FCSS_LED_AR-7.6 Fortinet NSE 6 - LAN Edge 7.6 Architect Questions and Answers

The problem states:

FortiGate receivesRADIUS accounting messagesonport3.

User-Nameattribute contains the username.

Classattribute contains the group membership.

Goal: authenticate users through RSSO and map them to the correct user groups.

To achieve this, three critical components must be configured:

✔A. RADIUS Attribute Value in the RSSO group must match the Class attribute

This is mandatory because:

RSSO user groups on FortiGate match users based onthe value inside the RADIUS attribute(usually Class).

For group assignment to work, FortiGate must compare:

RSSO User Group → RADIUS Class Attribute Value

This isexactly how FortiGate maps RSSO users to groups.

✔D. RSSO agent’s sso-attribute must be set to Class

Thesso-attributedefineswhich RADIUS attribute contains the group information.

Because group membership is carried in:

➡Class attribute

You must configure:

config user radius

set sso-attribute Class

end

This tells FortiGate:

" Use the Class attribute to derive user group membership. "

✔E. rsso-endpoint-attribute must be set to User-Name

This identifieswhich RADIUS attributecarries the actualusername.

In this scenario:

RADIUS accounting messages contain the username inUser-Name.

So the correct setting is:

config user radius

set rsso-endpoint-attribute User-Name

end

This ensures the RSSO user object uses the correct username.

❌Incorrect Options Explained

B. Assign RSSO user groups to all firewall policies

Not required.

You only assign them to policies where RSSO authentication is used.

C. Device detection and Security Fabric Connection should be enabled on port3

Totally irrelevant to RSSO.

RSSO only needs RADIUS accounting, not device detection or Fabric services.

The correct answer is A.

The LAN Edge 7.6 Architect study guide explicitly explains the difference between the two quarantine actions:

“IP ban: Traffic from the compromised device IP address is blocked on FortiGate, but intra-VLAN traffic is still allowed.”

It also states:

“Access-layer quarantine: Inter-VLAN and intra-VLAN traffic from the compromised device MAC address is blocked using FortiGate and FortiSwitch.”

That exactly matches the symptom in the question. The device has lost internet and inter-VLAN access, but it can still communicate with devices in the same VLAN. That behavior is the expected result of an IP Ban action, not full access-layer quarantine.

The study guide further explains MAC-based quarantine behavior:

“Isolation means that a quarantined device can communicate only with FortiGate. If the device tries to communicate with any other host on the network, the communication is blocked.”

And it adds:

“In both modes: Intra-VLAN traffic is blocked automatically by FortiGate.”

So to block same-VLAN communication as well, the automation action must use Access Layer Quarantine instead of IP Ban.

Why the other options are incorrect:

B. Incorrect. There is no separate “IP Ban settings to the Quarantine action” correction described in the study guide. The fix is to use the correct automation action type, which is Access Layer Quarantine

C. Incorrect. The IOC has already worked well enough to trigger the stitch. The issue is not IOC detection, but the wrong quarantine action being used, as shown by the behavior and the log/widget evidence.

D. Incorrect. The study guide does not describe a separate setting to “enable intra-VLAN traffic blocking” for Security Fabric quarantine. Instead, intra-VLAN blocking is achieved by using Access Layer Quarantine, not IP Ban

Final verified conclusion:

Because the current behavior matches IP Ban, and same-VLAN traffic is still allowed, the required fix is to replace the IP Ban action with Access Layer Quarantine.

So the correct answer is A.

In an SD-Branch deployment (FortiGate + FortiSwitch + FortiAP),FortiAIOps:

Collects telemetry and logs from Fabric devices

Usesmachine-learning / AI analyticsto:

Spot anomalies (latency, packet loss, RF issues, misconfigurations)

Highlight root causes

Proposeoptimization recommendations(e.g., channel changes, power tuning, config fixes)

It doesnot:

Automatically disable devices (Afalse)

Replace SD-WAN config or all routing (Cfalse)

Fixallissues with zero human input (Dis marketing fantasy, not reality)

The correct answer is C.

The LAN Edge 7.6 Architect study guide states: “If you are using an external captive portal server, you must configure a firewall policy and exempt web traffic to the external captive portal IP address.”

It also states: “Just selecting and applying the address object and selecting the services is not enough to allow the traffic to pass through FortiGate. You must also have a corresponding firewall policy in place that allows the pinhole traffic to pass through FortiGate.”

The guide further explains: “An alternative method to exempt captive portal traffic is to create a firewall policy and enable the Exempt from Captive Portal option.”

In this case, the external captive portal URL is correct, but users still cannot reach the login page. That means the traffic needed to reach the external captive portal is not being exempted properly through the firewall policy. Therefore, the missing correction is to use the firewall policy with the captive-portal-exempt option.

Why the other options are incorrect:

A. Incorrect. The study guide refers to exempting traffic to the external captive portal destination, not adding FortiAuthenticator and WindowsAD as exempt sources

B. Incorrect. External captive portal authentication does not require WPA2 Enterprise. The SSID can remain open and use captive portal authentication instead

D. Incorrect. The guest user group is used on the policy that allows authenticated users onward access after login, not on the exempt policy that lets unauthenticated users reach the portal first

According to the Fortinet LAN Edge architecture regarding device discovery and management:

FortiLink Discovery Mechanism: Managed FortiSwitches are designed to be discovered automatically by the FortiGate switch controller. For this discovery to occur, a management IP address must be assigned to the switch so it can communicate with the FortiGate via the FortiLink protocol.

DHCP Requirement: All FortiGate devices include a factory-default FortiLink interface. Once this interface is configured with an IP address and netmask, the FortiGate automatically establishes a DHCP scope dedicated to assigning IP addresses and other network parameters to the connected managed switches.

Troubleshooting Discovery: If a FortiSwitch does not appear in the interface, it indicates a failure in the initial discovery phase. The most common cause is the switch failing to receive an IP address. Therefore, the first logical troubleshooting step is to verify that the FortiGate ' s DHCP server on the FortiLink interface is active and successfully leasing an IP address to the FortiSwitch.

Authorization: Once the switch receives an IP and is discovered, it will typically show as " Unauthorized " until the administrator manually authorizes it (unless " Automatically authorize devices " is enabled). If it doesn ' t appear at all, the issue precedes authorization and likely relates to basic IP connectivity provided by DHCP.

Analysis of Incorrect Options:

A: Security policies on the FortiGate control traffic passing through the firewall (transit traffic), not the management traffic between the FortiGate itself and its managed switches.

B: While static IPs are technically possible, the standard architectural design for LAN Edge relies on DHCP for plug-and-play functionality; manually assigning a static IP is a more advanced step, not the first troubleshooting action.

D: Internet access is not required for the FortiSwitch to be managed locally by a FortiGate via FortiLink.

From the exhibits:

FortiSwitch Ports viewshows:

port2

Mode: Static

Native VLAN: Students

Allowed VLANs: quarantine.fortilink (quarantine)

NAC policy “Training”:

Switch FortiLink: fortilink

Category:Device

Matching criteria:

MAC Address: 70:88:6b:8c:4b:0e (enabled)

Operating System:Linux(enabled)

Switch Controller Action:

Assign VLAN = Students

Bounce Port = enabled

Design intent:

Device with that MAC + OS Linux, when plugged intoport2, should be dynamically moved to VLANStudentsby the NAC policy.

Why it doesn’t work now

On FortiLink NAC,dynamic NAC decisions only apply on ports whose “Access Mode” is set to NAC:

NAC mode = FortiGate controls theonboarding VLAN, evaluates NAC policies, and then dynamically reassigns the switch port VLAN (access, quarantine, etc.).

Static mode(what we see on port2) means the port just uses its configurednative/allowed VLANs, andno NAC classificationhappens.

Right now:

port2 is astatic access portwith Native VLAN = Students.

The NAC policy exists, butFortiSwitch is not in NAC enforcement mode on that port, so the policy is never evaluated for traffic on port2.

Therefore, themissing configurationis:

Setport2toNAC mode(sometimes called “Access mode: NAC” or “NAC LAN edge port”).

Once port2 is changed to NAC mode:

Device initially lands in the onboarding/quarantine VLAN.

FortiGate collects device info (MAC, OS, etc.).

NAC policy “Training” matches MAC + Linux.

Switch controller actionAssign VLAN = Studentsis applied.

Port is bounced (if configured), bringing the device back up in VLAN Students.

Why the other options are wrong

B. MAC or OS misconfigured

Possible in general, but the question asks forwhich configuration is missing, and the exhibits clearly focus on port mode. Also, even with wrong MAC/OS, the port would still be in NAC mode; here NAC isn’t even active.

C. Port Policy mode

Port policy (edge/trunk) is separate from NAC; NAC requires the specificNAC access mode.

D. Students VLAN should be Allowed VLANs instead of Native VLAN

For an access port, having Students as thenative VLANis correct. NAC policy’s Assign VLAN will set that as access VLAN; no need to make it an allowed trunk VLAN.

The DHCP configuration shows:

set vci-match enable

set vci-string " FortiSwitch " " FortiExtender "

What this means

VCI = Vendor Class Identifier (DHCP option 60)

When vci-match is enabled, the DHCP server will only respond to DHCP requests from clients whose VCI string matches the configured vendor identifiers.

FortiSwitch and FortiExtender both send DHCP option 60 with:

" FortiSwitch "

" FortiExtender "

This is used in FortiLink deployments so only these devices receive IP addresses on the FortiLink network.

Therefore:

C. To connect, devices must match the VCI string; otherwise, they will not receive an IP address.

✔Correct.

This perfectly matches FortiGate FortiLink DHCP behavior.

Summary of incorrect options

A — Ignore FortiSwitch/FortiExtender

❌Opposite behavior.

B — Restrict based on hostname

❌VCI does NOT check hostname.

D — Reserve IPs

❌No reservation occurs; it ' s filtering, not reserving.

FortiAnalyzer requires a specific license to evaluateIndicators of Compromise (IOC).

From theFortiAnalyzer 7.4.1 Administration Guide:

IOC identification requires theThreat Detection Servicelicense on FortiAnalyzer.

This license enables:

IOC database updates

Compromised host detection

Event correlation based on FortiGuard threat intelligence

Fabric-wide IOC automation triggers

Why the other answers are incorrect:

A: IoT Security add-on is unrelated to IOC rules.

B: There isnoIOC subscription license type for FortiAnalyzer.

C: FAZ-Basic license doesNOTinclude IOC detection.

In a LAN Edge deployment:

FortiSwitch is managedthrough FortiGate via FortiLink.

FortiAIOps integrates withFortiGateas the single managed device; from there it gains visibility intoall Fabric and LAN-edge devices(FortiSwitch, FortiAP) that are registered to that FortiGate.

Once the FortiGate is successfully added to FortiAIOps (as shown in the exhibit, statusOnline / Successfully Discovered), all FortiSwitches managed by that FortiGate are:

Discovered automatically through the FortiGate–FortiAIOps connection

Shown under the appropriate inventory / switch views withno separate onboarding stepfor each switch.

This is why no extra IP, serial number, or credential entry is required for FortiSwitch.

So:

AandBsuggest manual per-switch onboarding, which is not how FortiAIOps works with LAN Edge.

Dsimilarly assumes direct FortiSwitch management, but FortiAIOps talks toFortiGate, not the switch.

Therefore the correct behavior is that theFortiSwitch is added automatically (C)once its managing FortiGate is connected to FortiAIOps.

The correct answers are A and B.

The LAN Edge 7.6 Architect study guide explains that when LDAP is the back-end server, CHAP, MS-CHAP, and MS-CHAPv2 do not work because the client sends a one-way password hash, while LDAP expects the actual password:

“If FortiGate is configured to authenticate clients using a remote LDAP server, VPN and wireless clients using CHAP schemes are not able to authenticate... The reason is that during CHAP, MS-CHAP, and MS-CHAPv2 authentication, a client sends a one-way hash of the password. However, the LDAP server, which is on the back end, is expecting the password itself.”

The same study guide then gives the two valid solutions:

“Two possible methods that you can use to solve the CHAP and LDAP problem are:”

“Use RADIUS: Change your back-end server from LDAP to RADIUS.”

and

“If you are using Windows AD as your LDAP server, an alternative is to use FortiAuthenticator as an authentication proxy... You must also configure FortiAuthenticator to log in to the Windows domain using the credentials of a Windows administrator. This adds FortiAuthenticator as a trusted device on the Windows AD domain, allowing FortiAuthenticator to proxy the password hash from the client to the Windows server, using NTLM.”

That directly matches:

A. Enable Windows Active Directory domain authentication on FortiAuthenticator.

B. Configure FortiAuthenticator to use RADIUS instead of LDAP as the back-end authentication server.

The study guide also states this explicitly in the FortiAuthenticator LDAP configuration section:

“If you want FortiAuthenticator to relay CHAP, MS-CHAP, and MS-CHAPv2 authentication to a Windows AD server, you must enable Windows Active Directory Domain Authentication and enter the credentials for a Windows administrator.”

And it separately confirms RADIUS as another supported back-end proxy model:

“You can configure FortiAuthenticator to connect to existing RADIUS servers... If the local user database is not used, FortiAuthenticator proxies RADIUS authentication requests.”

Why the other options are incorrect:

C. Incorrect. RADIUS attribute filtering does not solve the CHAP/MS-CHAPv2 versus LDAP hash problem. The issue is the back-end authentication method, not attribute filtering.

D. Incorrect. Changing from MS-CHAPv2 to CHAP does not fix it, because the study guide says the same limitation applies to CHAP, MS-CHAP, and MS-CHAPv2 when LDAP is the back end

Final verified conclusion:

To enable MS-CHAPv2 authentication in this scenario, the two valid solutions are:

A. Enable Windows Active Directory domain authentication on FortiAuthenticator.

B. Configure FortiAuthenticator to use RADIUS instead of LDAP as the back-end authentication server.

The correct answers are A and E.

The LAN Edge 7.6 Architect study guide explicitly states that guest portals on FortiAuthenticator support social login:

“The guest portal ... provides user account and pre-login services ... Social login option”

More importantly, in the portal policy configuration, the guide states:

“The social user login option allows users to authenticate using third-party single sign-on (SSO) services such as Facebook, LinkedIn, and so on. You must configure social login profiles to use this method.”

That directly proves E is required.

The same exact extract also says:

“If you have enabled social users as an authentication type, you will select the social platforms that will be available for user authentication. The options are Facebook, Google, Twitter, Linkedin, Phone number, and Email. For each option, other than phone number and email, you will need to configured a remote open authorization (OAuth) server.”

That directly proves A is required.

Why the other options are incorrect:

B. Incorrect. The study guide explicitly says social login is supported in the guest portal, so it is false to say social media login cannot be used with captive portals

C. Incorrect. Account Login is a different authentication method. The guide says: “Account login means that user credentials are provided by the FortiAuthenticator internal database or remote authentication server.” That is for standard account-based login, not required for social login

D. Incorrect. FortiAuthenticator internal database can be used for account login, but the question asks specifically for visitors authenticating with existing social media accounts. That uses social login profiles and OAuth servers, not the internal database as the primary source

Final verified conclusion:

To enable captive portal authentication using social media accounts, you must:

configure social login profiles

configure a remote OAuth server for each selected social platform

So the correct answers are A and E.