You are on page 1of 36

Juniper JN0-141

JN0-141 Juniper Networks Certified Internet Associate,


AC (JNCIA-AC)
Practice Test
Version 1.3
Juniper JN0-141: Practice Exam
QUESTION NO: 1

What are two ScreeuOS commands son can run on the overlay enforcer to troubleshoot
communication with the Infranet Controller? (Choose two.)

A. get event
B. get controller status
C. get auth table infranet
D. execinfranet controller connect

Answer: A,D

QUESTION NO: 2

Your company requires that users who authenticate using the Web run an approved Web browser
and have current antivirus signatures to present their credentials for authentication. If they do not
have current signatures or are running an unauthorized browser; they cannot authenticate. What
do yon configure on the Infranet Controller to implement your company's authentication policy?

A. abrowser restriction on the users role and a Host Checker restriction on the users role
B. abrowser restriction on the users realm and a Host Checker restriction on the users role
C. abrowser restriction on the user's role and a Host Checker restriction on the user's realm
D. abrowser restriction on the users realm and a Host Checker restriction on the user's realm

Answer: D

QUESTION NO: 3

Yon have created a Host Enforcer policy and want to verify that it has been applied In which
two places would yon look to determine if the policy is being enforced? (Choose two.)

A. client browser
B. overlay enforcer
C. Infranet Controller
D. Odyssey Access Client

Answer: C,D

QUESTION NO: 4

Which two options must be defined to enable the Infranet Controller to respond to RADINS
requests from an 802.1X-compliant network access device? (Choose two.)

A Composite Solution With Just One Click - Certification Guaranteed 2


Juniper JN0-141: Practice Exam
A. a sign-in policy
B. a shared secret
C. the IP address of the network access device
D. the proper vendor-specific attributes for the network access device

Answer: B,C

QUESTION NO: 5

if Host Checker restrictions are applied at the role level and the Allow access to the role if any
ONE of the select policies is passed option is selected, which statement is true?

A. Host Checker must be set toRequire and enforce.


B. The role will not be removed if the Host Checker stale changes.
C. The endpoint will be assigned the role as long as one policy passes.
D. The endpoint will be assigned the role as long as one rule in the policy passes.

Answer: C

QUESTION NO: 6

Which log contains information about service restarts, system errors, warbubgs. and
requests to check server connectivity?

A. Events log
B. System log
C. User Access log
D. Admin Access log

Answer: A

QUESTION NO: 7

What are three functions of the infranet Controller? (Choose three.)

A. Verifiescompliance with policies. B.Actsasa802.1 Xenforcer if needed.


C. Assignsroles and resources to users.
D. EnforcesLayer 3 policies dynamically.
E. Maintains communication with client during session.

Answer: A

A Composite Solution With Just One Click - Certification Guaranteed 3


Juniper JN0-141: Practice Exam

QUESTION NO: 8

What are the three main components of Juniper Networks Unified Access Control
(UAC) solution? (Choose three.)

A. Infra net Controller


B. endpoint agent software
C. RADINS accounting server
D. distributed policy enforcement points
E. intrusion detection and prevention device

Answer: A,B,D

QUESTION NO: 9

Which statement is true about the operation of the overlay enforcer?

A. It assigns users a set of roles.


B. It enforces resource access policies.
C. It verifies whether anendponbtneets security Requirements.
D. It configures the UAC agent to allow or deny access to resources.

Answer: B

QUESTION NO: 10

What is the function of the Host Checker?

A. Runson the Infranet Controller and ensures reach ability agents.


B. Communication with the overlay enforcer and restricts access to resources
C. Communicates with theinfranet Controller and checksendpoint security compliance
D. Runson the endpoint and checks for healthy communication with the overlay enforcer and the
infranet Controller.

Answer: C

QUESTION NO: 11

Which statement is accurate about the integrated Odyssey Access Client agent?

A Composite Solution With Just One Click - Certification Guaranteed 4


Juniper JN0-141: Practice Exam
A. The agent is installed by the Layer 2 enforcer.
B. The agent is installed by the overlay enforcer.
C. The agent is installed by theInfranet Controller.
D. The agent communicates with the overlay enforcer inagentless mode.

Answer: C

QUESTION NO: 12

When is it necessary to use the Odyssey Access Ghent?

A. to perform overlay enforcement


B. to enable 802.1Xsupport on the endpoint
C. to communicate with theinfranet Controller
D. tobinldan IPsec tunnel between endpoint and enforcer

Answer: D

QUESTION NO: 13

Of the network access issues listed below, which two are addressed by the UAC solution?
(Choose two.)

A. Prevent a host from being infected by a virus


B. Allow contractors to gain access to some, but not all network resources.
C. Prevent an authorized user from launching a denial of service attack on company resources.
D. Allow visitors to a branch office to gain intranet access without compromising network security
policies.

Answer: B,D

QUESTION NO: 14

What kind of security does the UAC solution provide?

A. endpoint security
B. perirneter security
C. network security on a per-device basis
D. network security on a per-network basis

Answer: C

A Composite Solution With Just One Click - Certification Guaranteed 5


Juniper JN0-141: Practice Exam

QUESTION NO: 15

Which deployment option is used to protect data center resources from unauthorized
users and noncompliant endpoints?

A. WAN Gateway
B. Campus Wired
C. ServerFrout End
D. DistributedEnterprise

Answer: C

QUESTION NO: 16

Which two deployment options are used to check a users compliance before allowing
access to the local LAN? (Choose two.)

A. Campus Wired
B. ServerFrout End
C. Campus Wireless
D. DistributedEnterprise

Answer: A,C

QUESTION NO: 17

Which three configuration elements are Required during the initial configuration of the
infranet Controller? (Choose three.)

A. gateway
B. hostname
C. license agreement
D. CA-signed certificate
E. self-signed certificate

Answer: A,C,E

QUESTION NO: 18

A Composite Solution With Just One Click - Certification Guaranteed 6


Juniper JN0-141: Practice Exam
What are three steps in the initial console configuration of the infranet Controller? (Choose
three.)

A. Install license
B. Configure interface.
C. Complete initial boot.
D. Create user accounts
E. Create self-signed certificate.

Answer: B,C,E

QUESTION NO: 19

Which configuration option can be set either in the initial console menu or the Admin IN of
the Intranet Controller?

A. VLAN ID
B. Hostname
C. Domain name
D. administrative timeout

Answer: C

QUESTION NO: 20

What information is Required to generate an infranet Controller license? (Choose two.)

A. hostname
B. IP address
C. hardware ID
D. authorization code

Answer: C,D

QUESTION NO: 21

Which two actions are Required to configure an overlay enforcer to communicate with an infranet
Controller? (Choose two.)

A. Enable SSH.
B. Configure DNS.

A Composite Solution With Just One Click - Certification Guaranteed 7


Juniper JN0-141: Practice Exam
C. Enable route mode.
D. Set certificate validation options.

Answer: A,B,C,D

Explanation:
QIESTION NO: 22
What Information is Required to add an infranet Controller instance Joan overlay enforcer?
(Choose two.)
A. gateway
B. selected CA
C. source interface
D. Infra net Controller admin credentials

QUESTION NO: 22

Lithe infranet Controller admin IN. how can yon verify communication with the overlay
enforcer

A. PIng the overlay enforcer.


B. SSH to the overlay enforcer.
C. Check the enforcer icon in the System Status window.
D. Click the Check Connection button on the Overlay Enforcer Connection page.

Answer: C

QUESTION NO: 23

What are two elements of Juniper Networks Access Management Framework? (Choose two.)

A. user account
B. sign-in policy
C. role access policy
D. authentication realm

Answer: B,D

QUESTION NO: 24

What is an element of the access management framework?

A Composite Solution With Just One Click - Certification Guaranteed 8


Juniper JN0-141: Practice Exam
A. user interface
B. role restriction
C. networkcoutrol
D. resource allocation

Answer: B

QUESTION NO: 25

What is the correct order of the infranet Controller connection process?

A. user authentication > IC authorization > role mapping > policyevaInation


B. user authentication > role mapping > policyevaInation > IC authorization
C. user authentication > IC authorization > policyevaInation > role mapping
D. IC authorization > user authentication > role mapping > policyevaInation

Answer: A

QUESTION NO: 26

Which two elements of the access management framework can be used to ensure an
endpoint meets security Requirements? (Choose two.)

A. role restriction
B. authentication realm
C. network access policy
D. resource access policy

Answer: A,B

QUESTION NO: 27

Which settings determine the logo presented to a clientless user after authentication?

A. IN options
B. sign-in policy
C. session options
D. agentless options

Answer: A

A Composite Solution With Just One Click - Certification Guaranteed 9


Juniper JN0-141: Practice Exam
QUESTION NO: 28

Which three settings can yon configure under user session options? (Choose three.)

A. Set idle tune outvaIne.


B. Enable time out reminder
C. Set a session length vaIne.
D. Select roaming session options.
E. Configure persistent session option.

Answer: C,D,E

QUESTION NO: 29

Which additional, I configuration must be completed when setting up role restrictions using
certificates?

A. Set up a certificate authentication server


B. Configure the authentication realm to remember certificate information.
C. Configure the authentication realm to use a certificate server for authentication.
D. Configure a role mapping rule recurring certification information to map user to role.

Answer: B

QUESTION NO: 30

Which three options are valid role restrictions? (Choose three.)

A. group
B. browser
C. certificate
D. password
E. source IP

Answer: B,C,E

QUESTION NO: 31

A customer wants to allow agentless access for certain roles. Which navigation path should be
used to set this option?

A. Users > Users Roles > [RoleNarne] > Agentless

A Composite Solution With Just One Click - Certification Guaranteed 10


Juniper JN0-141: Practice Exam
B. Users > Users Roles > [RoleNarne] > Agent Options
C. Users > Users Roles > [RoleNarne] > General > IN Options
D. Users > Users Roles > [RoleNarne] > General > Session Options

Answer: A

QUESTION NO: 32

When using agent-based access, what are two agent settings yon can configure on a
user role? (Choose two.)

A. set frequency
B. enable Host Enforcer
C. specify session scripts
D. specify delivery method

Answer: B,C

QUESTION NO: 33

Which action is optional when addingan authentication realm for use onan infranet
Controller?

A. Modify sign-in policy.


B. Configure role mapping
C. Assign authentication server.
D. Configure authentication policy.

Answer: D

QUESTION NO: 34

Yon have configured the PEAP-based 802.1X authentication protocol set shown below.
EAP-MS-CHAP-V2
EAP-JUAC
EAP-SOH
EAP-Geueric Token Card
Which protocol will be offered first?

A. EAP-SOH
B. EAP-JUAC

A Composite Solution With Just One Click - Certification Guaranteed 11


Juniper JN0-141: Practice Exam
C. EAP-MS-CHAP-V2
D. EAP-Generic Token Card

Answer: A

QUESTION NO: 35

Yon have configured Coordinated Threat Control, for which three actions can yon configure the
infranet Controller if it receives a message from the IDP sensor? (Choose three )

A. Terminate the user session.


B. Place the user's account into quarantine.
C. Replace the user's roles with another role.
D. Close the port on the802.1X-complaint access switch.
E. Remove the authentication table entry from the overlay enforcers.

Answer: A,B,C

QUESTION NO: 36

When configuring Coordinated Threat Control, which configuration element differs


between a stand-alone IDP sensor and an IDP sensor integrated into an ISG?

A. Yon must place the integrated sensor into a location group


B. Yon must specify the serial number of the stand-alone sensor.
C. Yon must specify specific IDP messages to match on an integrated sensor
D. Yon must specify a range of monitored IP addresses for a stand-alone sensor.

Answer: D

QUESTION NO: 37

What are three settings yon can configure in a realm? (Choose three.)

A. IPsec routing policy


B. authentication policy
C. RADINS attribute policy
D. dynamic policyevaInation
E. Host checker access restriction

Answer: B,D,E

A Composite Solution With Just One Click - Certification Guaranteed 12


Juniper JN0-141: Practice Exam

QUESTION NO: 38

A user is authenticating to the infranet Controller with username "fin-jdoe" in a realm with "Merge
settings for all assigned roles" selected. Which two role mapping rulesets will result in that user
being eligible for both the Employee and Finance roles? (Choose two.)

A. username="*"->employeeStop usemame="fin-*"-> Finance


B. username=fin-*" -> Finance username="*"->EmployeeStop
C. username="*"-> Employeeuseruanie="fin-*"-> FinanceStop
D. username="fin-*"->FInanceStop username="*"-> Employee

Answer: B,C

QUESTION NO: 39

A user is authenticating to the infranet Controller with username "fin-jdoe" in a realm


with "Merge settings for all assigned roles" selected. The rule mapping rules are as follows
username="*"-> EmployeeStop
useruaine="fin-*"-> FinanceStop
What will be the resulting role(s) assigned to this user?

A. User will be assigned the Finance role only.


B. User will be assigned the Employee role only.
C. User will be assigned both the Employeeroleand Finance role.
D. User will be presented with the option of selecting either the Employee role or Finance role.

Answer: B

QUESTION NO: 40

A user is authenticating to the infranet Controller with username "fin-jdoe" in a realm with
"User must select from among assigned roles" selected. The rule mapping rules are as
follows
username="*"-> Employee
username="fin-*"-> FinanceStop
What will be the resulting role(s) assigned to this user?

A. User will be assigned the Finance role only.


B. User will be assigned the Employee role only.
C. User will be assigned both the Employee role and Finance role.

A Composite Solution With Just One Click - Certification Guaranteed 13


Juniper JN0-141: Practice Exam
D. User will be presented with the option of selecting a role from a list

Answer: D

QUESTION NO: 41

What are two reasons for using arealm-level Host Checker restriction? (Choose two.)

A. To assign a user to a role based on whether the user's antivirus is running.


B. To Require an acceptable level of browser encryption before a user logs in.
C. To prevent a user from entering the user's credentials if a keystroke logger is present
D. To prevent a user from accessing resources if the user's endpoint is not running the authorized
OS.

Answer: B,C

QUESTION NO: 42

Which three authentication servers does the Infranet Controller support? (Choose three.)

A. RADINS
B. SiteFinder
C. Certificate
D. TACACS+
E. Active Directory

Answer: A,C,E

QUESTION NO: 43

Which three elements are configured as part of au authentication realm? (Choose three.)

A. directory server
B. role restrictions
C. role mapping rules
D. authentication server
E. authentication protocol set

Answer: A,B,D

A Composite Solution With Just One Click - Certification Guaranteed 14


Juniper JN0-141: Practice Exam
QUESTION NO: 44

Which three are Required when defining sign-in policies? (Choose three.)

A. sign-in URL
B. sign-in page
C. authorization server
D. authentication server
E. authentication realm

Answer: A,B,E

QUESTION NO: 45

What is the function of the sign-in policy?

A. It controls whether a user can signin, based on role membership.


B. It controls which options ate available onThe login screen, based on the user's permissions.
C. It controls who can accessThe login page, based on IP address. Host Checker, and other
criteria.
D. it defines the URLs and corresponding sign-in pages that users and administrators can use to
access the Infranet Controller.

Answer: D

QUESTION NO: 46

Yon have configured two sign-in policies as follows


1. The first policy uses the */users URL and maps to a default sign-in page.
2. The second policy uses The company.com/users URL and maps to a custom sign-in page.
What happens when a user accesses the Infranet Controller by browsing to the
company..com/users page?

A. The user will be presented with the default sign-in page.


B. The user will be presented with the custom sign-in page
C. The user will be presented with the error "Page not found."
D. The user will be given the option lo select the preferred page

Answer: A

QUESTION NO: 47

A Composite Solution With Just One Click - Certification Guaranteed 15


Juniper JN0-141: Practice Exam
Yon have configured multiple sign-in policies as follows:
1. The first policy uses the ^engineering/ URL and maps to a default engineering page.
2. The second policy uses the ^engineering/software URL and maps to a custom software
engineering page.
Wliathappensw'heuauseraccessestheinfranetControllerbybrow'singlonie
company.com/engineering/software page?

A. The user will be presented withThe error "Page not found."


B. The user will be presented with the default engineering page
C. The user will be given the option to selectThe preferred page
D. The user will be presented with die custom software engineering page.

Answer: D

QUESTION NO: 48

What are two policies used on a ScreeuOS overlay enforcer? (Choose two.)

A. IPsec policy
B. source IP policy
C. resource access policy
D. auth table mapping policy

Answer: A,B

QUESTION NO: 49

What are Two policies used on a Infranet Controller device? (Choose Two.)

A. source IP policy
B. IPsec routing policy
C. role restriction policy
D. resource access policy

Answer: B,D

QUESTION NO: 50

At which point in the enforcement process does The enforcer know the destination address and
services that are to be protected by au infranet-auth policy?

A Composite Solution With Just One Click - Certification Guaranteed 16


Juniper JN0-141: Practice Exam
A. as lire source IP policy is configured on die enforcer
B. as the end user authenticates to theInfranet Controller
C. as resource policies are configured ondie Infranet Controller
D. as the Infranet Controller completes The role mapping process and sends an auth table entry lo
The enforcer

Answer: C

QUESTION NO: 51

At which point in The enforcement process does The enforcer leant the endpoint source address
to be used in enforcing the access restrictions of au urirauel-aulli policy? (Assume that The
enforcer is running ScreeuOS 6.1 orlaler.)

A. as lire source IP policy is configured on die enforcer


B. as the end user authenticates to theInfranet Controller
C. as resource policies are configured ondie Infranet Controller
D. as the Infranet Controller completes the role mapping process and seuds au auth table entry lo
The enforcer

Answer: D

QUESTION NO: 52

What is true about the enforcers auth table? (Assume the enforcer is running ScreeuOS 6.1 or
later.)

A. Only contains entries for users dial have been authenticated.


B. Only contains entries for users actively accessing resources.
C. Only contains entries for users dial have been mapped to roles.
D. Only contains entries for users dial are defined inThe local user database

Answer: B

QUESTION NO: 53

At which point in the enforcement process does die enforcer allow au endpoint lo access a
protected resource?

A. immediately upon attempting to access the protected resource


B. when a matching entry for the enforcer is found in theaulh table

A Composite Solution With Just One Click - Certification Guaranteed 17


Juniper JN0-141: Practice Exam
C. immediately after the end user authenticates to the Infranet Controller
D. after dieInfranet Controller provides endpoint information for die auth table

Answer: D

QUESTION NO: 54

When the Infranet Enforcer is set up in transparent mode, which additional resource
policy must be configured to use OAC for IPsec enforcement?

A. IPsec ronling
B. access control
C. IP address pool
D. source interface

Answer: D

QUESTION NO: 55

in addition to an IPsec routing policy, which resource policy must be configured in order to support
NAT devices between die endpoint and enforcer?

A. Host Enforcer
B. access control
C. IP address pool
D. auth table mapping

Answer: C

QUESTION NO: 56

When the Host Enforcer option is enabled, all traffic is denied by default except for which
two? (Choose two.)

A. NTP
B. PING
C. DHCP
D. traceroute

Answer: B,C

A Composite Solution With Just One Click - Certification Guaranteed 18


Juniper JN0-141: Practice Exam
QUESTION NO: 57

On au Infranet Controller running 2.2 software, where are resource access policies configured?

A. UAC > Network Access > Resource Access


B. UAC >Infranet Enforcer > Resource Access
C. Policies> Network Access > Resource Access
D. Policies > Infranet Enforcer > Resource Access

Answer: B

QUESTION NO: 58

In a resource access policy, which three specific options for resources can be specified? (Choose
three.)

A. hostname
B. IP address
C. pc-ri number
D. network mask
E. IP application name (for example. HTTP)

Answer: B,C,D

QUESTION NO: 59

How is a user associated with a specific resource access policy?

A. The overlay enforcer maps a policy to a user based on the user's role.
B. The Infranet Controller maps a policy lo a user based on the users role.
C. The overlay enforcer maps a policy to a user based on the user's source IP address
D. The Infranet Controller maps a policy to a user based on the users source IP address

Answer: B

QUESTION NO: 60

Which Infranet Enforcer CLI command shows users that were authenicated using the
Infranet Controller?

A. get policy id #
B. gel aulh table

A Composite Solution With Just One Click - Certification Guaranteed 19


Juniper JN0-141: Practice Exam
C. gel adrnin auth table
D. set -uinfranet policy command "get all"

Answer: B

QUESTION NO: 61

Which method of user authentication is used by The Infranet Conholler for IPsec enforcement?

A. sunple password
B. IKE authentication
C. XAUTHautheulication
D. shared IKEaulhenticalion

Answer: C

QUESTION NO: 62

Which three policies are required on the Lifranet Controller when configuring IPsec in route mode
with NAT? (Choose three.)

A. IP pools
B. IPsec routing
C. source interface
D. resource access
E. auth table mapping

Answer: A,B,D

QUESTION NO: 63

Which three options are Required to configure a sonice IP enforcement policy on an overlay
enforcer? (Choose three.)

A. logging
B. sonice zone
C. permit action
D. address translation
E. destination address

Answer: B,C,E

A Composite Solution With Just One Click - Certification Guaranteed 20


Juniper JN0-141: Practice Exam

QUESTION NO: 64

On the overlay enforcer, which option must be configured on the Source IP enforcement policy?
(Choose two.)

A. authentication: auth server


B. authentication:iinranet-auth
C. redirectunautneuticaled traffic
D. position policy at the top of the policy list

Answer: B,D

QUESTION NO: 65

Which three devices are elements described in the 802. IX specification? (Choose three.)

A. supplicant
B. access point
C. aulheuticalor
D. endpoint client
E. authentication server

Answer: A,C,E

QUESTION NO: 66

Which two statenteuls about EAP protocols are true? (Choose two.)

A. EAP defines a framework for authentication exchanges


B. EAP defines anenciypted authentication method for 802. lXaccess.
C. EAP is au extension of the Point-to-Point Protocol (PPP) specification.
D. EAP specifiesThe use of RADINS between the authenticator and the authentication server.

Answer: A,C

QUESTION NO: 67

Which statement about outer authentication is true?

A Composite Solution With Just One Click - Certification Guaranteed 21


Juniper JN0-141: Practice Exam
A. Outer authentication is au encrypted exchange.
B. Outer authentication is required for all EAP protocols.
C. Outer authentication is initiated by the authentication server.
D. Outer authentication proves the identity of the authentication server toThe supplicant.

Answer: D

QUESTION NO: 68

Yon want to use Host Checker to validate devices counseling through au 802.1X-capable wireless
access point. Which two combinations of EAP protocols ate valid? (Choose two.)

A. EAP-TLS for the outer protocol; EAP-JUAC for the inner protocol
B. EAP-PEAP for the outer protocol EAP-SOH for the inner protocol
C. EAP-TTLS for the outer protocol: EAP-JUAC for theinuei protocol
D. EAP-PEAP for the outer protocol EAP-JUAC for the inner protocol

Answer: B,C

QUESTION NO: 69

Which RADINS server element is optional?

A. user list
B client list
C. veudor list
D. attribute dictionary

Answer: A

QUESTION NO: 70

Yon have decided lo use outer RADINS proxy for your 802. IX UAC implementation
Which statement is true?

A. Outer proxy allows for the use of any external authentication server.
B. Communication between The supplicant and the external authentication server is encrypted
end-lo-end.
C. The Infranet Controller adds the authenticator configuration attributes to the messages sent
from the external authenticator server to the authenticator
D. The Infranet Controller authenticates the end user, then relays the information lo the external
authentication server to retrieve The authenticator configuration attributes.
A Composite Solution With Just One Click - Certification Guaranteed 22
Juniper JN0-141: Practice Exam
Answer: B

QUESTION NO: 71

Which configuration element on the Infranet Controller allows yon to specify quality-of-service
(QoS) functions such as bandwidth restrictions foi users who ate assigned to a particular role?

A. authentication policy
B. role session options
C. network access policy
D. resource access policy

Answer: C

QUESTION NO: 72

What can be specified by a network access policy?

A. IPsec tunnel endpoint


B. port VLAN assignment
C. permitted IP destinations
D. pennitted MAC addresses

Answer: B

QUESTION NO: 73

What must be configured to enabled the Infranet Controller to respond to a EAP-over-


RADINS request from a network access device?

A. sign-in policy
B. RADINS client
C. location group
D. network access policy

Answer: B

QUESTION NO: 74

Which configuration element determines the authentication protocol set used for EAP
Decollations in an 802.IX configuration?

A Composite Solution With Just One Click - Certification Guaranteed 23


Juniper JN0-141: Practice Exam
A. the sign-in policy
B. the location group
C. the authentication realm
D. die network access policy

Answer: A

QUESTION NO: 75

What must yon do to ensure that the correct RADINS attributes for your 802.IX-
compliant access device are available to the Infranet Controller?

A. Add the attributes to die server catalog.


B. Add the device lo The RADINS client list.
C. Load the vendor dictionary for your device.
D. Create a location group for each device type.

Answer: C

QUESTION NO: 76

Yon want to use the Infranet Controller to assign VLANs to ports on your 802. IX-
complaint access device. What must be configure on the access device?

A. VLAN ID numbers
B. RSTP on the ports
C. blinking on the ports
D. RADINS attributes for VLANs

Answer: A

QUESTION NO: 77

Yon want lo use the Infranet Controller to assign access filters to ports on yoni 802.IX-
compliant access device. What must be configured on die access device?

A. access filters
B. RSTP on the ports
C. RADINS attributes for filters
D. MAC addresses on the ports

A Composite Solution With Just One Click - Certification Guaranteed 24


Juniper JN0-141: Practice Exam
Answer: A

QUESTION NO: 78

What is The primary purpose of creating a location group?

A. to associate more than one realm with au authentication server


B. to logically group network access devices and associate them with specific sign-in policies
C. to allow or prevent users from accessing resources in specific locations on die network
D. to define the URL that users of network access devices can use lo access dieInfranet Controller

Answer: B

QUESTION NO: 79

What must be specified when configuring a location group?

A. a sign-in policy
B. au authentication realm
C. the authentication protocol set
D. the IP addresses of all RADINS clients in the location group

Answer: A

QUESTION NO: 80

Which three statement are true about Host Checker? (Choose Three.)

A. Host Checker can collect information for use with MAC authentication
B. Host Checker can modifyarole assignment immediately if a policy fads
C. Host Checker can be invoked before a user is allowed to sign in lo theInfranet Controller.
D. The Host Checker Integrity Measurement Verifier (IMV) works only with Odyssey Access Client
E. The Host Clieckei Integrity Measurement Collector (IMC) can ruu on Windows, Mac, and Linux
systems.

Answer: B,C,E

QUESTION NO: 81

Which two automatic remediation options can the Infranet Controller perform? (Choose two)
A Redirect an endpoint lo a PaicliLink server.

A Composite Solution With Just One Click - Certification Guaranteed 25


Juniper JN0-141: Practice Exam
A. Delete a file matched by* a HostChecket rule.
B. Kill a process matched by a Host Checker rule.
C. Redirect an endpoint to aShavlik patch disinbution server.

Answer: B,C

QUESTION NO: 82

What happens when Host Checker is configured to perform checks every "0" manures?

A. Host Checker is disabled.


B. Host Checker performance continues checks.
C. Host Checker performance check only when The user must logs in.
D. Host Checker performance check when the user attempts to access a resource.

Answer: C

QUESTION NO: 83

How would yon configure Host Checker lo perform checks only when die user first logs in?

A. Check the Perform check at login box.


B. Change the Perform check every* value to 0.
C. Change the Performcheck every value to -1.
D. Delete the Perform in the Performcheck every box.

Answer: B

QUESTION NO: 84

Which statement regarding Host Checker policies is true?

A. Yon cannot use predefined rules fat Mac and Linux platforms
B. Yon cannot combine rules for multiple platforms in a single policy.
C. Ah rules in the Host Checker policy must pass for the policy lo pass.
D. Yon cannot use predefined rules raid custom rules in a single policy.

Answer: A

QUESTION NO: 85

A Composite Solution With Just One Click - Certification Guaranteed 26


Juniper JN0-141: Practice Exam
Which statement about Host Checker policies is true?

A. Yon cannotmi& predefined and custom rules in a single policy.


B. Yon can seta policy to slop processing if one of the rules matches.
C. Policy rules are processed in the cider displayed in the configuration
D. Yon can use Boolean equations to create a custom set of rule Requirements.

Answer: D

QUESTION NO: 86

What must yon enable at die realm level to enforce Host Checker policies only at The role
level?

A. Configure noting at the realm level.


B. Select evaluate; select Require and Enforce.
C. Select evaluate; do not selectRequire and Enforce
D. Do not select evaluate: selectRequire and Enforce.

Answer: C

QUESTION NO: 87

Which two statements are true about applying Host Checker at the role level?(Choose two.)

A. The Infranet Controller can reassign roles immediately if a Host Checker policy result changes
B. The Infranet Controller concatenates all Host Checker policies for all roles, the evaluates the
policies.
C. By default, au endpoint must pass all Hosl Checker policies associated with a role to be
assigned The role.
D. Host Checket ruus after the Infranet Controller has determined the fist of possible roles based
on role mapping rules

Answer: A,C

QUESTION NO: 88

If Host Checker restrictions are applied at the role level and the Allow access to the role if any
ONE of the select policies is passed option is not selected, whichtwo statements are true?
(Choose two.)

A Composite Solution With Just One Click - Certification Guaranteed 27


Juniper JN0-141: Practice Exam
A. Each role isevaluate separately.
B. The endpoint must pass all policies to accessThe role.
C. Host Checker must be set loRequire and enforce.
D. The endpoint must pass all rulesra die policy to access the role.

Answer: A,B

QUESTION NO: 89

What must be updated regularly to detect the newest versions of personal firewalls on endpoints?

A. Infranet Controller service package


B. Host Security* Assessment Plug-in (HSAP)
C. Endpoint Security Assessment Plug-in (ESAP)
D. Host Checker Integrity Measurement Collector (IMC)

Answer: C

QUESTION NO: 90

Which element is updated by The Endpoint Security Assessment Phig-In (ESAP)?

A. Statement of Health rule options


B. virus signature version monitoring
C. patchmanagement info monitoring
D. predefined antivirus integrity checks

Answer: D

QUESTION NO: 91

What makes RADINS unique from other authentication servers used by the infranet
Controller?

A. It can be used to obtain user attribute information


B. ft can be used to obtain group attribute information.
C. It can be used to do both authentication and accounting.
D. It can be used as botha authorization server and authentication server.

Answer: C

A Composite Solution With Just One Click - Certification Guaranteed 28


Juniper JN0-141: Practice Exam
QUESTION NO: 92

When configuring a RADINS server as an authentication server, w*hat inforination is


optional?

A. name
B. NAS-identifier
C. shared secret
D. authentication port

Answer: B

QUESTION NO: 93

if yon include the domain administrator name and password when defining au ADs-iT
authentication server, what does this allow yon lo do?

A. Allows the user to change their password on the AD/NT authentication server.
B. Allows theinfranet Controller to change its password on die AD.2JT authentication server.
C. Allows the user lo query The AD/NT authentication for user infuriation for role mapping
purposes.
D. Allows the Infranet Controller lo query the ADT4T authentication server for group information for
role mapping purposes.

Answer: D

QUESTION NO: 94

Which three configured options are validated when The Test Configuration button is clicked during
the configuration of AD.2JT Authentication Server? (Choose three.)

A. whether the computer name is valid


B. whether the authentication protocol works
C. whether the admin name and password are valid
D. whether the configured domain exists on the server
E. whether the domain controller is a valid AD controller

Answer: B,D,E

QUESTION NO: 95

A Composite Solution With Just One Click - Certification Guaranteed 29


Juniper JN0-141: Practice Exam
The Base DN. Fillet, Member Attribute, Query Attribute, and Nested Group Level are
aspects of which authentication server?

A. NTS
B. LDAP
C. RADINS
D. Active Directory/Windows NT

Answer: B

QUESTION NO: 96

For which type of authentication server are yon able to configure two backup servers?

A. NTS
B. LDAP
C. RADINS
D. Active Directory/Windows NT

Answer: B

QUESTION NO: 97

Your authentication realm is configured to use au Active Directory server for


authentication and au LDAP server for directory/attribute information. Which statement is
true?

A. Dynamic policy evaluation cannot be used on this realm.


B. When yoni LDAP server is down son cannot authenticate users.
C. Users can be mapped to roles based on their AD group membership
D. Users can be assigned resource policies based on their LDAP attributes

Answer: D

QUESTION NO: 98

Which two authentication and directory (authorization) combinations are possible at the
realm level? (Choose two.)

A. Authentication: Active DirectoryDirectory (authorization) :LDAP


B. Authentication: Active DirectoryDirectory (authorization):ACE

A Composite Solution With Just One Click - Certification Guaranteed 30


Juniper JN0-141: Practice Exam
C. Authentication:RADrUS Dueclory(aulhorization): Active Directory
D. Authentication: AnonymousDirectory(authorization):LDAP

Answer: A,C

QUESTION NO: 99

100. Yon ate using LDAP as an authentication and directory/attributeserver. Yon waut to use
group membership to assign roles, but when yon attempt to create a role-mapping rule, the groups
defined on the server are not visible in the Available Groups list What do yon need to do next?

A. Opendie server catalog and populate the group fist.


B. Verify that yoni LDAP server is reachable from theInfranet Controller.
C. Do nothing. LDAP can only be used for user attribute-based role assignment
D. Click Update after selecting Group membership from the drop-down menu.

Answer: A

QUESTION NO: 100

Your company has a mix of employees and contractors. Yon need to give employees access to all
resources and give contractors access to a limited set of resources. Employee and contractor
roles have been created with The appropriate access privileges, and die realm is set to merge
settings for all assigned roles. Winch role mapping rule set would result in the correct access
privileges being assigned?

A. group=employee-> Employee-role group=*-> Coutractor-roleStop


B. group=*-> Contractor-role group=entplo\ee-> employee-roleStop
C. group=*-> employee-roleStop group=contractor-> Contractor-role
D. group=contactor-> Contractor-role group=employee-> Employee-role

Answer: D

QUESTION NO: 101

When Clearing role mapping rules, which Two Rule based on: options allow yon lo automatically
retrieve and populate a list of evadable server catalog attributes from LDAP? (Choose two.)

A. certificate
B. user attribute
C. group membership

A Composite Solution With Just One Click - Certification Guaranteed 31


Juniper JN0-141: Practice Exam
D. custom expression

Answer: B,C

QUESTION NO: 102

When yon initiate an upgrade of the Infranet Controller, what can yon delete lo reduce the
upgrade time?

A. system log
B. digital certificates
C. user configuration
D. system configuration

Answer: A

QUESTION NO: 103

What is a prerequisite when yon upgrade an Infranet Controller?

A. Yon must have installed the device-specific licenses.


B. Yon must have au active Juniper Networks support account.
C. Yon must have installed die CA-generatedinfranet Controller certificate.
D. Yon must have downloaded the service package lo die administrator workstation.

Answer: D

QUESTION NO: 104

Which Infranet Controller feature would help with making a large number of
changes to The configuration?

A. XML Import/Export
B. Configuration Export
C. Import/Export Users
D. Configuration > Tools

Answer: A

QUESTION NO: 105

A Composite Solution With Just One Click - Certification Guaranteed 32


Juniper JN0-141: Practice Exam
Which three logs are default log files for the Infranet Controller? (Choose three.)

A. Traffic logs
B. Event logs
C. System logs
D. User Access log
E. Aduuu Access log

Answer: B,D,E

QUESTION NO: 106

Which three statements about dynamic lag fillers are true? (Choose three.)

A. Dynamic log fillerscrieateria query statement.


B. Dynamic log filters can select any log field to filter.
C. Dynamic log filters haveanoption lo save the query*
D. Dynamic log filters redisplay the log when yon select a variable link.
E. Dynamic log filters changeThe data the Infranet Controller saves in the log

Answer: A,C,D

QUESTION NO: 107

Yon are creating a custom log filter. Which three statements are true? (Choose three.)

A. Yon must include a filter name.


B. Yon must create a custom format.
C. Yon can specify date range lo filter.
D. The filler can contain only a single query variable.
E. The filter can be applied to anyInfranet Controller log.

Answer: A,C,E

QUESTION NO: 108

Which Three tools would son use to troubleshoot component connectivity? (Choose three.)

A. policy trace
B. RADINS diagnostic log
C. overlay enforcer event log

A Composite Solution With Just One Click - Certification Guaranteed 33


Juniper JN0-141: Practice Exam
D. Infra net Controller eveul log
E. reach ability testing (for example, traceroute)

Answer: C,D,E

QUESTION NO: 109

Which three tools would yon use to troubleshoot user interaction problems? (Choose three.)

A. policy trace
B. RADINS diagnostic log
C. overlay enforcereveut log
D. Infranet Controller eveul log
E. reach ability testing (for example, traceroute)

Answer: A,B,D

QUESTION NO: 110

One of yoni users cannot access a protected resource. When son examine the output of
debug auth infranet on the overlay enforcer, yon see the following output
##2008-07-10 21:01:06 : notify drop: 10.4.2.5
4*0 2008-07-10 21:01:20 : updateJps_a_b: authjd 3. src_ip 10.4.2.5, user bob
##2008-07-10 21:01:20 : roles 1213902732.796213.0. role-names Employee, user
ctx,idle_timeout 0
##2008-07-10 21:01:20 : AUTHID: 1 NOT FOUND
Whatcanyondeducefionitnis output?

A. The end user has not authenticated to theInfranet Controller.


B. TheInfniae! Coutrollei has not relayed die resource access policy lo die enforcer.
C. The Infranet Controller has not relayed die user authentication data to the enforcer.
D. The end user has not been assigned the role associated withThe resource access policy
protecting the resource.

Answer: C

QUESTION NO: 111

Click the Exhibit button.

A Composite Solution With Just One Click - Certification Guaranteed 34


Juniper JN0-141: Practice Exam

You have run a policy trace for user "alice".


What can be determined from the pohcy trace output shown in the exhibit? (Choose two.)

A. User "alice" has passed authentication.


B. User "alice" has been mapped to three roles.
C. User "alice" is a member of two LDAP groups.
D. User "alice" is authenticating to an LDAP server.

Answer: A,C

QUESTION NO: 112

You are configurmg an Intranet Controller cInster. Which situation requires you to use a virtual IP
address?

A. Endpornts use agentless access.


B. Endpornts use Odyssey Access Client.
C. The overlay enforcer is in an NSRPcInster.
D. The Intranet Controller cInster is an active/passive cInster.

Answer: A

QUESTION NO: 113

When configuring an Infranet Controller cInster, which task must be completed first?

A. Add the secondary devices to thecInster.


B. Install thecInster license on the primary device.
C. Install thecInster license on the secondary devices.
D. Define thecInster members on the primary device.

Answer: D

QUESTION NO: 114

A Composite Solution With Just One Click - Certification Guaranteed 35


Juniper JN0-141: Practice Exam
Your overlay enforcer is in transparent mode, and your endpoints need to establish IPsec
connections. In addition to the usual resource access and IPsec routing policies, what else must
you configure?

A. On the overlay enforcer, configure the zone to be used for incomingIPsec connections
B. On the overlay enforcer, configure the interface to be used for incomingIPsec connections.
C. On the Infranet Controller, configure a source interface policy to specify the interface used for
incoming IPsec connections.
D. Use the Infranet Controller to configure the generic IPsec pohcy for the overlay enforcer rather
than configuring it directly on the enforcer.

Answer: C

QUESTION NO: 115

Your overlay enforcers are running NSRP. What must you configure on the Infranet Controller to
support this protocol?

A. EnablecInstering on the Infranet Controller.


B. Add each member of the NSRPcInster as a separate enforcer.
C. Add the VSI address of the NSRPcInster to the enforcer configuration.
D. Add the serial numbers of all NSRPcInster members to a single enforcer instance.

Answer: D

QUESTION NO: 116

Which two statements about support for the Microsoft Network Access Protection (NAP)
client are true? (Choose two.)

A. Support includes Layer 2 and overlay enforcement.


B. Implementation requires the use of a Microsoft Network Policy Server.
C. The NAP agent is responsible for enforcing quarantine if the endpoint does not pass the Host
Checker policy.
D. IC-embedded Statement of Health Host Checker policies use endpoint scan results reported by
the Windows Security Center.

Answer: C,D

A Composite Solution With Just One Click - Certification Guaranteed 36