoints accessing the resources and the firewall enforcer.

    Which type of policies provide this level of protection?

    A. resource access policies
    B. Host Enforcer policies
    C. source IP enforcement policies
    D. IPsec enforcement policies

    Correct Answer: D
    Section: (none)

    QUESTION 60
    How would an end user add both a Junos Pulse Access Control Service URL and a Junos Pulse Secure Access Service URL to the same Junos Pulse client?

    A. By adding two separate connections in the connections dialog box
    B. By adding two separate intranet Controllers under the configuration hierarchy
    C. By adding one intranet Controller and one SA under the configuration hierarchy
    D. By adding two URLs under a connection in the connections dialog box

    Correct Answer: A
    Section: (none)

    QUESTION 61
    Which service is provided by a MAG Series device?

    A. Routing
    B. MPLS VPNs
    C. Access control
    D. Intrusion detection

    Correct Answer: C
    Section: (none)

    QUESTION 62
    A user calls the help desk and explains that they just purchased a Macintosh computer. When they log into the network, the Odyssey Access Client is not automatically downloaded as it was when the user used their Windows PC.

    How do you resolve this issue?

    A. Download the Macintosh installer from the Junos Pulse Access Control Service and manually install the Odyssey Access Client.
    B. Provide the user with the sign-in URL you set up for Macintosh users; this will push the Odyssey Access Client to the user's machine.
    C. Assist the user to configure the Macintosh native supplicant and provide the AppleScript to expose the EAP-JUAC inner authentication protocol.
    D. Configure the user's role to install the Java agent, which is a requirement to allow the Junos Pulse Access Control Service to deploy the Odyssey Access Client.

    Correct Answer: A
    Section: (none)

    QUESTION 63
    Your company has deployed the Junos Pulse Access Control Service. The system administrator notices that the Host Checker policies are not being applied and enforced. You have verified that the controller's configuration is correct.

    Which two conditions are causing this issue? (Choose two.)

    A. The endpoint is using EAP-PEAP with EAP-GTC as the inner protocol.
    B. The endpoint is using EAP-TTLS with EAP-JUAC as the inner protocol.
    C. The endpoint is using EAP-FAST with EAP-GTC as the inner protocol.
    D. The endpoint is using EAP-PEAP with EAP-JUAC as the inner protocol.

    Correct Answer: AC
    Section: (none)

    QUESTION 64
    You want to provide 802.1X access for Windows clients using Junos Pulse as the agent. Which two considerations must you take into account? (Choose two.)

    A. Junos Pulse outer authentication uses EAP-PEAP.
    B. Junos Pulse outer authentication uses EAP-TTLS.
    C. Junos Pulse inner authentication uses EAP-MSCHAP-V2.
    D. The endpoint must use the native Microsoft 802.1X supplicant.

    Correct Answer: BD
    Section: (none)

    QUESTION 65
    What is a function of a user role?

    A. It defines the IPsec parameters for the role.
    B. It assigns access to resources.
    C. It associates the user with a RADIUS server.
    D. It defines the types of authentication methods available to the user

    Correct Answer: A
    Section: (none)

    QUESTION 66
    At which point in the authentication process does the Junos Pulse Access Control Service determine whether the endpoint complies with a realm's authentication policy?

    A. Before the user credentials are submitted to the authentication server
    B. After the user has successfully been authenticated by the authentication server
    C. During the role-mapping process
    D. After the user has been assigned a role

    Correct Answer: A
    Section: (none)

    QUESTION 67
    You are installing a MAG Series device for access control using an SRX Series device as the firewall enforcer. The MAG Series device resides in the same security zone as users. However, the users reside in different subnets and use the SRX Series device as an IP gateway.

    Which statement is true?

    A. You must configure a security policy on the SRX Series device to allow traffic to flow from the user devices to the MAG Series device.
    B. No security policy is necessary on the SRX Series device to allow traffic to flow from the user devices to the MAG Series device.
    C. You must configure host-inbound traffic on the SRX Series device to allow SSL traffic between the MAG Series device and the user devices.
    D. You must configure host-inbound traffic on the SRX Series device to allow EAP traffic between the MAG Series device and the user devices.

    Correct Answer: A
    Section: (none)

    QUESTION 68
    Which Junos Pulse Access Control Service client provides a built-in viewer to access local logs?

    A. Odyssey Access Client
    B. Junos Pulse
    C. Java agent
    D. Agentless access

    Correct Answer: A
    Section: (none)

    QUESTION 69
    A user logs in and is mapped to two roles. The first role has a maximum timeout value of 600 minutes and the default Juniper Networks logo on the user interface page. The second role has a maximum timeout value of 1200 minutes and a custom logo on the user interface page.

    Based on the merging of these two roles, which two will be applied? (Choose two.)

    A. A custom logo on the user interface page
    B. A maximum timeout value of 600 minutes
    C. A maximum timeout value of 1200 minutes
    D. A default Juniper Networks logo on the user interface page

    Correct Answer: CD
    Section: (none)

  • QUESTION 70
    You have created a security policy on an SRX240 that permits traffic from any source-address, any destination-address, and any application. The policy will be a source IP policy for use with the Junos Pulse Access Control Service.

    What must you add to complete the security policy configuration?

    A. The intranet-auth authentication option
    B. The redirect-portal application service
    C. The uac-policy application service
    D. The ipsec-vpn tunnel

    Correct Answer: C
    Section: (none)

    QUESTION 71
    What are two benefits of integrating Junos Pulse Access Control Service with Security Threat Response Manager (STRM)? (Choose two.)

    A. The ability to detect and prevent malicious traffic.
    B. The ability to associate security breaches with a specific user.
    C. Converged management of network and security events, network flow data, and identity information.
    D. Consistent device management across administrative realms.

    Correct Answer: BC
    Section: (none)

    QUESTION 72
    You have a firewall enforcer receiving resource access policies from a Junos Pulse Access Control Service. You are using Network and Security Manager (NSM) for configuration management on that firewall. The firewall can also be configured using its built-in command-line interface (CLI) or Web-based user interface (WebUI).

    To avoid conflicting configurations, which two interfaces must you use to configure the firewall enforcer? (Choose two.)

    A. CLI
    B. WebUI
    C. NSM
    D. Junos Pulse Access Control Service

    Correct Answer: CD
    Section: (none)

    QUESTION 73
    End users want to map a network drive on their PCs when they are connected to the Junos Pulse Access Control Service. The mapped drive must be removed when users disconnect their session.

    Which feature addresses this requirement?

    A. agent session scripts
    B. preconfiguration installer
    C. Junos Pulse component set
    D. agent actions

    Correct Answer: A
    Section: (none)

    QUESTION 74
    Your corporate security policy requires that a user performing attacks must have limited network access and activities until an administrator can investigate.

    In the admin GUI, which sensor event policy action must you configure in "Configuration" > "Sensors" > "Sensor Event Policies" > [rule name] to accomplish this?

    A. Ignore
    B. Replace user's role
    C. Terminate user session
    D. Disable user account

    Correct Answer: B
    Section: (none)

    QUESTION 75
    You are the network administrator for your company. A user is complaining that they are not able to access the network with the Junos Pulse client. You run a packet capture on the network interface to monitor the 802.1X authentication process. You notice that after the EAP-request/identity packet is received, and the supplicant responds with an EAP-response/identity packet, no further communication occurs for several seconds.

    What are three causes for this behavior? (Choose three.)

    A. The authenticator is not licensed to support Junos Pulse.
    B. The authenticator did not receive the EAP-response/identity packet.
    C. The authentication server is not receiving the RADIUS packet containing the EAP-response/identity data.
    D. The authenticator is sending the request over its loopback interface.
    E. The authentication server is sending back a RADIUS response packet, but the authenticator is not forwarding the response back to the supplicant.

    Correct Answer: BCE
    Section: (none)

    QUESTION 76
    When using RADIUS as an external authentication method for 802.1X authentication for the Junos Pulse Access Control Service, what must you do to ensure that the RADIUS authentication works properly?

    A. Configure IP helper to forward the authentication requests from the clients to the external RADIUS server
    B. Configure the supplicant as an external authentication server
    C. Configure RADIUS proxy on the realm
    D. Specify the correct RADIUS port 389 on the Junos Pulse Access Control Service

    Correct Answer: C
    Section: (none)

    QUESTION 77
    You are validating the configuration of your SRX Series device and see the output shown below.

    What does this indicate?

    A. The SRX Series device has been configured correctly, the Junos Pulse Access Control Service is reachable on the network, and the SRX Series device is waiting to receive the initial connection from the Junos Pulse Access Control Service.
    B. The SRX Series device has confirmed that the Junos Pulse Access Control Service is configured and is reachable on the network, the SRX Series device is waiting to receive the connection from the Junos Pulse Access Control Service, and all that remains to be accomplished is to configure the SRX Series device.
    C. The SRX Series device is configured correctly and connected to the Junos Pulse Access Control Service. All that remains to be done to complete the configuration is to configure the SRX Series device on the Junos Pulse Access Control Service.
    D. Both the Junos Pulse Access Control Service and the SRX Series device are configured correctly and communicating with each other.

    Correct Answer: D
    Section: (none)

    QUESTION 78
    In the admin GUI, you navigate to "System" > "Status" > "Active Users". You see several buttons, including "Delete Session", "Delete All Sessions", "Refresh Roles", and "Disable All Users".

    Which two statements are true? (Choose two.)

    A. To forcibly sign out a single user, you should select the check box next to that user's login name, then select "Delete Session".
    B. If you select "Delete All Sessions", all users are forcibly signed out and are unable to sign in again until "Enable All Users" is selected.
    C. Selecting "Disable All Users" prevents users from signing in and starting a new session, but does not forcibly sign out any users that already have an existing session.
    D. Selecting "Refresh Roles" re-evaluates authentication policies, role-mapping rules, and resource policies for all existing user sessions.

    Correct Answer: AD
    Section: (none)

    QUESTION 79
    Which three features are supported with the Junos Pulse client? (Choose three.)

    A. third-party RADIUS support
    B. Host Enforcer
    C. Host Checker
    D. IPsec
    E. soft tokens

    Correct Answer: CDE
    Section: (none)

    QUESTION 80
    You are deploying a Junos Pulse Access Control Service cluster in active/passive mode. How do you configure the IP address on the SRX Series devices?

    A. Configure a single Junos Pulse Access Control Service instance on the enforcer, specifying the VIP as the IP address of the instance.
    B. Configure multiple Junos Pulse Access Control Service instances on the enforcer, specifying the specific IP address of each device in a separate instance.
    C. Configure a single Junos Pulse Access Control Service instance on the enforcer, specifying the VIP and active node IP address in the instance.
    D. Configure a single Junos Pulse Access Control Service instance on the enforcer, specifying the VIP and passive node IP address in the instance.

    Correct Answer: A
    Section: (none)

    QUESTION 81
    You are configuring captive portal on your SRX Series device for guest user access.

    When would you use the redirect-traffic all command?

    A. When you want all unauthenticated traffic to be redirected
    B. When you want all clear text traffic to be redirected.
    C. When you want all authenticated traffic to be redirected.
    D. When you want all encrypted traffic to be redirected.

    Correct Answer: B
    Section: (none)

    QUESTION 82
    You administer a network with Windows-based endpoints that have custom software images. You want to use Host Checker to require that endpoints are running the custom software image.

    Which two Host Checker policy rules would be used to enforce this requirement? (Choose two.)

    A. Isolate a file name unique to the custom image and create a custom rule-type of "File" which matches on the file. Select the "Required" option under the custom rule.
    B. Identify the MAC address unique to network cards installed in PCs with the custom image and create a custom rule-type of "MAC Address" which matches on the appropriate MAC address. Select the "Required" option under the custom rule.
    C. Identify the IP address unique to the network cards installed in PCs with the custom image and create a custom rule-type of "IP Address" which matches on the appropriate IP address. Select the "Required" option under the custom rule.
    D. Isolate or create a unique Windows registry key for the custom image and create a custom rule-type of "Registry Setting" which matches on the name of the registry key.

    Correct Answer: AD
    Section: (none)

    QUESTION 83
    A new software engineer has been hired. As part of the normal hiring process, the user was added to the Active Directory and placed into the Domain Users group and the SW_DEV group. The Domain Users group has access to the company's intranet website and time card system. The SW_DEV group has access to the source code library server. You have created roles that correspond to each Active Directory group. The user calls the help desk stating that they cannot access the source code library server.

    Which two troubleshooting tools would you use on the Junos Pulse Access Control Service to resolve the issue? (Choose two.)

    A. Perform a policy trace for the specific user and review the output to isolate the problem.
    B. Review the Events log.
    C. Review the Admin Access log to verify that the user has the correct permissions to access the SW_DEV resource.
    D. Review the User Access log to verify that the user is getting mapped to both the Domain User role and the SW_DEV role.

    Correct Answer: AD
    Section: (none)

    QUESTION 84
    You are an administrator of a large campus network. Every switch on a floor within each building of your campus has been configured for a different VLAN. During implementation of the Junos Pulse Access Control Service, you must configure a RADIUS return attribute policy to apply a role representing a group of authenticated users that frequently transport their laptops from building to building and floor to floor.

    In the admin GUI, which policy element would you enable to accommodate these users?

    A. Add Session-Timeout attribute with value equal to the session lifetime
    B. Add Termination-Action attribute with value equal 1
    C. VLAN
    D. Open port

    Correct Answer: D
    Section: (none)

    QUESTION 85
    What are three elements the Junos Pulse Access Control Service uses to establish endpoint access to protected resources? (Choose three.)

    A. sign-in policy
    B. authentication realms
    C. role restrictions
    D. policy realms
    E. routing policy

    Correct Answer: ABC
    Section: (none)

    QUESTION 86
    What are two roles of the authenticator as described in the 802.1X standard? (Choose two.)

    A. It proxies the authentication information between the supplicant and the authentication server.
    B. It controls physical access to the network.
    C. It communicates with the authentication server only.
    D. It is responsible for verifying the identity of the supplicant through the use of an internal database.

    Correct Answer: AB
    Section: (none)

    QUESTION 87
    You want to enforce a Host Checker policy so that only users who pass the policy receive the Employee role. In the admin GUI, which two parameters must you configure? (Choose two.)

    A. Select "Require and Enforce" for the Host Checker Policy in the realm authentication policy.
    B. Select "Evaluate Policies" for the Host Checker policy in the realm authentication policy.
    C. Configure the Host Checker policy as a role restriction for the Employee role.
    D. Configure the Host Checker policy as a resource access policy for the Employee role.

    Correct Answer: BC
    Section: (none)

    QUESTION 88
    You have three classes of users on your network: employee, contractor, and IT administrator. You configure the Junos Pulse Access Control Service to assign roles to each user class and require that a specific wireless SSID be preconfigured for the Odyssey Access Client based on the role.

    Which configuration method should you use to satisfy this scenario?

    A. Create a "Settings Update file" in the Odyssey Access Client Administrator and upload it to the Junos Pulse Access Control Service under "User Roles" > "Agent" > "Odyssey Settings" > "Preconfigured Installer".
    B. Configure a wired adapter and assign the required SSID under "User Roles" > "Agent" > "Odyssey Settings".
    C. Create a script in the Odyssey Access Client Administrator and upload it to the Junos Pulse Access Control Service under "User Roles" > "Agent" > "Odyssey Settings" > "Preconfigured Installer".
    D. Create a "Preconfiguration file" in the Odyssey Access Client Administrator and upload it to the Junos Pulse Access Control Service under "User Roles" > "Agent" > "Odyssey Settings" > "Preconfigured Installer".

    Correct Answer: D
    Section: (none)

    QUESTION 89
    What are three necessary steps for enabling 802.1X access when configuring Layer 2 enforcement? (Choose three.)

    A. Configure a location group
    B. Create authentication protocol set
    C. Configure the RADIUS AV pair list
    D. Configure RADIUS clients
    E. Configure role and role-mapping rules

    Correct Answer: ADE
    Section: (none)

    QUESTION 90
    On the Junos Pulse Access Control Service, you have created a role called Secret that you only want to provide to users who present a certificate.

    Using the admin GUI, which two features would you configure to satisfy this requirement? (Choose two.)

    A. Sign-in Policy
    B. Role Mapping Rule
    C. Role Restrictions
    D. Trusted Server CA

    Correct Answer: BC
    Section: (none)

    QUESTION 91
    Your IT manager has requested that you start providing weekly reports of CPU utilization on all network devices.

    Which monitoring function should be enabled on the MAG Series device?

    A. Admin logging
    B. SNMP logging
    C. Syslog server logging
    D. Event logging

    Correct Answer: B
    Section: (none)

    QUESTION 92
    What are three default role-mapping rule values that are available for all realms? (Choose three.)

    A. Username
    B. LDAP user
    C. Certificate
    D. Custom expressions
    E. Source IP

    Correct Answer: ACD
    Section: (none)

    QUESTION 93
    You must configure access to the corporate network for employees using a client access method. Users require IPsec tunneling to protected resources and an 802.1X supplicant. Users will access the network using Windows platforms.

    Which two client access methods would support these requirements? (Choose two.)

    A. Junos Pulse
    B. Java Agent
    C. Odyssey Access Client
    D. Native 802.1X supplicant

    Correct Answer: AC
    Section: (none)

    QUESTION 94
    You are performing the initial setup of a new MAG Series device and have installed a valid CA-signed certificate on the MAG Series device. Connectivity to an existing SRX Series firewall enforcer cannot be obtained.

    What are two explanations for this behavior? (Choose two.)

    A. The MAG Series device has multiple ports associated with the certificate.
    B. The MAG Series device's serial number needs to be configured on the SRX Series device.
    C. The SRX Series device must have a certificate signed by the same authority as the MAG Series device.
    D. The MAG Series device and SRX Series device are not synchronized to an NTP server.

    Correct Answer: CD
    Section: (none)

    QUESTION 95
    In a Junos Pulse Access Control Service firewall enforcement configuration, what is the purpose of the source IP policy?

    A. to specify the destination addresses to which access is permitted
    B. to specify the source address permitted to access the resource
    C. to specify the services to which access is permitted
    D. to inform the enforcer to expect policy information from the Junos Pulse Access Control Service

    Correct Answer: D
    Section: (none)

    QUESTION 96
    You are installing a new deployment of the Junos Pulse Access Control Service. In your environment, you have VoIP handsets that support 802.1X authentication with EAP-MD5.

    Which deployment constraint must you consider?

    A. EAP-MD5 is not supported by the Junos Pulse Access Control Service
    B. EAP-MD5 requires passwords to be stored in an encrypted format.
    C. EAP-MD5 requires passwords to be stored in a clear text format.
    D. EAP-MD5 performs a real time hash of the handset's MAC address.

    Correct Answer: C
    Section: (none)

    QUESTION 97
    What is a Host Enforcer policy?

    A. A policy that is defined on the endpoint that permits or denies inbound or outbound traffic.
    B. A policy that is sent to the endpoint that permits or denies inbound or outbound traffic.
    C. A policy that is sent to the protected resource that permits or denies inbound or outbound traffic.
    D. A policy that is defined on the protected resource that permits or denies inbound or outbound traffic.

    Correct Answer: B
    Section: (none)

    QUESTION 98
    You want to provide all users in your corporation with a single agent that provides access to multiple connection types conditionally. For example, you connect to the Junos Pulse Access Control Service if you are connected to the intranet, but you connect to the Junos Pulse Secure Access Service if you are on a remote network.

    Which agent should you use for this type of connection requirement?

    A. Junos Pulse should be configured with location awareness rules configured.
    B. Odyssey Access Client should be installed with Host Checker configured to check the client's location.
    C. Junos Pulse should be configured with all components installed.
    D. Agentless access should be enabled so that clients can connect to any service without concern for installing an agent.

    Correct Answer: A

    QUESTION 99
    You have created a Host Checker policy that contains multiple rules. You want to inform end users which rule specifically has failed.

    In the admin GUI, which configuration setting would you enable?

    A. Enable Custom Instructions
    B. Pre-auth notification
    C. Remediation message
    D. Send reason strings

    Correct Answer: D

    QUESTION 100
    Your IT director has decided to allow employees to use their laptops at home as well as in the office. You have deployed the Junos Pulse client to allow access to the office's 802.1X-enabled wired network. Your company also has the Junos Pulse Secure Access Service deployed. You want the Junos Pulse client to automatically launch the appropriate access method depending on each user's location.

    Which three are supported to determine the user's location? (Choose three.)

    A. MAC address
    B. DNS server
    C. DHCP server
    D. resolve address
    E. endpoint address

    Correct Answer: BDE

    QUESTION 101
    Which two considerations must you take into account when deploying a Junos Pulse Access Control Service cluster? (Choose two.)

    A. State synchronization occurs only through the internal network interface card (NIC)
    B. Latency of the WAN must be less than 300 ms.
    C. Authenticating endpoints must be on the same LAN segment.
    D. Cluster members must use the same hardware platform.

    Correct Answer: AD

    QUESTION 102
    A system administrator wants to configure 802.1X on an Ethernet switch to enable access to specific parts of the network based on group memberships.

    How can the administrator accomplish this goal?

    A. Configure roles based on departments and assign access based on source IP address.
    B. Configure roles based on the user's manager and assign access based on the user's MAC address
    C. Configure roles based on group memberships and assign a specific VLAN to the role.
    D. Configure roles based on a RADIUS request attribute and assign a specific VLAN to the role.

    Correct Answer: C

    QUESTION 103
    When configuring a single SRX210 as a firewall enforcer to a MAG4610 active/passive cluster, which statement supports a fault-tolerant configuration?

    A. The cluster VIP is defined on the MAG4610 cluster, and the VIP of the cluster is defined as an instance on the SRX Series device.
    B. The cluster VIP is not defined on the MAG4610 cluster, and the IP address of both the active and passive nodes of the cluster are defined as separate instances on the SRX Series device.
    C. The cluster VIP is defined on the MAG4610 cluster, and the IP address of the active node is defined as an instance on the SRX Series device.
    D. The cluster VIP is not defined on the MAG4610 cluster, and the IP address of the passive node is defined as an instance on the SRX Series device.

    Correct Answer: A

    QUESTION 104
    What are two use cases enabled by IF-MAP Federation? (Choose two.)

    A. Users authenticated to one Junos Pulse Access Control Service can transparently access resources protected by another Junos Pulse Access Control Service.
    B. Users authenticated to a Junos Pulse Access Control Service can transparently access resources protected by a Junos Pulse Secure Access Service.
    C. Remote access users authenticated to a Junos Pulse Secure Access Service can transparently access resources protected by a Junos Pulse Access Control Service.
    D. Remote access users authenticated to one Junos Pulse Secure Access Service can transparently access resources protected by another Junos Pulse Secure Access Service.

    Correct Answer: AC

    QUESTION 105
    Using an LDAP authentication server, what do you configure to validate certificate attributes?

    A. Use the "is exactly" or "contains" operators.
    B. Create a user filter matching the DN of the certificate.
    C. Verify that the certificate is issued by a publicly trusted CA.
    D. Match the certificate type and value with an attribute from the LDAP server.

    Correct Answer: D

    QUESTION 106
    In the Junos Pulse Access Control Service, which three actions are only available in the admin GUI? (Choose three.)

    A. Take a "System Snapshot"
    B. Configure "Licensing"
    C. Review the "Events"
    D. Set the date and time
    E. Upgrade or downgrade the firmware

    Correct Answer: BDE

    QUESTION 107
    What are two steps to configure user authentication for a Junos Pulse Access Control Service? (Choose two.)

    A. Configure an authentication policy as part of the user role definitions.
    B. Configure a Sign-in Policy.
    C. Configure authentication agents as part of the user role definitions.
    D. Configure an authentication policy as part of the authentication realm definition.

    Correct Answer: BD

    QUESTION 108
    Which parameter do you use to enable Junos Pulse Access Control Service enforcement on a policy on a ScreenOS platform?

    A. uac-policy
    B. ic-policy
    C. infranet-auth
    D. uac-auth

    Correct Answer: C

    QUESTION 109
    You notice that during peak hours, some firewall enforcers contain a high number of auth table entries. As you investigate the issue, you discover that all users are getting auth table mappings to all firewalls, which is not acceptable.

    What should you do on the Junos Pulse Access Control Service to resolve this problem?

    A. Delete the default auth table mapping policy
    B. Create auth table mapping policies that route users to specific resources
    C. Create Resource Access policies that permit access to specific resources
    D. Create Source Interface policies that route users to specific resources

    Correct Answer: A

    QUESTION 110
    You are configuring an SRX210 as a firewall enforcer that will tunnel IPsec traffic from several Junos Pulse users. Which two parameters must you configure on the SRX210? (Choose two.)

    A. access profile
    B. IKE parameters
    C. tunneled interface
    D. redirect policy

    Correct Answer: AB

    QUESTION 111
    Which Junos Pulse feature allows the user to log in once through a Junos Pulse Secure Access Service on the network and then access resources protected by a Junos Pulse Access Control Service without reauthentication?

    A. Roaming Session
    B. Session Migration
    C. Location Awareness
    D. Persistent Session

    Correct Answer: B

    QUESTION 112
    Your manager has informed you that only specific users can have access to the Preferred Members role, and that these users are restricted to the Preferred Members role. The Preferred Members role-mapping rule is currently set as the last rule in your role-mapping rules and is based on username. Currently all users are assigned to the Preferred Members role-mapping rule.

    Which three changes in the admin GUI will enforce your manager's change request? (Choose three.)

    A. Move the Preferred Members role-mapping rule to the top of the list.
    B. Remove the Preferred Members role from the role-mapping rule.
    C. Edit the Preferred Members role-mapping rule so that the username is equal to *.
    D. Edit the Preferred Members role-mapping rule so that only the select users are assigned to the role-mapping rule.
    E. Edit the Preferred Members role-mapping rule and select "Stop processing rules when this rule matches".

    Correct Answer: ADE

    QUESTION 113
    You are the administrator of a Junos Pulse Access Control Service implementation. You must restrict authenticated users connected from the branch offices to a few specific resources within the data center. However, when the authenticated users are connected at the corporate office, they are allowed more access to the data center resources. You have created two roles with different levels of access and are trying to determine the best way of controlling when a user is mapped to a specific role. Having the user prompted to manually select their role is possible, but you want to automate the process.

    Which configuration solves this problem?

    A. Implement a RADIUS request attribute policy to assist with realm selection and create different role-mapping rules for the user in each realm.
    B. Implement a directory/attribute server on the realm and set up this server to determine by group membership the proper role to which a user should be mapped.
    C. Reorder the role-mapping rules to allow for the more open role to be mapped first and then enable the "stop processing rules when this rule matches" function on this role.
    D. Implement a Host Checker policy on the realm that determines the geographic location of the device and restricts the user based on the results of the policy.

    Correct Answer: A

    QUESTION 114
    An authentication realm consists of which three authentication resources? (Choose three.)

    A. Authentication server
    B. Session options
    C. Authentication policy
    D. End-point security policy
    E. Role-mapping rules

    Correct Answer: ACE

    QUESTION 115
    Your security policy requires that users authenticating to the Junos Pulse Access Control Service are connecting from a domain member endpoint on the internal corporate network.

    Which set of role access restrictions must you configure to enforce this security policy?

    A. Source IP and browser
    B. Source IP and certificate
    C. Certificate and Host Checker
    D. Host Checker and source IP

    Correct Answer: D
