Free and Premium Fortinet FCSS_LED_AR-7.6 Dumps Questions Answers

From the exhibits:

Interface“APs”is a VLAN sub-interface onfortilinkwith IP10.10.100.254/24and a DHCP server scope 10.10.100.1–10.10.100.253.

This VLAN is assigned toport1on the managed FortiSwitch for FortiAPs.

The interface config showsonly allowaccess ping—Security Fabric Connection is not enabled.

In LAN Edge designs, FortiAPs connected through FortiSwitch are discovered and managed asLAN edge devices of the Security Fabric. FortiOS documentation states that FortiAPs and FortiSwitches appear in the Fabric topologyonly when connected on an interface with Security Fabric Connection enabled.

If the VLAN/AP management interface lacksSecurity Fabric Connection:

FortiGate does not treat that network as aFabric connection segment.

CAPWAP discovery from FortiAPs on that VLAN will not result in the AP being onboarded and shown for management.

Therefore the key misconfiguration is:

✔A – Security Fabric is disabled on the VLAN interface used for AP management.

Why the others are not the root cause:

B. Firmware incompatibility– would usually show as a “Managed (upgrade required)” or similar status after discovery, not complete non-detection. The scenario specifically points to a configuration issue, not firmware.

C. VLAN not tagged correctly on uplink– The FortiSwitch uplink to FortiGate is the FortiLink trunk, and the VLAN sub-interface APs is already bound to fortilink, so tagging on the uplink is correct by definition.

D. CAPWAP ports not open– CAPWAP (UDP 5246/5247) is terminated locally on FortiGate and does not depend on any firewall policy; these ports are open on the FortiGate itself by default.

From the exhibits:

FortiSwitch Ports viewshows:

port2

Mode: Static

Native VLAN: Students

Allowed VLANs: quarantine.fortilink (quarantine)

NAC policy “Training”:

Switch FortiLink: fortilink

Category:Device

Matching criteria:

MAC Address: 70:88:6b:8c:4b:0e (enabled)

Operating System:Linux(enabled)

Switch Controller Action:

Assign VLAN = Students

Bounce Port = enabled

Design intent:

Device with that MAC + OS Linux, when plugged intoport2, should be dynamically moved to VLANStudentsby the NAC policy.

Why it doesn’t work now

On FortiLink NAC,dynamic NAC decisions only apply on ports whose “Access Mode” is set to NAC:

NAC mode = FortiGate controls theonboarding VLAN, evaluates NAC policies, and then dynamically reassigns the switch port VLAN (access, quarantine, etc.).

Static mode(what we see on port2) means the port just uses its configurednative/allowed VLANs, andno NAC classificationhappens.

Right now:

port2 is astatic access portwith Native VLAN = Students.

The NAC policy exists, butFortiSwitch is not in NAC enforcement mode on that port, so the policy is never evaluated for traffic on port2.

Therefore, themissing configurationis:

Setport2toNAC mode(sometimes called “Access mode: NAC” or “NAC LAN edge port”).

Once port2 is changed to NAC mode:

Device initially lands in the onboarding/quarantine VLAN.

FortiGate collects device info (MAC, OS, etc.).

NAC policy “Training” matches MAC + Linux.

Switch controller actionAssign VLAN = Studentsis applied.

Port is bounced (if configured), bringing the device back up in VLAN Students.

Why the other options are wrong

B. MAC or OS misconfigured

Possible in general, but the question asks forwhich configuration is missing, and the exhibits clearly focus on port mode. Also, even with wrong MAC/OS, the port would still be in NAC mode; here NAC isn’t even active.

C. Port Policy mode

Port policy (edge/trunk) is separate from NAC; NAC requires the specificNAC access mode.

D. Students VLAN should be Allowed VLANs instead of Native VLAN

For an access port, having Students as thenative VLANis correct. NAC policy’s Assign VLAN will set that as access VLAN; no need to make it an allowed trunk VLAN.

From theWTP profile:

set handoff-rssi 30

set handoff-sta-thresh 30

config radio-1

set band 802.11n-2G

set vaps "Student01"

config radio-2

set band 802.11ac-5G

set darrp enable

set arrp-profile "arrp-default"

set vaps "Student01"

Key points:

Same SSID (Student01)is broadcast onboth APsand onboth bands(2.4 and 5 GHz).

handoff-sta-thresh 30 enablesclient load-balancingbetween APs:

When an AP radio hasmore than 30 associated clients, it starts rejecting new associations so that clients connect to a neighboring AP instead (as long as RSSI is still acceptable).

Current client counts:

AP1:32 clients on 5 GHz, 22 on 2.4 GHz

AP2:12 clients on 5 GHz, 20 on 2.4 GHz

So on 5 GHz:

AP1’s 5-GHz radioexceedsthe 30-client threshold (32 > 30) → it will try topush new clients away.

AP2’s 5-GHz radio iswell belowthe threshold (12 clients) and will happily accept new clients.

The new dual-band client is seen at:

–33 dBmby AP1

–43 dBmby AP2

Even though AP1 has the stronger signal, its 5-GHz radio is already overloaded according to the configured threshold, so AP1 will refuse association attempts from that client. The client will then associate toAP2’s 5-GHz radio, which:

Hasfewer clients(better airtime per device), and

Still has an acceptable signal (–43 dBm is easily usable on 5 GHz).

That matches optionCexactly.

Other options are incorrect because they ignore the configuredclient-load-balancing thresholdsand assume association based purely on RSSI or prefer 2.4 GHz, which is not what this profile is tuned to do.

Auto TX power control on FortiAP is an RF-optimization feature:

FortiGate (as wireless controller) continuously evaluatesRSSI of associated clientson each FortiAP radio.

The algorithm focuses on theweakest client(the one with the worst signal) and adjusts the AP’s transmit power so that this client’s signal level stays within a configured / target range.

This helps balance coverage and limit co-channel interference: APs don’t transmit at maximum power when clients are close, but will increase power when the weakest client signal drops too low.

Therefore the correct behavior description is:

✔C– AP power is adjusted based on the weakest associated client’s signal.

Why the others are wrong:

AandBtalk about matching nearby APs’ power or forcing everything to –70 dBm, which is not how FortiAP auto TX works.

Dincorrectly states the AP “evaluates its own transmission from the client perspective”; the AP can only infer client-side conditions from theclient’s RSSI at the AP, not the inverse.

In FortiLink NAC for LAN Edge:

When a device first connects, it is placed into theonboarding VLAN.

NAC policies then classify the device (by MAC, OS, user, EMS tag, etc.).

If a NAC policy matches, the device may be moved to anaccess VLANorquarantine VLAN.

Ifno NAC policy matches, the device simplystays in the onboarding VLAN.

FortiOS / LAN Edge documentation describes the onboarding VLAN as thedefault VLAN for unknown or unclassified devices, until NAC policy evaluation moves them elsewhere.

The DHCP configuration shows:

set vci-match enable

set vci-string "FortiSwitch" "FortiExtender"

What this means

VCI = Vendor Class Identifier (DHCP option 60)

When vci-match is enabled, the DHCP server will only respond to DHCP requests from clients whose VCI string matches the configured vendor identifiers.

FortiSwitch and FortiExtender both send DHCP option 60 with:

"FortiSwitch"

"FortiExtender"

This is used in FortiLink deployments so only these devices receive IP addresses on the FortiLink network.

Therefore:

C. To connect, devices must match the VCI string; otherwise, they will not receive an IP address.

✔Correct.

This perfectly matches FortiGate FortiLink DHCP behavior.

Summary of incorrect options

A — Ignore FortiSwitch/FortiExtender

❌Opposite behavior.

B — Restrict based on hostname

❌VCI does NOT check hostname.

D — Reserve IPs

❌No reservation occurs; it's filtering, not reserving.

WithAD machine authenticationvia FortiAuthenticator:

When a machine successfully authenticates, FortiAuthenticator records:

Machine account / identity

MAC addressof the device

Associated IP and session info

To handle sleep/hibernation:

FortiAuthenticator keeps acache of authenticated MAC addressesfor a configured timeout.

When the device wakes up and sends traffic again, FortiAuthenticator/FSSO can still treat it as authenticated as long as its MAC is in cache, so access is maintained without forcing a full machine re-auth immediately.

This matches optionD.

A(guest VLAN) is not the standard behavior here.

B(WoL) is unrelated.

C(IP-based) would break as IPs can change; MAC-based caching is what’s used.

From the exhibits:

SSID “Guest”

Security mode:Open

Captive Portal: Enabled, portal typeAuthentication → External

External portal URL: (FortiAuthenticator)

Exempt destinations/services:FortiAuthenticator and WindowsAD

Firewall policy

From theGuest interface/zonetoport1 (Internet)

Source user group:guest.portal(authenticated users)

The flow for anexternal captive portalis:

Client associates to theopen Guest SSID.

Client makes an HTTP(S) request.

FortiGate intercepts and redirects the client to theexternal portal.

Client must be able toreach FortiAuthenticator’s IP(and AD if the portal needs it)before authentication.

In this setup:

Theexempt destinationsetting tells the captive portal logicnot to require authenticationfor traffic going to FortiAuthenticator and WindowsAD.

However, there still must be a firewall policy that allows traffic from the Guest SSID subnet to those exempt destinations.

The existing firewall policy uses theguest.portal user groupas a source condition, which only matchesaftersuccessful portal authentication. Before login, the client has no user identity, so:

Traffic from the unauthenticated Guest client → FortiAuthenticator isnot matchedby that policy.

It hits theimplicit deny, so the browser never reaches the login page.

To fix this, the administrator must:

Create or modify a firewall policy thatallows traffic from the Guest SSID subnet/interface to FortiAuthenticator and WindowsAD without requiring user authentication.

That is exactly what optionDdescribes.

Why the others are wrong:

A. Change SSID security mode to WPA2-Enterprise– External captive portals are normally used withopenSSIDs; WPA2-Enterprise uses 802.1X, not captive portal.

B. Disable HTTPS redirection– Redirection is required so users are sent to the portal; disabling it doesn’t solve reachability.

C. Exclude FortiAuthenticator and Windows AD from filtering– They’re already listed asexempt destinationsin the SSID configuration; the missing piece is thefirewall policy, not the exemption.

Goal: enforce captive portal authentication overHTTPSfor guests.

On FortiGate/FortiAuthenticator captive portal setups:

HTTP redirectis used so that when a guest browses to any HTTP site, their request is redirected to theportal URL.

Theportal URLitself must beHTTPSif you want a secure login page.

FortiOS captive portal and firewall authentication guidelines recommend:

EnablingHTTP redirectso unauthenticated HTTP traffic is transparently sent to the portal.

Configuring theportal URL with HTTPS, often referencing a certificate on FortiGate or FortiAuthenticator.

Therefore:

A. Enable HTTP redirect in the user authentication settings.✔This ensures unauthenticated HTTP requests are redirected to the (now HTTPS) portal.

D. Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator.✔This makes the login itself secure (TLS-protected).

Incorrect:

B– You don’t need a new SSID; the same SSID can use HTTPS portal.

C– Disabling HTTP admin access on the SSID doesn’t control the captive portal scheme; HTTPS enforcement is done by the portal configuration and redirect, not by admin-access flags.

In this design, FortiAuthenticator receivesRADIUS accounting (RSSO) messages, looks up the user in LDAP to get group information, theninjects FSSO logon eventstoward all FortiGate devices.

From the exhibits we know:

FortiAuthenticatoris receiving RADIUS accountingfrom the RADIUS server.

LDAP queries are successful and return group membership.

But FortiGatedoes not receive FSSO logons, so identity-based policies are not applied.

For FortiAuthenticator to create an FSSO logon, the RADIUS accounting record must be correctlyparsed into at least:

Username

Client IP address

These are mapped from the RADIUS attributes in theRADIUS Accounting SSO clientconfiguration (for example, User-Name and Framed-IP-Address). If these are not defined or mapped incorrectly, FortiAuthenticator can see the accounting packet butcannot build a valid FSSO session, so no update is sent to FortiGate.

Thus the most likely root cause is:

✔The RADIUS Username and Client IPv4 attributes are not correctly definedfor that RADIUS Accounting SSO client (optionA).

Other options conflict with the scenario:

B– LDAP is already successfully returning groups.

C– FSSO user group attribute is separate; even without it, FSSO logons would still be created (just without group mapping).

D– The interfaceisreceiving RADIUS accounting, so it is clearly enabled.

In user certificates used with FortiGate / FortiAuthenticator / SSL-VPN / 802.1X, the following attributes are important:

Subject field & UPN

Provide a unique identity for the user (CN and/or UPN).

FortiGate can use theSAN/UPNfield for LDAP-integrated certificate authentication.

Expiration date

Limits how long the certificate is valid, enforcing lifecycle and rotation.

CRL URL & OCSP URL

Tell FortiGate (or any relying party)where to check if the certificate has been revoked.

Enablesnear real-time revocationusing OCSP or periodic CRL downloads instead of relying only on expiration.

By carefully configuring these fields:

The certificate uniquely and correctly identifies the user.

Relying systems can performaccurate and timely revocation checks, improving security.

Why other options are wrong:

A: It does the opposite—CRL/OCSP increase automation, not manual revocation.

B: These attributes do not inherently limit a cert to specific devices; that’s done via key usage, EKU, or device certs.

D: They don’t “ensure universal validity”; they make the certprecisely boundto one identity with enforceable lifetime and revocation.