FCSS_LED_AR-7.6 Exam Dumps - Fortinet Certified Solution Specialist Questions and Answers

In a LAN Edge deployment:

FortiSwitch is managedthrough FortiGate via FortiLink.

FortiAIOps integrates withFortiGateas the single managed device; from there it gains visibility intoall Fabric and LAN-edge devices(FortiSwitch, FortiAP) that are registered to that FortiGate.

Once the FortiGate is successfully added to FortiAIOps (as shown in the exhibit, statusOnline / Successfully Discovered), all FortiSwitches managed by that FortiGate are:

Discovered automatically through the FortiGate–FortiAIOps connection

Shown under the appropriate inventory / switch views withno separate onboarding stepfor each switch.

This is why no extra IP, serial number, or credential entry is required for FortiSwitch.

So:

AandBsuggest manual per-switch onboarding, which is not how FortiAIOps works with LAN Edge.

Dsimilarly assumes direct FortiSwitch management, but FortiAIOps talks toFortiGate, not the switch.

Therefore the correct behavior is that theFortiSwitch is added automatically (C)once its managing FortiGate is connected to FortiAIOps.

In this design, FortiAuthenticator receivesRADIUS accounting (RSSO) messages, looks up the user in LDAP to get group information, theninjects FSSO logon eventstoward all FortiGate devices.

From the exhibits we know:

FortiAuthenticatoris receiving RADIUS accountingfrom the RADIUS server.

LDAP queries are successful and return group membership.

But FortiGatedoes not receive FSSO logons, so identity-based policies are not applied.

For FortiAuthenticator to create an FSSO logon, the RADIUS accounting record must be correctlyparsed into at least:

Username

Client IP address

These are mapped from the RADIUS attributes in theRADIUS Accounting SSO clientconfiguration (for example, User-Name and Framed-IP-Address). If these are not defined or mapped incorrectly, FortiAuthenticator can see the accounting packet butcannot build a valid FSSO session, so no update is sent to FortiGate.

Thus the most likely root cause is:

✔The RADIUS Username and Client IPv4 attributes are not correctly definedfor that RADIUS Accounting SSO client (optionA).

Other options conflict with the scenario:

B– LDAP is already successfully returning groups.

C– FSSO user group attribute is separate; even without it, FSSO logons would still be created (just without group mapping).

D– The interfaceisreceiving RADIUS accounting, so it is clearly enabled.