Free FCSS_LED_AR-7.6 Questions Attempt

Goal: enforce captive portal authentication overHTTPSfor guests.

On FortiGate/FortiAuthenticator captive portal setups:

HTTP redirectis used so that when a guest browses to any HTTP site, their request is redirected to theportal URL.

Theportal URLitself must beHTTPSif you want a secure login page.

FortiOS captive portal and firewall authentication guidelines recommend:

EnablingHTTP redirectso unauthenticated HTTP traffic is transparently sent to the portal.

Configuring theportal URL with HTTPS, often referencing a certificate on FortiGate or FortiAuthenticator.

Therefore:

A. Enable HTTP redirect in the user authentication settings.✔This ensures unauthenticated HTTP requests are redirected to the (now HTTPS) portal.

D. Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator.✔This makes the login itself secure (TLS-protected).

Incorrect:

B– You don’t need a new SSID; the same SSID can use HTTPS portal.

C– Disabling HTTP admin access on the SSID doesn’t control the captive portal scheme; HTTPS enforcement is done by the portal configuration and redirect, not by admin-access flags.

In this design, FortiAuthenticator receivesRADIUS accounting (RSSO) messages, looks up the user in LDAP to get group information, theninjects FSSO logon eventstoward all FortiGate devices.

From the exhibits we know:

FortiAuthenticatoris receiving RADIUS accountingfrom the RADIUS server.

LDAP queries are successful and return group membership.

But FortiGatedoes not receive FSSO logons, so identity-based policies are not applied.

For FortiAuthenticator to create an FSSO logon, the RADIUS accounting record must be correctlyparsed into at least:

Username

Client IP address

These are mapped from the RADIUS attributes in theRADIUS Accounting SSO clientconfiguration (for example, User-Name and Framed-IP-Address). If these are not defined or mapped incorrectly, FortiAuthenticator can see the accounting packet butcannot build a valid FSSO session, so no update is sent to FortiGate.

Thus the most likely root cause is:

✔The RADIUS Username and Client IPv4 attributes are not correctly definedfor that RADIUS Accounting SSO client (optionA).

Other options conflict with the scenario:

B– LDAP is already successfully returning groups.

C– FSSO user group attribute is separate; even without it, FSSO logons would still be created (just without group mapping).

D– The interfaceisreceiving RADIUS accounting, so it is clearly enabled.

In user certificates used with FortiGate / FortiAuthenticator / SSL-VPN / 802.1X, the following attributes are important:

Subject field & UPN

Provide a unique identity for the user (CN and/or UPN).

FortiGate can use theSAN/UPNfield for LDAP-integrated certificate authentication.

Expiration date

Limits how long the certificate is valid, enforcing lifecycle and rotation.

CRL URL & OCSP URL

Tell FortiGate (or any relying party)where to check if the certificate has been revoked.

Enablesnear real-time revocationusing OCSP or periodic CRL downloads instead of relying only on expiration.

By carefully configuring these fields:

The certificate uniquely and correctly identifies the user.

Relying systems can performaccurate and timely revocation checks, improving security.

Why other options are wrong:

A: It does the opposite—CRL/OCSP increase automation, not manual revocation.

B: These attributes do not inherently limit a cert to specific devices; that’s done via key usage, EKU, or device certs.

D: They don’t “ensure universal validity”; they make the certprecisely boundto one identity with enforceable lifetime and revocation.