FCP_FWF_AD-7.4 Questions and Answers

When a client moves out of range, the connection drops.

The normal behavior is for the client to disconnect and then seek out and connect to another AP with a stronger signal.

The AP does not force disconnection or send alerts; the client handles roaming.

Clients do not increase their own radio power substantially in response to poor signals due to hardware limits.

FortiPresence is Fortinet’s Wi-Fi analytics/cloud presence platform.

FortiAPs can be managed directly by FortiGate or FortiLAN Cloud and connect their analytics/events to the FortiPresence cloud for presence analytics.

FortiSASE and FortiSwitch Manager do not provide FortiPresence integration for APs.

For remote sites with no on-site IT, you should:

A: Use APs that support Fortinet UTM (i.e., FortiAPs that can tunnel traffic back to a FortiGate for UTM enforcement).

D: Use cloud-based management (FortiLAN Cloud) and configure tunnel SSIDs so all traffic from the AP is sent back for security inspection at a central FortiGate.

B refers to PoE power but isn’t essential if APs can be powered in another way.

C (bridge mode to local subnet) would not allow centralized UTM enforcement unless local FortiGate is present.

Analysis of the Exhibits and Scenario:

The DHCP server configuration is correct for dynamic assignment within a specified IP range for the interface “WLAN01”.

The RADIUS configuration for user1 includes:

Tunnel-Type (should be set to VLAN, but value is missing)

Tunnel-Medium-Type (set to IEEE-802, which is correct for Ethernet/WiFi)

Tunnel-Private-Group-Id (set to “infrastructure” as a string)

The problem described: Dynamic VLAN assignment is not working for user1.

How Dynamic VLAN Assignment Works in 802.1X/EAP (with FortiGate/FortiAP):

When a user authenticates, the RADIUS server returns attributes specifying the VLAN that should be assigned.

The critical attributes are:

Tunnel-Type (must be set to value “VLAN”, which is integer 13)

Tunnel-Medium-Type (must be “IEEE-802”, integer 6)

Tunnel-Private-Group-Id (can be the VLAN name or VLAN ID, depending on your configuration)

Problem in the Exhibit:

The Tunnel-Type value is missing!

It must be set to 13 (for VLAN).

The Tunnel-Medium-Type and Tunnel-Private-Group-Id are correctly set.

Corrective Action:

Update user1’s RADIUS attributes so that Tunnel-Type is set to the correct value for VLAN (integer 13).

Without this, FortiGate/FortiAP will not know to interpret the returned VLAN name or ID for dynamic assignment.

Review of Options:

Disable the DHCP server on ONBOARD to allow VLAN assignment.

Irrelevant; DHCP server presence does not affect dynamic VLAN assignment.

Add user1 in one of the VLAN names

This is not how dynamic VLAN assignment works. The RADIUS response must include the correct VLAN assignment.

Update user1 RADIUS attributes to include a VLAN ID attribute ID

Correct. You must set Tunnel-Type (13) and possibly provide the VLAN ID in Tunnel-Private-Group-Id.

Create a new VLAN name infrastructure' with a VLAN ID associated with it

Not the root cause; you must first ensure the correct attributes are present in the RADIUS response.

Summary:

The missing “Tunnel-Type” attribute value is the reason dynamic VLAN assignment is not working. The correct configuration requires setting Tunnel-Type = 13 (VLAN) for user1 in the RADIUS server.