FCSS_LED_AR-7.6 Questions and Answers

The LAN Edge 7.6 Architect Study Guide defines exactly four captive portal types in the " Captive Portal Types " section:

" There are four types of captive portals that you can enable on an interface: Authentication, Disclaimer + Authentication, Disclaimer Only, and Email Collection. "

The guide further describes each:

Authentication — " Authentication type captive portals request users to authenticate before they are allowed access to the network. " This requires a login, satisfying the tracking requirement.

Disclaimer + Authentication — " Disclaimer + Authentication captive portals present users with a disclaimer page and an authentication page. The user must accept a disclaimer and authenticate successfully in order to get network access. " This also requires a login, satisfying the tracking requirement.

Disclaimer Only — Users accept a disclaimer but do NOT authenticate. No login required.

Email Collection — Users provide an email address only; no username/password authentication.

Since the requirement is specifically to require visitors to log in for tracking purposes, only the two types that enforce login credentials qualify: Authentication (E) and Disclaimer + Authentication (C).

Why the other options are wrong:

A is incorrect — " Terms Acknowledgment Without Authentication " does not exist as a captive portal type in FortiOS. This matches Disclaimer Only, which does NOT require login.

B is incorrect — " Email Notification Only " is not one of the four captive portal types. The study guide names it " Email Collection " — and even that only collects an email address, not a full login credential.

D is incorrect — " Guest Pass Access " is not listed as a captive portal type in the LAN Edge 7.6 study guide. It is not one of the four defined types.

???? Typing Error Corrections Made: " racking purposes " in the original question corrected to " tracking purposes. "

The correct answer is D.

The LAN Edge 7.6 Architect study guide directly explains this exact behavior for SSIDs configured on FortiManager.

The study guide states:

“In central management mode, profiles are created and stored on FortiManager. An AP profile is distributed to a controller when at least one of its supported APs is assigned the profile and the device settings are installed. SSID profiles are delivered only when you select Manual in the SSID field.”

It further says:

“If you create an SSID profile centrally and configure all the AP profiles to be tunnel or bridge, the SSID profile is not delivered to FortiGate. FortiManager does not know which of the SSID profiles to distribute to which FortiGate.”

And the guide gives the exact fix:

“A manual SSID explicitly tells FortiManager which SSID profile to broadcast on the AP and, as a result, the required SSID profile is delivered to the controller.”

Another extract from the same section confirms:

“When you want to broadcast an SSID, you must configure the AP profile that is being used by the APs that are to transmit it... Manual: You can select a mix of SSIDs to broadcast.”

So in this scenario, the AP profile must be changed from Bridge or Tunnel to Manual, and then the required SSIDs must be explicitly selected.

Why the other options are incorrect:

A. Incorrect. The issue is not the AP platform. The study guide identifies the problem as SSID delivery and mapping from FortiManager to FortiGate, not AP hardware support

B. Incorrect. The study guide explicitly says Manual can be used to “select a mix of SSIDs to broadcast,” so a mix is supported when Manual is chosen

C. Incorrect. Transmit Power Mode affects RF behavior, not whether FortiManager delivers SSID profiles to FortiGate. The problem here is SSID assignment and profile distribution, not radio power.

Extra confirmation from FortiGate Cloud administration guidance:

“To configure the SSID that you created select Manual for SSIDs then select the SSID from the dialog.”

Final verified conclusion:

Because the SSIDs were created on FortiManager and are not being broadcast, the AP profile must use Manual in the SSIDs field and the intended SSIDs must be explicitly selected.

So the correct answer is D.

From the exhibit, the DHCP server configured on the fortilink interface contains:

set vci-match enable

set vci-string " FortiExtender "

That is the key problem. This DHCP scope is tied to a Vendor Class Identifier match for FortiExtender, not FortiSwitch. As a result, the FortiSwitch will not match the DHCP offer and may fail to receive an IP address on the FortiLink network, which prevents FortiGate from discovering and managing it.

The LAN Edge 7.6 Architect study guide says that for FortiLink troubleshooting, you must verify DHCP on the FortiLink interface and confirm the switch receives an IP address:

“On FortiGate verify that DHCP is enabled for the FortiLink interface” and on FortiSwitch “Verify that the interface is getting an IP address from FortiLink”

It also says to use:

#execute switch-controller diagnose-connection for “Interface, DHCP, and NTP connection status”

#get system interface on FortiSwitch to verify that it is getting an IP address from FortiLink

So if the switch stays offline and cabling is correct, DHCP mismatch is a valid root cause.

Further confirmation comes from the FortiOS Administration Guide, which explains VCI-based DHCP assignment:

“VCIs (vendor class identifiers) are supported in DHCP to allow VCI pattern matching as a condition for IP or DHCP option assignment.”

It also states:

“When enabled only DHCP requests with a matching VCI are served with this range.”

That matches this scenario exactly. Because the DHCP pool is restricted to vci-string " FortiExtender " , a FortiSwitch DHCP request will not match that pool.

Why the other options are incorrect:

A. Incorrect. ip-managed-by-fortiipam disable is shown in the FortiLink interface exhibit, but the study guide does not identify this as a requirement for FortiSwitch discovery. It is not the reason the switch would remain offline here.

B. Incorrect. The FortiLink interface member is port4, and the topology exhibit shows the FortiGate connected from port4 to the FortiSwitch port24. That matches the physical topology, so the interface member is not the issue.

C. Incorrect. The study guide explicitly says the FortiLink interface is a LAG by default:

“All FortiGate devices come with a factory default FortiLink interface... By default, the interface is created as a link aggregation group (LAG) interface.”

So type aggregate is normal and valid. It does not need to be physical.

Final verified conclusion:

The FortiSwitch remains offline because the DHCP server on the FortiLink interface is configured with the wrong VCI match string, FortiExtender, which prevents the FortiSwitch from obtaining an IP address from FortiLink.

So the correct answer is D.

WithAD machine authenticationvia FortiAuthenticator:

When a machine successfully authenticates, FortiAuthenticator records:

Machine account / identity

MAC addressof the device

Associated IP and session info

To handle sleep/hibernation:

FortiAuthenticator keeps acache of authenticated MAC addressesfor a configured timeout.

When the device wakes up and sends traffic again, FortiAuthenticator/FSSO can still treat it as authenticated as long as its MAC is in cache, so access is maintained without forcing a full machine re-auth immediately.

This matches optionD.

A(guest VLAN) is not the standard behavior here.

B(WoL) is unrelated.

C(IP-based) would break as IPs can change; MAC-based caching is what’s used.

The problem states:

FortiGate receivesRADIUS accounting messagesonport3.

User-Nameattribute contains the username.

Classattribute contains the group membership.

Goal: authenticate users through RSSO and map them to the correct user groups.

To achieve this, three critical components must be configured:

✔A. RADIUS Attribute Value in the RSSO group must match the Class attribute

This is mandatory because:

RSSO user groups on FortiGate match users based onthe value inside the RADIUS attribute(usually Class).

For group assignment to work, FortiGate must compare:

RSSO User Group → RADIUS Class Attribute Value

This isexactly how FortiGate maps RSSO users to groups.

✔D. RSSO agent’s sso-attribute must be set to Class

Thesso-attributedefineswhich RADIUS attribute contains the group information.

Because group membership is carried in:

➡Class attribute

You must configure:

config user radius

set sso-attribute Class

end

This tells FortiGate:

" Use the Class attribute to derive user group membership. "

✔E. rsso-endpoint-attribute must be set to User-Name

This identifieswhich RADIUS attributecarries the actualusername.

In this scenario:

RADIUS accounting messages contain the username inUser-Name.

So the correct setting is:

config user radius

set rsso-endpoint-attribute User-Name

end

This ensures the RSSO user object uses the correct username.

❌Incorrect Options Explained

B. Assign RSSO user groups to all firewall policies

Not required.

You only assign them to policies where RSSO authentication is used.

C. Device detection and Security Fabric Connection should be enabled on port3

Totally irrelevant to RSSO.

RSSO only needs RADIUS accounting, not device detection or Fabric services.

FortiLink NACis the NAC (Network Access Control) engine built into FortiGate when it manages FortiSwitch devices.

It performs:

✔Automated device onboarding

Automatically detects new devices connecting to switches.

Uses MAC, vendor, DHCP fingerprinting, or IoT database to classify devices.

No manual VLAN assignment required.

✔Security posture verification

Works with FortiClient EMS, ZTNA tags, IoT detection.

Applies policies based on:

Device type

User role

Endpoint compliance

IoT vulnerability status

✔Dynamic VLAN assignment

Automatically moves devices into proper VLANs, quarantine networks, or guest zones.

✔Integration with LAN Edge & Zero Trust

Uses FortiGate + FortiSwitch + FortiAP to enforce zero-trust access.

This matches the LAN Edge 7.6 Architect explanation of FortiLink NAC.

❌Why other answers are wrong

A. Extend security policies across FortiGate firewalls

Not NAC. That refers to Security Fabric or SD-WAN.

C. Apply manual firewall rules

FortiLink NAC is specifically designed toautomateaccess control.

D. Manually place devices in VLANs

NAC eliminates manual VLAN assignment — it is dynamic.

From the exhibits:

FortiSwitch Ports viewshows:

port2

Mode: Static

Native VLAN: Students

Allowed VLANs: quarantine.fortilink (quarantine)

NAC policy “Training”:

Switch FortiLink: fortilink

Category:Device

Matching criteria:

MAC Address: 70:88:6b:8c:4b:0e (enabled)

Operating System:Linux(enabled)

Switch Controller Action:

Assign VLAN = Students

Bounce Port = enabled

Design intent:

Device with that MAC + OS Linux, when plugged intoport2, should be dynamically moved to VLANStudentsby the NAC policy.

Why it doesn’t work now

On FortiLink NAC,dynamic NAC decisions only apply on ports whose “Access Mode” is set to NAC:

NAC mode = FortiGate controls theonboarding VLAN, evaluates NAC policies, and then dynamically reassigns the switch port VLAN (access, quarantine, etc.).

Static mode(what we see on port2) means the port just uses its configurednative/allowed VLANs, andno NAC classificationhappens.

Right now:

port2 is astatic access portwith Native VLAN = Students.

The NAC policy exists, butFortiSwitch is not in NAC enforcement mode on that port, so the policy is never evaluated for traffic on port2.

Therefore, themissing configurationis:

Setport2toNAC mode(sometimes called “Access mode: NAC” or “NAC LAN edge port”).

Once port2 is changed to NAC mode:

Device initially lands in the onboarding/quarantine VLAN.

FortiGate collects device info (MAC, OS, etc.).

NAC policy “Training” matches MAC + Linux.

Switch controller actionAssign VLAN = Studentsis applied.

Port is bounced (if configured), bringing the device back up in VLAN Students.

Why the other options are wrong

B. MAC or OS misconfigured

Possible in general, but the question asks forwhich configuration is missing, and the exhibits clearly focus on port mode. Also, even with wrong MAC/OS, the port would still be in NAC mode; here NAC isn’t even active.

C. Port Policy mode

Port policy (edge/trunk) is separate from NAC; NAC requires the specificNAC access mode.

D. Students VLAN should be Allowed VLANs instead of Native VLAN

For an access port, having Students as thenative VLANis correct. NAC policy’s Assign VLAN will set that as access VLAN; no need to make it an allowed trunk VLAN.

From the exhibits:

The AP profile shows:

SSIDs: Tunnel | Bridge | Manual

The current setting isBridge, not Manual.

WhenBridgeorTunnelis selected, the AP profiledoes NOT automatically broadcast SSIDsunless the corresponding VAPs were explicitly mapped in the AP profile.

FortiManager SSID profiles are created, but unless these are explicitly applied underManual SSIDs selection, the AP will not broadcast any SSID.

Fortinet documentation states:

“To control which SSIDs an AP broadcasts, the AP Profile must have SSIDs set toManual, and the desired SSIDs must be selected.”

Therefore, to make the AP broadcast the intended SSIDs:

✔You must switch the SSIDs setting to Manual, and manually select the SSIDs (CompanyPrinters, Student01, Guest-CorpPort, PSK).

Why the other options are incorrect:

A. Adjust AP profile to avoid mixing bridge/tunnelMixed modes ARE supported. Not the issue.

B. Change platformThe platform (FAP231F) already supports all listed SSIDs.

D. Set transmit power mode to autoPower settings have nothing to do with SSID broadcasting.

In user certificates used with FortiGate / FortiAuthenticator / SSL-VPN / 802.1X, the following attributes are important:

Subject field & UPN

Provide a unique identity for the user (CN and/or UPN).

FortiGate can use theSAN/UPNfield for LDAP-integrated certificate authentication.

Expiration date

Limits how long the certificate is valid, enforcing lifecycle and rotation.

CRL URL & OCSP URL

Tell FortiGate (or any relying party)where to check if the certificate has been revoked.

Enablesnear real-time revocationusing OCSP or periodic CRL downloads instead of relying only on expiration.

By carefully configuring these fields:

The certificate uniquely and correctly identifies the user.

Relying systems can performaccurate and timely revocation checks, improving security.

Why other options are wrong:

A: It does the opposite—CRL/OCSP increase automation, not manual revocation.

B: These attributes do not inherently limit a cert to specific devices; that’s done via key usage, EKU, or device certs.

D: They don’t “ensure universal validity”; they make the certprecisely boundto one identity with enforceable lifetime and revocation.