FCSS_LED_AR-7.6 Fortinet NSE 6 - LAN Edge 7.6 Architect Questions and Answers

From the exhibits:

The AP profile shows:

SSIDs: Tunnel | Bridge | Manual

The current setting isBridge, not Manual.

WhenBridgeorTunnelis selected, the AP profiledoes NOT automatically broadcast SSIDsunless the corresponding VAPs were explicitly mapped in the AP profile.

FortiManager SSID profiles are created, but unless these are explicitly applied underManual SSIDs selection, the AP will not broadcast any SSID.

Fortinet documentation states:

“To control which SSIDs an AP broadcasts, the AP Profile must have SSIDs set toManual, and the desired SSIDs must be selected.”

Therefore, to make the AP broadcast the intended SSIDs:

✔You must switch the SSIDs setting to Manual, and manually select the SSIDs (CompanyPrinters, Student01, Guest-CorpPort, PSK).

Why the other options are incorrect:

A. Adjust AP profile to avoid mixing bridge/tunnelMixed modes ARE supported. Not the issue.

B. Change platformThe platform (FAP231F) already supports all listed SSIDs.

D. Set transmit power mode to autoPower settings have nothing to do with SSID broadcasting.

The problem states:

FortiGate receivesRADIUS accounting messagesonport3.

User-Nameattribute contains the username.

Classattribute contains the group membership.

Goal: authenticate users through RSSO and map them to the correct user groups.

To achieve this, three critical components must be configured:

✔A. RADIUS Attribute Value in the RSSO group must match the Class attribute

This is mandatory because:

RSSO user groups on FortiGate match users based onthe value inside the RADIUS attribute(usually Class).

For group assignment to work, FortiGate must compare:

RSSO User Group → RADIUS Class Attribute Value

This isexactly how FortiGate maps RSSO users to groups.

✔D. RSSO agent’s sso-attribute must be set to Class

Thesso-attributedefineswhich RADIUS attribute contains the group information.

Because group membership is carried in:

➡Class attribute

You must configure:

config user radius

set sso-attribute Class

end

This tells FortiGate:

"Use the Class attribute to derive user group membership."

✔E. rsso-endpoint-attribute must be set to User-Name

This identifieswhich RADIUS attributecarries the actualusername.

In this scenario:

RADIUS accounting messages contain the username inUser-Name.

So the correct setting is:

config user radius

set rsso-endpoint-attribute User-Name

end

This ensures the RSSO user object uses the correct username.

❌Incorrect Options Explained

B. Assign RSSO user groups to all firewall policies

Not required.

You only assign them to policies where RSSO authentication is used.

C. Device detection and Security Fabric Connection should be enabled on port3

Totally irrelevant to RSSO.

RSSO only needs RADIUS accounting, not device detection or Fabric services.

FortiGate and FortiSwitchmust share synchronized timewhen operating in FortiLink mode.

Documented reasons in FortiOS:

Accurate time synchronization is required for logs, authentication events, and fabric correlations.

Why it’s critical:

802.1X EAP and RADIUS timestamp validation

NAC policy enforcement timestamps

Certificate validation

Log correlation in Security Fabric / FortiAnalyzer

Incorrect options:

A: Firmware synchronization does NOT require NTP.

B: Switch-to-switch communication does not depend on NTP.

D: Standalone mode is unrelated to time sync.

From the exhibits:

Interface“APs”is a VLAN sub-interface onfortilinkwith IP10.10.100.254/24and a DHCP server scope 10.10.100.1–10.10.100.253.

This VLAN is assigned toport1on the managed FortiSwitch for FortiAPs.

The interface config showsonly allowaccess ping—Security Fabric Connection is not enabled.

In LAN Edge designs, FortiAPs connected through FortiSwitch are discovered and managed asLAN edge devices of the Security Fabric. FortiOS documentation states that FortiAPs and FortiSwitches appear in the Fabric topologyonly when connected on an interface with Security Fabric Connection enabled.

If the VLAN/AP management interface lacksSecurity Fabric Connection:

FortiGate does not treat that network as aFabric connection segment.

CAPWAP discovery from FortiAPs on that VLAN will not result in the AP being onboarded and shown for management.

Therefore the key misconfiguration is:

✔A – Security Fabric is disabled on the VLAN interface used for AP management.

Why the others are not the root cause:

B. Firmware incompatibility– would usually show as a “Managed (upgrade required)” or similar status after discovery, not complete non-detection. The scenario specifically points to a configuration issue, not firmware.

C. VLAN not tagged correctly on uplink– The FortiSwitch uplink to FortiGate is the FortiLink trunk, and the VLAN sub-interface APs is already bound to fortilink, so tagging on the uplink is correct by definition.

D. CAPWAP ports not open– CAPWAP (UDP 5246/5247) is terminated locally on FortiGate and does not depend on any firewall policy; these ports are open on the FortiGate itself by default.

From the exhibit, LDAP on FortiGate is correctly configured and tested:

diagnose test authserver ldap FAC-LDAP wifi101 password

authenticate 'wifi101' against 'FAC-LDAP' succeeded!

Group membership(s) - CN=Domain Users,...

So:

LDAP connectivity works

Bind DN, DN, CNID, and credentials are correct(so optionCis eliminated).

Firewall policies do not affect the802.1X / Wi-Fi authentication stepitself, soAis not the root cause.

Nothing in the scenario indicates that AD is enforcing LDAPS-only; the LDAP test already succeeds using the configured parameters, soBis also excluded.

The Wi-Fi supplicant is configured forPEAP with inner authentication = MSCHAPv2.

MSCHAPv2 is achallenge–response mechanism designed for RADIUS, not for LDAP simple bind. FortiGate’s LDAP implementation uses asimple bind (username/password) over LDAP or LDAPS, and it doesnotimplement MSCHAPv2 against LDAP backends.

In Fortinet’s design, if you needPEAP-MSCHAPv2 with Active Directory, you must use:

ARADIUS server(such as Windows NPS or FortiAuthenticator), and

Have FortiGate use RADIUS,notLDAP, as the authentication backend for 802.1X / Wi-Fi users.

Because FortiGate cannot process MSCHAPv2 exchanges directly against an LDAP server, authentication fails when the inner method is MSCHAPv2, even though LDAP works when tested with a simple bind from the CLI.

Context: You’re troubleshootingSyslog-based SSOonFortiAuthenticator:

Devices (typically firewalls, WLAN controllers, VPN gateways) sendsyslog messagescontaining usernames, IPs, login/logout events.

FortiAuthenticator parses those logs usingSyslog SSO rulesand injects logon sessions intoFSSOfor FortiGate.

When users are not mapping correctly, you need to see:

Did the syslog message arrive?

Which matching rule (if any) caught it?

What username and IP were extracted?

Why was a message ignored or rejected?

FortiAuthenticator has a dedicated debug area for this:

Debug logs → Single Sign-On → Syslog SSO

This view shows:

Raw syslog lines received

Thematching ruleapplied (or “no match”)

Parsed fields (username, IP, group)

Any parsing errors

This is exactly the tool designed totroubleshoot and diagnose Syslog SSO issues.

Why the other options are not the best for this issue

A. Debug logs > Remote Servers > Syslog Viewer

Lets you see syslog traffic in general, but doesnotshow how SSO rules are applied or why they fail. Good for connectivity checks, not SSO logic.

B. Parsing Test Tool

Useful totestpatterns and rules manually by pasting sample log lines, but it doesn’t show live traffic or running SSO sessions.

C. Debug logs > SSO Sessions page

Shows existing SSO sessions (who is logged in), but notwhya particular syslog message did not create a session.

In this design, FortiAuthenticator receivesRADIUS accounting (RSSO) messages, looks up the user in LDAP to get group information, theninjects FSSO logon eventstoward all FortiGate devices.

From the exhibits we know:

FortiAuthenticatoris receiving RADIUS accountingfrom the RADIUS server.

LDAP queries are successful and return group membership.

But FortiGatedoes not receive FSSO logons, so identity-based policies are not applied.

For FortiAuthenticator to create an FSSO logon, the RADIUS accounting record must be correctlyparsed into at least:

Username

Client IP address

These are mapped from the RADIUS attributes in theRADIUS Accounting SSO clientconfiguration (for example, User-Name and Framed-IP-Address). If these are not defined or mapped incorrectly, FortiAuthenticator can see the accounting packet butcannot build a valid FSSO session, so no update is sent to FortiGate.

Thus the most likely root cause is:

✔The RADIUS Username and Client IPv4 attributes are not correctly definedfor that RADIUS Accounting SSO client (optionA).

Other options conflict with the scenario:

B– LDAP is already successfully returning groups.

C– FSSO user group attribute is separate; even without it, FSSO logons would still be created (just without group mapping).

D– The interfaceisreceiving RADIUS accounting, so it is clearly enabled.

From the exhibits:

FortiSwitch Ports viewshows:

port2

Mode: Static

Native VLAN: Students

Allowed VLANs: quarantine.fortilink (quarantine)

NAC policy “Training”:

Switch FortiLink: fortilink

Category:Device

Matching criteria:

MAC Address: 70:88:6b:8c:4b:0e (enabled)

Operating System:Linux(enabled)

Switch Controller Action:

Assign VLAN = Students

Bounce Port = enabled

Design intent:

Device with that MAC + OS Linux, when plugged intoport2, should be dynamically moved to VLANStudentsby the NAC policy.

Why it doesn’t work now

On FortiLink NAC,dynamic NAC decisions only apply on ports whose “Access Mode” is set to NAC:

NAC mode = FortiGate controls theonboarding VLAN, evaluates NAC policies, and then dynamically reassigns the switch port VLAN (access, quarantine, etc.).

Static mode(what we see on port2) means the port just uses its configurednative/allowed VLANs, andno NAC classificationhappens.

Right now:

port2 is astatic access portwith Native VLAN = Students.

The NAC policy exists, butFortiSwitch is not in NAC enforcement mode on that port, so the policy is never evaluated for traffic on port2.

Therefore, themissing configurationis:

Setport2toNAC mode(sometimes called “Access mode: NAC” or “NAC LAN edge port”).

Once port2 is changed to NAC mode:

Device initially lands in the onboarding/quarantine VLAN.

FortiGate collects device info (MAC, OS, etc.).

NAC policy “Training” matches MAC + Linux.

Switch controller actionAssign VLAN = Studentsis applied.

Port is bounced (if configured), bringing the device back up in VLAN Students.

Why the other options are wrong

B. MAC or OS misconfigured

Possible in general, but the question asks forwhich configuration is missing, and the exhibits clearly focus on port mode. Also, even with wrong MAC/OS, the port would still be in NAC mode; here NAC isn’t even active.

C. Port Policy mode

Port policy (edge/trunk) is separate from NAC; NAC requires the specificNAC access mode.

D. Students VLAN should be Allowed VLANs instead of Native VLAN

For an access port, having Students as thenative VLANis correct. NAC policy’s Assign VLAN will set that as access VLAN; no need to make it an allowed trunk VLAN.