JUNIPER JN0-314 EXAM QUESTIONS & ANSWERS€¦ · 02/06/2014 · B. A certificate authentication policy that only allows users with a client-side certificate signed by a trusted client

JUNIPER JN0-314 EXAM QUESTIONS & ANSWERS

Number: JN0-314Passing Score: 800Time Limit: 120 minFile Version: 39.7

ht t p:/ / w w w .gratisexam.com/

JUNIPER JN0-314 EXAM QUESTIONS & ANSWERS

Exam Name: Junos Pulse Access Control, Specialist (JNCIS-AC)

Exam A

QUESTION 1A customer wants to create a custom Junos Pulse configuration. Which two are required? (Choose two)

A. Connection setB. Configuration setC. Custom installerD. Component set

Correct Answer: ADSection: (none)Explanation

Explanation/Reference:Explanation:

QUESTION 2What is a type of firewall enforcer supported by the Junos Pulse Access Control Service?

A. Checkpoint firewallB. SRX Series deviceC. DP sensorD. MX Series device

Correct Answer: ASection: (none)Explanation


QUESTION 3You navigate to "UAC" > "Infranet Enforcer" > "Auth Table Mapping" in the admin GUI. You see one policy,which is the unmodified, original default policy.

Which statement is true?

A. Dynamic auth table mapping is not enabled.B. A successful authentication attempt will result in a new authentication table entry, which will be delivered

only to the Junos enforcer protecting the network from which the user has authenticated.C. To create a static auth table mapping, you must delete the default policy.D. The default policy applies only to the factory-default role User.



QUESTION 4You have a Junos Pulse Secure Access Service acting as an IF-MAP client, configured to federate all userroles to a Junos Pulse Access Control Service acting as an IF-MAP Federation server. A remote user usingJunos Pulse logs in to the Junos Pulse Secure Access Service; the Junos Pulse Secure Access Serviceprovisions a remote access session for that user.


What happens next?

A. The Junos Pulse Secure Access Service redirects the user to the Junos Pulse Secure Access Servicefor authentication

B. The Junos Pulse Access Control Service provisions enforcement points to enable resource access forthat user.

C. The Junos Pulse Secure Access Service publishes user session and role information to the IF- MAPFederation server,

D. The Junos Pulse Secure Access Service provisions enforcement points to enable resource access forthat user.

Correct Answer: CSection: (none)Explanation


QUESTION 5You are configuring an active/passive cluster of SRX Series devices as the firewall enforcer on a MAGSeries device. Which statement is true?

A. Multiple Infranet Enforcer instances are created with a single serial number of an SRX Series devicedefined in each configuration.

B. A single Infranet Enforcer instance is created with both serial numbers of the clustered SRX Seriesdevices defined in the configuration.

C. Multiple Infranet Enforcer instances are created with a single IP address of an SRX Series devicedefined in each configuration.

D. A single Infranet Enforcer instance is created with the VIP of the clustered SRX Series device defined inthe configuration.

Correct Answer: BSection: (none)Explanation


QUESTION 6Which three settings are accessible from the serial console menu on a MAG Series device? (Choosethree.)

A. The ping commandB. Factory default resetC. Personality imageD. License importsE. Admin login credentials

Correct Answer: ABESection: (none)Explanation


QUESTION 7A user's Junos Pulse client uses 802.1X to access a wired network and is failing to authenticate. You run apacket capture from the user's PC and notice that immediately after the client machine sends an EAPoL-start packet, an EAP-failure packet is returned. You review the RADIUS troubleshooting logs on the MAGSeries device and do not see any authentication attempts from the user. Other users on the same Ethernetswitch are successfully authenticating.

Which device is sending the EAP-failure packet to the workstation?

A. The RADIUS serverB. The EAPoL serverC. The workstation's network adapterD. The Ethernet switch

Correct Answer: DSection: (none)Explanation


QUESTION 8You want to ensure that users who access the company's protected resources present a client certificatebefore they are allowed to sign in.

What should you configure?

A. A certificate authentication policy that allows all users and remembers certificate information while theuser is signed in.

B. A certificate authentication policy that only allows users with a client-side certificate signed by a trustedclient CA to sign in.

C. A certificate role restriction that allows all users and remembers certificate information while the user issigned in.

D. A certificate role restriction that only allows users with a client-side certificate signed by a trusted clientCA to sign in.



QUESTION 9On a MAG Series device, where is the preauthentication sign-in message configured?

A. On the configuration page for the sign-in notification messageB. On the wireless user realm authentication policyC. On the sign-in policy of the URL being used by the wireless usersD. On the sign-in page of the URL being used by the wireless users



QUESTION 10Which two actions are available in the GUI for creating location awareness rules? (Choose two.)

A. WINS serverB. DNS serverC. IP reachabilityD. Resolve address



QUESTION 11You are the network administrator for your company. A user is complaining that they are not able to accessthe network with the Junos Pulse client. You run a packet capture on the network interface to monitor the802.1X authentication process. You notice that after the EAP- request/identity packet is received, and thesupplicant responds with an EAP-response/identity packet, no further communication occurs for severalseconds.

What are three causes for this behavior? (Choose three.)

A. The authenticator is not licensed to support Junos Pulse.B. The authenticator did not receive the EAP-response/identity packet.C. The authentication server is not receiving the RADIUS packet containing the EAP- response/identity

data.D. The authenticator is sending the request over its loopback interface.E. The authentication server is sending back a RADIUS response packet, but the authenticator is not

forwarding the response back to the supplicant.

Correct Answer: BCESection: (none)Explanation


QUESTION 12What are three benefits of IF-MAP Federation? (Choose three.)

A. Enables seamless access for remote access users to firewall enforcer protected resources.B. Scales a Junos Pulse Access Control Service deployment beyond the capacity of a single cluster.C. Enables dynamic configuration synchronization across multiple MAG Series devices.D. Provides a substitute for WAN clustering among geographically separated MAG Series devices.E. Shares non-localized DP integration and IPsec configuration information between multiple Junos Pulse

Access Control Service instances.

Correct Answer: ABESection: (none)Explanation


QUESTION 13You have an SRX Series Layer 2 enforcer providing 802.1X authentication for connected endpoints. Yoursecurity policy requires that users who fail their authentication be placed in a specific VLAN.

On the Layer 2 enforcer, at the [edit protocols dot1x authenticator interface] hierarchy for each participatinginterface, what provides this functionality?

A. guest-vlanB. auth-fail-vlanC. server-reject-vlanD. server-fail-vlan



QUESTION 14A company has completed two acquisitions over the previous year. Each of the acquired companies wasallowed to keep its own independent authentication server. The network administrator has been asked toroll out the Junos Pulse Access Control Service to users within the original company along with each of thetwo acquired organizations. The administrator configures three authentication realms, one for eachindependent authentication server, and associates them all with a single sign-in policy. All of the clientendpoints are running Junos Pulse on their Windows XP desktops.

When a user signs in to the Junos Pulse Access Control Service, which statement is correct?

A. The first authentication realm that was added to the sign-in policy is used by default.B. The user is allowed to choose the correct authentication realm from a list presented by Junos Pulse.C. When Junos Pulse is initially installed on the desktop, it must be configured with the correct realm.D. This is not an allowed configuration; the administrator should configure separate sign-in policies for

each realm.



QUESTION 15You want to customize access to the corporate network so that agentiess users are instructed to obtain acertificate before accessing the network.

Which two configurations solve this problem? (Choose two.)

A. Create a custom sign-in page with specific instructions in the "Instructions" field.B. Create a custom sign-in page with specific "Missing Certificate" messages in the "Custom error

messages" field.C. Create a custom sign-in policy with specific instructions in the "Instructions" field.D. Create a custom sign-in notification and assign it to the "Pre-Auth Sign-in Notification" in the sign-in

policy.



QUESTION 16You want to restrict access to a role based on the client machine from which the user is accessing thenetwork.

Which two role restrictions accomplish this goal? (Choose two.)

A. user nameB. password lengthC. certificateD. Host Checker

Correct Answer: CDSection: (none)Explanation


QUESTION 17A customer is deploying a new Junos Pulse Access Control Service and has completed the initial bootconfiguration as prompted using a serial connection. The customer now wants to complete the rest of theconfiguration using the admin GUI.

Into which port on the Junos Pulse Access Control Service should the customer plug the network cable toenable access to the admin GUI?

A. the internal interfaceB. the external interfaceC. the management interfaceD. the console interface



QUESTION 18A user signs into the Junos Pulse Access Control Service on a wired network. The user then migrates to awireless network, receives a new IP address, and notices that the session is disconnected.

In the admin GUI, what must be configured for the user to stay connected when migrating from a wired to awireless network?

A. Persistent sessionB. Dynamic evaluationC. Roaming sessionD. Browser request follow-through



QUESTION 19What are two valid configurations for user-driven remediation when a Windows-based endpoint fails a HostChecker policy? (Choose two.)

A. Kill a running process on the endpoint, based on executable name and MD5 checksum.B. Delete a file on the endpoint's file system.

C. Download and run a remediation executable from the local software distribution server.D. Alter registry entries to prevent future execution of an executable, based on executable name and full

path.

Correct Answer: ABSection: (none)Explanation


QUESTION 20You are receiving reports of possible unauthorized access to resources protected by a firewall enforcerrunning the Junos OS. You want to verity which users are currently accessing resources through theenforcer.

Which command should you use to verify user access on the enforcer?

A. show services unified-access-control authentication-tableB. show auth tableC. show services unified-access-control policiesD. show services unified-access-control captive-portal



QUESTION 21Click the Exhibit button.

A customer configures the Junos Pulse Access Control Service with a Contractor role, an Employee role,and a Remediation role. A user logs in and is assigned the Remediation role.

Referring to the exhibit, to which RADIUS Return Attributes Policy will the user be assigned?

Exhibit:

A. CorporateVLANB. EmployeeVLANC. RemediationVLAN

D. GuestVLAN



QUESTION 22You are setting up a Junos Pulse Access Control Service. You cannot obtain a device certificate from anexternal certificate authority.

Which tool should you use to generate a device certificate?

A. OpenSSLB. OpenSSHC. OpenLDAPD. OpenRADIUS



QUESTION 23In a Junos Pulse Access Control Service active/active clustered environment, which statement is true aboutVIPs?

A. VIP is not required when using only agentless access for all endpoint platforms.B. VIP is not required when using Junos Pulse or Odyssey Access Client for all endpoint platforms.C. VIP is not required when using Junos Pulse and agentless access for all endpoint platforms.D. VIP is not required when using Odyssey Access Client and agentless access for all endpoint platforms.



QUESTION 24What are two features provided by the Junos Pulse client? (Choose two.)

A. 802.1XB. video messagingC. IPsecD. VoIP

Correct Answer: BDSection: (none)Explanation


QUESTION 25You are installing a new deployment of the Junos Pulse Access Control Service. You have an existing

RADIUS server that has a populated user file. You are considering using the RADIUS proxy feature.

Which consideration must you take into account?

A. Your RADIUS server database must be replicated onto another device for redundancy.B. Inner proxy creates a tunnel between the supplicant and the external server.C. RADIUS proxy causes the role assignment process to be skipped.D. Outer proxy configuration passes authentication data to the external RADIUS server in clear text.



QUESTION 26A customer is trying to determine which client to deploy. The customer wants to be able to perform Layer 2authentication as well as connect to the Junos Pulse Secure Access Service.

Which client should the customer deploy?

A. Windows native supplicantB. Odyssey Access ClientC. Junos PulseD. Network Connect



QUESTION 27You are configuring an LDAP authentication server, and you want to configure role-mapping rules based ongroup membership. When you attempt to search for groups in the server catalog, no groups appear.

Assuming the LDAP server is reachable and functioning properly, in the admin GUI. Which two parts of theconfiguration should you verify are correct? (Choose two.)

A. Finding user entriesB. Authentication required?C. LDAP Server TypeD. Determining group membership



QUESTION 28Click the Exhibit button.

A user logs in, is assigned the default role, and successfully loads the Host Enforcer policies shown in theexhibit.

Which three statements are true? (Choose three.)

Exhibit:

A. The local host will respond to ICMP echo-request packets from 192.168.53.10.B. The local host will respond to UDP port 53 requests from 192.168.1.25.C. The local host can send any packet of any type to host 172.16.1.1.D. The local host will accept any packet of any type from host 172.16.1.1.E. The local host can send packets to UDP port512 on server 192.168.53.10.

Correct Answer: ACDSection: (none)Explanation


QUESTION 29An outside vendor is eligible for the guest role and the contractor role when accessing your network, that issecured with the Junos Pulse Access Control Service.

What is the default role-mapping behavior?

A. The vendor must select a role from a list of eligible roles.B. The vendor must select a rule from a list of eligible rules.C. The vendor is automatically mapped to the first configured roleD. The vendor is automatically granted a merged role.



QUESTION 30You want to create a security policy on an SRX240 that redirects unauthenticated users back to the JunosPulse Access Control Service.

Which two steps must you take to accomplish this task? (Choose two.)

A. Configure a captive-portal service that redirects all traffic back to the Junos Pulse Access ControlService.

B. Configure a security policy that references the unified-access-control captive-portal service.C. Configure a captive-portal service that redirects unauthenticated traffic back to the Junos Pulse Access

Control Service.D. Configure a security policy that references the unified-access-control intranet-controller service.

Correct Answer: BCSection: (none)Explanation


QUESTION 31Which three authentication resources are grouped within an authentication realm? (Choose three.)

A. Authentication enforcerB. Directory serverC. Captive authenticationD. Authentication policyE. Role-mapping rules

Correct Answer: BDESection: (none)Explanation


QUESTION 32A customer has purchased a new Junos Pulse Access Control Service and wants to install it in an existingcluster. After initial configuration, the customer finds that the firmware version running on the Junos PulseAccess Control Service is 4.1 r5, but the existing cluster is running firmware version 4.1 r3.

Which two actions must be performed to allow the new Junos Pulse Access Control Service to load theolder version of firmware? (Choose two.)

A. Install a valid license on the new Junos Pulse Access Control Service.B. When loading the older firmware, delete all the existing data on the Junos Pulse Access Control

Service.C. Add the new Junos Pulse Access Control Service to the existing cluster.D. Download the 4.1 r3 version firmware from the Juniper support website.



QUESTION 33Without calling JTAC, which two troubleshooting tools on a MAG Series device would you use to identify thecause of an authentication failure?

A. Remote DebuggingB. System SnapshotC. User Access logsD. Policy Tracing



QUESTION 34Two MAG4610s are running in an active/passive cluster configuration. The system administrator is planningto apply a service package to the cluster.

Which process should the administrator follow?

A. Perform the upgrade on the active node of the cluster. When completed, the node reboots and thenpushes the service package to the passive node automatically.

B. Perform the upgrade on the passive node of the cluster. When completed, the node reboots and thenpushes the service package to the active node automatically.

C. On the clustering status page, disable the active node. Perform the upgrade on the disabled node.When completed and the node reboots, enable the node on the clustering status page.Repeat the process on the passive node.

D. On the clustering status page, disable the passive node. Perform the upgrade on the disabled node.When completed and the node reboots, enable the node on the clustering status page.Repeat the process on the active node.



QUESTION 35When configuring resource access policies in a Junos Pulse Access Control Service device, which entry ispermitted when defining the specific resources?

A. HostnameB. fully qualified domain nameC. IP addressD. address book entry



QUESTION 36You are customizing the user interface options for the finance department in your organization. Users in thedepartment are able to see a session counter on the Web interface of the Junos Pulse Access ControlService. The CFO is unable to see the session counter.

Which explanation would cause this behavior?

A. The CFO is mapped to the finance role, but the session counter was enabled prior to the role mapping.B. The CFO is mapped to the finance role, but the session counter was enabled after the role mapping.C. The CFO is mapped to the executive and finance roles, but the CFO was mapped to the executive role

first, which does not have the session counter enabled.D. The CFO is mapped to the executive and finance roles, but the CFO was mapped to the executive role

last, which does not have the session counter enabled.



QUESTION 37You are an administrator of an active/passive cluster of MAG Series devices running in mixed- modeconfiguration (IF-MAP server and authenticating users). The active user count is quickly approaching themaximum limit of the cluster. You have been directed to reconfigure the cluster to an active/active clusterand add a new license to increase the total number of active users the cluster can support.

What must you do before changing the cluster configuration?

A. Apply the new license to the passive node of the cluster.B. Configure an external load balancer to hold the VIP.C. Disable the active node in the cluster.D. Remove the IF-MAP server configuration.



QUESTION 38Which protocol is used for communication between the Junos Pulse client and 802.1X-compliant switcheswhen performing Layer 2 enforcement?

A. EAPB. RADIUSC. SSLD. EAP-o-HTTP



QUESTION 39You have configured Junos Pulse on your Windows desktop and want to verify that the IPsec configurationpolicy is being pushed down to your workstation upon network authentication and login.

Which utility program do you use to see this configuration and where do you find it?

A. the Pulse Diagnostics Tool in the "File" > "Tools" menu option in the Pulse GUIB. the Pulse Diagnostics Tool in the "Start" > "All Programs" > "Juniper Networks" > "Junos Pulse" menu

folder next to the Junos Pulse applicationC. the Pulse Diagnostics Viewer, which you access by simultaneously pressing "Ctrl" and "F2"D. the Pulse Diagnostics Viewer in the "File" > "Tools" menu option in the Pulse GUI



QUESTION 40How would an end user add both a Junos Pulse Access Control Service URL and a Junos Pulse SecureAccess Service URL to the same Junos Pulse client?

A. By adding two separate connections in the connections dialog boxB. By adding two separate intranet Controllers under the configuration hierarchyC. By adding one intranet Controller and one SA under the configuration hierarchyD. By adding two URLs under a connection in the connections dialog box



Exam B

QUESTION 1Which service is provided by a MAG Series device?

A. RoutingB. MPLS VPNsC. Access controlD. Intrusion detection



QUESTION 2A user calls the help desk and explains that they just purchased a Macintosh computer. When they log intothe network, the Odyssey Access Client is not automatically downloaded as it was when the user used theirWindows PC.

How do you resolve this issue?

A. Download the Macintosh installer from the Junos Pulse Access Control Service and manually install theOdyssey Access Client.

B. Provide the user with the sign-in URL you set up for Macintosh users; this will push the Odyssey AccessClient to the user's machine.

C. Assist the user to configure the Macintosh native supplicant and provide the AppleScnptto expose theEAP-JUAC inner authentication protocol.

D. Configure the user's role to install the Java agent, which is a requirement to allow the Junos PulseAccess Control Service to deploy the Odyssey Access Client.



QUESTION 3You want to provide 802.1X access for Windows clients using Junos Pulse as the agent. Which twoconsiderations must you take into account? (Choose two.)

A. Junos Pulse outer authentication uses EAP-PEAP.B. Junos Pulse outer authentication uses EAP-TTLS.C. Junos Pulse inner authentication uses EAP-MSCHAP-V2.D. The endpoint must use the native Microsoft 802.1X supplicant.



QUESTION 4At which point in the authentication process does the Junos Pulse Access Control Service determinewhether the endpoint complies with a realm's authentication policy?

A. Before the user credentials are submitted to the authentication serverB. After the user has successfully been authenticated by the authentication serverC. During the role-mapping processD. After the user has been assigned a role



QUESTION 5You are installing a MAG Series device for access control using an SRX Series device as the firewallenforcer. The MAG Series device resides in the same security zone as users. However, the users reside indifferent subnets and use the SRX Series device as an IP gateway.

Which statement is true?

A. You must configure a security policy on the SRX Series device to allow traffic to flow from the userdevices to the MAG Series device.

B. No security policy is necessary on the SRX Series device to allow traffic to flow from the user devices tothe MAG Series device.

C. You must configure host-inbound traffic on the SRX Series device to allow SSL traffic between the MAGSeries device and the user devices.

D. You must configure host-inbound traffic on the SRX Series device to allow EAP traffic between the MAGSeries device and the user devices.



QUESTION 6Which Junos Pulse Access Control Service client provides a built-in viewer to access local logs?

A. Odyssey Access ClientB. Junos PulseC. Java agentD. Agent less access



QUESTION 7A user logs in and is mapped to two roles. The first role has a maximum timeout value of 600 minutes andthe default Juniper Networks logo on the user interface page. The second role has a maximum timeoutvalue of 1200 minutes and a custom logo on the user interface page.

Based on the merging of these two roles, which two will be applied? (Choose two.)

A. A custom logo on the user interface pageB. A maximum timeout value of 600 minutesC. A maximum time out value of 1200 minutes

D. A default Juniper Networks logo on the user interface page



QUESTION 8What are two benefits of integrating Junos Pulse Access Control Service with Security Threat ResponseManager (STRM)? (Choose two.)

A. The ability to detect and prevent malicious traffic.B. The ability to associate security breaches with a specific user.C. Converged management of network and security events, network flow data, and identity information.D. Consistent device management across administrative realms.



QUESTION 9End users want to map a network drive on their PCs when they are connected to the Junos Pulse AccessControl Service. The mapped drive must be removed when users disconnect their session.

Which feature addresses this requirement?

A. agent session scriptsB. preconfiguration installerC. Junos Pulse component setD. agent actions



QUESTION 10Your corporate security policy requires that a user performing attacks must have limited network accessand activities until an administrator can investigate.

In the admin GUI, which sensor event policy action must you configure in "Configuration" > "Sensors" >"Sensor Event Policies" > [rule name] to accomplish this?

A. IgnoreB. Replace user's roleC. Terminate user sessionD. Disable user account


Explanation/Reference:

Explanation:

QUESTION 11You are the network administrator for your company. A user is complaining that they are not able to accessthe network with the Junos Pulse client. You run a packet capture on the network interface to monitor the802.1X authentication process. You notice that after the EAP- request/identity packet is received, and thesupplicant responds with an EAP-response/identity packet, no further communication occurs for severalseconds.

What are three causes for this behavior? (Choose three.)

A. The authenticator is not licensed to support Junos Pulse.B. The authenticator did not receive the EAP-response/identity packet.C. The authentication server is not receiving the RADIUS packet containing the EAP- response/identity

data.D. The authenticator is sending the request over its loopback interface.E. The authentication server is sending back a RADIUS response packet, but the authenticator is not

forwarding the response back to the supplicant.

Correct Answer: BCESection: (none)Explanation


QUESTION 12When using RADIUS as an external authentication method for 802.1X authentication for the Junos PulseAccess Control Service, what must you do to ensure that the RADIUS authentication works properly?

A. Configure IP helper to forward the authentication requests from the clients to the external RADIUSserver

B. Configure the supplicant as anexternal authentication serverC. Configure RADIUS proxy on the realmD. Specify the correct RADIUS port 389 on the Junos Pulse Access Control Service



QUESTION 13You are validating the configuration of your SRX Series device and see the output shown below.

What does this indicate?

A. The SRX Series device has been configured correctly, the Junos Pulse Access Control Service isreachable on the network, and the SRX Series device is waiting to receive the initial connection from theJunos Pulse Access Control Service.

B. The SRX Series device has confirmed that the Junos Pulse Access Control Service is configured and isreachable on the network, the SRX Series device is waiting to receive the connection from the JunosPulse Access Control Service, and all that remains to be accomplished is to configure the SRX Seriesdevice.

C. The SRX Series device is configured correctly and connected to the Junos Pulse Access Control

Service. All that remains to be done to complete the configuration is to configure the SRX Series deviceon the Junos Pulse Access Control Service.

D. Both the Junos Pulse Access Control Service and the SRX Series device are configured correctly andcommunicating with each other.



QUESTION 14Which three features are supported with the Junos Pulse client? (Choose three.)

A. third-party RADIUS supportB. Host EnforcerC. Host CheckerD. IPsecE. soft tokens

Correct Answer: CDESection: (none)Explanation


QUESTION 15You are configuring captive portal on your SRX Series device for guest user access.

When would you use the redirect-traffic all command?

A. When you want all unauthenticated traffic to be redirectedB. When you want all clear text traffic to be redirected.C. When you want all authenticated traffic to be redirected.D. When you want all encrypted traffic to be redirected.



QUESTION 16You administer a network with Windows-based endpoints that have custom software images. You want touse Host Checker to require that endpoints are running the custom software image.

Which two Host Checker policy rules would be used to enforce this requirement? (Choose two.)

A. Isolate a file name unique to the custom image and create a custom rule-type of "File" which matcheson the file. Select the "Required" option under the custom rule.

B. Identify the MAC address unique to network cards installed in PCs with the custom image and create acustom rule-type of "MAC Address" which matches on the appropriate MAC address.Select the "Required" option under the custom rule

C. Identify the IP address unique to the network cards installed in PCs with the custom image and create acustom rule-type of "IP Address" which matches on the appropriate IP address. Select the "Required"option under the custom rule.

D. Isolate or create a unique Windows registry key for the custom image and create a custom rule- type of

"Registry Setting" which matches on the name of the registry key.



QUESTION 17A new software engineer has been hired. As part of the normal hiring process, the user was added to theActive Directory and placed into the Domain Users group and the SW_DEV group. The Domain Usersgroup has access to the company's intranet website and time card system. The SW_DEV group hasaccess to the source code library server. You have created roles that correspond to each Active Directorygroup. The user calls the help desk stating that they cannot access the source code library server.

Which two troubleshooting tools would you use on the Junos Pulse Access Control Service to resolve theissue? (Choose two.)

A. Perform a policy trace for the specific user and review the output to isolate the problem.B. Review the Events log.C. Review the Admin Access log to verify that the user has the correct permissions to access the

SVVJDEV resource.D. Review the User Access log to verify that the user is getting mapped to both the Domain User role and

the SW_DEV role.



QUESTION 18What are three elements the Junos Pulse Access Control Service uses to establish endpoint access toprotected resources? (Choose three.)

A. sign-in policyB. authentication realmsC. role restrictionsD. policy realmsE. routing policy

Correct Answer: ABCSection: (none)Explanation


QUESTION 19What are two roles of the authenticator as described in the 802.1X standard? (Choose two.)

A. It proxies the authentication information between the supplicant and the authentication server.B. It controls physical access to the network.C. It communicates with the authentication server only.D. It is responsible for verifying the identity of the supplicant through the use of an internal database.

Correct Answer: ABSection: (none)

Explanation


QUESTION 20What are three necessary steps for enabling 802.1X access when configuring Layer 2 enforcement?(Choose three.)

A. Configure a location groupB. Createan authentication protocol setC. Configure the RADIUS AV pair listD. Configure RADIUS clientsE. Configure role and role-mapping rules

Correct Answer: ADESection: (none)Explanation


QUESTION 21On the Junos Pulse Access Control Service, you have created a role called Secret that you only want toprovide to users who present a certificate.

Using the admin GUI, which two features would you configure to satisfy this requirement? (Choose two.)

A. Sign-in PolicyB. Role Mapping RuleC. Role RestrictionsD. Trusted Server CA



QUESTION 22Your IT manager has requested that you start providing weekly reports of CPU utilization on all networkdevices.

Which monitoring function should be enabled on the MAG Series device?

A. Admin loggingB. SNMP loggingC. Syslog server loggingD. Event logging



QUESTION 23What are three default role-mapping rule values that are available for all realms? (Choose three.)

A. UsernameB. LDAP userC. CertificateD. Custom expressionsE. Source y IP

Correct Answer: ACDSection: (none)Explanation


QUESTION 24You must configure access to the corporate network for employees using a client access method. Usersrequire IPsec tunneling to protected resources and an 802.1X supplicant. Users will access the networkusing Windows platforms.

Which two client access methods would support these requirements? (Choose two.)

A. Junos PulseB. Java AgentC. Odyssey Access ClientD. Native 802.1X supplicant

Correct Answer: ACSection: (none)Explanation


QUESTION 25You are performing the initial setup of a new MAG Series device and have installed a valid CA- signedcertificate on the MAG Series device. Connectivity to an existing SRX Series firewall enforcer cannot beobtained.

What are two explanations for this behavior? (Choose two.)

A. The MAG Series device has multiple ports associated with the certificate.B. The MAG Series device's serial number needs to be configured on the SRX Series device.C. The SRX Series device must have a certificate signed by the same authority as the MAG Series device.D. The MAG Series device and SRX Series device are not synchronized to an NTP server.



QUESTION 26You are installing a new deployment of the Junos Pulse Access Control Service. In your environment, youhave VoIP handsets that support 802.1X authentication with EAP-MD5.

Which deployment constraint must you consider?

A. EAP-MD5 is not supported by the Junos Pulse Access Control ServiceB. EAP-MD5 requires passwords to be stored in an encrypted format.

C. EAP-MD5 requires passwords to be stored in a clear text format.D. EAP-MD5 performs a real time hash of the handset's MAC address.



QUESTION 27What is a Host Enforcer policy?

A. A policy that is defined on the endpoint that permits or denies inbound or outbound traffic.B. A policy that is sent to the endpoint that permits or denies inbound or outbound traffic.C. A policy that is sent to the protected resource that permits or denies inbound or outbound traffic.D. A policy that is defined on the protected resource that permits or denies inbound or outbound traffic.



QUESTION 28You want to provide all users in your corporation with a single agent that provides access to multipleconnection types conditionally. For example, you connect to the Junos Pulse Access Control Service if youare connected to the intranet, but you connect to the Junos Pulse Secure Access Service if you are on aremote network.

Which agent should you use for this type of connection requirement?

A. Junos Pulse should be configured with location awareness rules configured.B. Odyssey Access Client should be installed with Host Checker configured to check the client's location.C. Junos Pulse should be configured with all components installed.D. Agentless access should be enabled so that clients can connect to any service without concern for

installing an agent.



QUESTION 29You have created a Host Checker policy that contains multiple rules. You want to inform end users whichrule specifically has failed.

In the admin GUI, which configuration setting would you enable?

A. Enable Custom InstructionsB. Pre-auth notificationC. Remediation messageD. Send reason strings



QUESTION 30Your IT director has decided to allow employees to use their laptops at home as well as in the office. Youhave deployed the Junos Pulse client to allow access to the office's 802.1X-enabled wired network. Yourcompany also has the Junos Pulse Secure Access Service deployed. You want the Junos Pulse client toautomatically launch the appropriate access method depending on each user's location.

Which three are supported to determine the user's location? (Choose three.)

A. MAC addressB. DNS serverC. DHCP serverD. resolve addressE. endpoint address

Correct Answer: BDESection: (none)Explanation


QUESTION 31Which two considerations must you take into account when deploying a Junos Pulse Access ControlService cluster? (Choose two.)

A. State synchronization occurs only through the internal network interface card (NIC)B. Latency of the WAN must be less than 300 ms.C. Authenticating endpoints must be on the same LAN segment.D. Cluster members must use the same hardware platform.



QUESTION 32When configuring a single SRX210 as a firewall enforcer to a MAG4610 active/passive cluster, whichstatement supports a fault-tolerant configuration?

A. The cluster VIP is defined on the MAG4610 cluster, and the VIP of the cluster is defined as an instanceon the SRX Series device.

B. The cluster VIP is not defined on the MAG4610 cluster, and the IP address of both the active andpassive nodes of the cluster are defined as separate instances on the SRX Series device.

C. The cluster VIP is defined on the MAG4610 cluster, and the IP address of the active node is defined asan instance on the SRX Series device.

D. The cluster VIP is not defined on the MAG4610 cluster, and the IP address of the passive node isdefined as an instance on the SRX Series device.



QUESTION 33Using an LDAP authentication server, what do you configure to validate certificate attributes?

A. Use the "is exactly" or "contains" operators.B. Create a user filter matching the DN of the certificate.C. Verify that the certificate is issued by a publicly trusted CA.D. Match the certificate type and value with an attribute from the LDAP server.



QUESTION 34What are two steps to configure user authentication for a Junos Pulse Access Control Service? (Choosetwo.)

A. Configure an authentication policy as part of the user role definitions.B. Configure a Sign-in Policy.C. Configure authentication agents as part of the user role definitions.D. Configure an authentication policy as part of the authentication realm definition.



QUESTION 35Which parameter do you use to enable Junos Pulse Access Control Service enforcement on a policy on aScreenOS platform?

A. uac-policyB. ic-policyC. inyranet-authD. uac-auth



QUESTION 36You are configuring an SRX210 as a firewall enforcer that will tunnel IPsec traffic from several Junos Pulseusers. Which two parameters must you configure on the SRX210? (Choose two.)

A. access profileB. IKE parametersC. tunneled interfaceD. redirect policy

Correct Answer: ABSection: (none)

Explanation


QUESTION 37Which Junos Pulse feature allows the user to log in once through a Junos Pulse Secure Access Service onthe network and then access resources protected by a Junos Pulse Access Control Service withoutreauthentication?

A. Roaming SessionB. Session MigrationC. Location AwarenessD. Persistent Session



QUESTION 38You are the administrator of a Junos Pulse Access Control Service implementation. You must restrictauthenticated users connected from the branch offices to a few specific resources within the data center.However, when the authenticated users are connected at the corporate office, they are allowed moreaccess to the data center resources. You have created two roles with different levels of access and aretrying to determine the best way of controlling when a user is mapped to a specific role. Having the userprompted to manually select their role is possible, but you want to automate the process.

Which configuration solves this problem?

A. Implement a RADIUS request attribute policy to assist with realm selection and create different role-mapping rules for the user in each realm.

B. Implement a directory/attribute server on the realm and set up this server to determine by groupmembership the proper role to which a user should be mapped.

C. Reorder the role-mapping rules to allow for the more open role to be mapped first and then enable the"stop processing rules when this rule matches" function on this role.

D. Implement a Host Checker policy on the realm that determines the geographic location of the deviceand restricts the user based on the results of the policy.



QUESTION 39An authentication realm consists of which three authentication resources? (Choose three.)

A. Authentication serverB. Session optionsC. Authentication policyD. End-point security policyE. Role-mapping rules

Correct Answer: ACESection: (none)Explanation


QUESTION 40Your security policy requires that users authenticating to the Junos Pulse Access Control Service areconnecting from a domain member endpoint on the internal corporate network.

Which set of role access restrictions must you configure to enforce this security policy?

A. Source IP and browserB. Source IP and certificateC. Certificate and Host CheckerD. Host Checker and source IP


Explanation/Reference:


Documents

JUNIPER JN0-314 EXAM QUESTIONS & ANSWERS€¦ · 02/06/2014 · B. A certificate authentication policy that only allows users with a client-side certificate signed by a trusted client