FCSS_LED_AR-7.6 Exam Dumps - Fortinet Certified Solution Specialist Questions and Answers

The correct answer is A.

The LAN Edge 7.6 Architect study guide explicitly explains the difference between the two quarantine actions:

“IP ban: Traffic from the compromised device IP address is blocked on FortiGate, but intra-VLAN traffic is still allowed.”

It also states:

“Access-layer quarantine: Inter-VLAN and intra-VLAN traffic from the compromised device MAC address is blocked using FortiGate and FortiSwitch.”

That exactly matches the symptom in the question. The device has lost internet and inter-VLAN access, but it can still communicate with devices in the same VLAN. That behavior is the expected result of an IP Ban action, not full access-layer quarantine.

The study guide further explains MAC-based quarantine behavior:

“Isolation means that a quarantined device can communicate only with FortiGate. If the device tries to communicate with any other host on the network, the communication is blocked.”

And it adds:

“In both modes: Intra-VLAN traffic is blocked automatically by FortiGate.”

So to block same-VLAN communication as well, the automation action must use Access Layer Quarantine instead of IP Ban.

Why the other options are incorrect:

B. Incorrect. There is no separate “IP Ban settings to the Quarantine action” correction described in the study guide. The fix is to use the correct automation action type, which is Access Layer Quarantine

C. Incorrect. The IOC has already worked well enough to trigger the stitch. The issue is not IOC detection, but the wrong quarantine action being used, as shown by the behavior and the log/widget evidence.

D. Incorrect. The study guide does not describe a separate setting to “enable intra-VLAN traffic blocking” for Security Fabric quarantine. Instead, intra-VLAN blocking is achieved by using Access Layer Quarantine, not IP Ban

Final verified conclusion:

Because the current behavior matches IP Ban, and same-VLAN traffic is still allowed, the required fix is to replace the IP Ban action with Access Layer Quarantine.

So the correct answer is A.

The correct answer is C.

The key clue is in the port3 interface exhibit: the RADIUSAccounting administrative access option is not enabled.

The LAN Edge 7.6 Architect study guide states:

“First, you must enable RADIUS Accounting in the Administrative Access section on the FortiGate interface where you expect to receive RSSO messages.”

The FortiOS Administration Guide says the same thing more explicitly:

“In the Administrative Access section select the RADIUS Accounting checkbox. This will open listening for port 1813 on this interface. The FortiGate will then be ready to receive RADIUS accounting messages.”

The study guide also explains what those accounting messages contain:

“These messages are sent by RADIUS clients to report user session details such as start time, stop time, interim updates, and other relevant session information.”

So if port3 is the interface used for this communication, but RADIUSAccounting is not enabled on that interface, the accounting records carrying session and usage details are not handled correctly on that interface. That makes C the best answer.

Why the other options are incorrect:

A. Incorrect. If the RADIUS shared password were wrong, RSSO authentication would not be functioning correctly. The study guide says the shared secret must match the one on the RADIUS accounting server

B. Incorrect. set rsso-radius-response enable is recommended so FortiGate sends responses to the accounting sender. Fortinet documentation says this should be enabled because otherwise some RADIUS servers may resend the same accounting message repeatedly, but it does not describe this as the main cause of missing session-detail visibility

D. Incorrect. A mismatch between sso-attribute and the RSSO group’s RADIUS Attribute Value would affect user-to-group matching on FortiGate. But the question says authentication and RSSO activity are already functioning as expected, so this is not the most likely cause

Final verified conclusion:

Because port3 is the interface carrying the RSSO communication and the exhibit shows RADIUSAccounting is not enabled there, the most likely issue is:

C. Misconfigured interface port3

From the exhibits:

The AP profile shows:

SSIDs: Tunnel | Bridge | Manual

The current setting isBridge, not Manual.

WhenBridgeorTunnelis selected, the AP profiledoes NOT automatically broadcast SSIDsunless the corresponding VAPs were explicitly mapped in the AP profile.

FortiManager SSID profiles are created, but unless these are explicitly applied underManual SSIDs selection, the AP will not broadcast any SSID.

Fortinet documentation states:

“To control which SSIDs an AP broadcasts, the AP Profile must have SSIDs set toManual, and the desired SSIDs must be selected.”

Therefore, to make the AP broadcast the intended SSIDs:

✔You must switch the SSIDs setting to Manual, and manually select the SSIDs (CompanyPrinters, Student01, Guest-CorpPort, PSK).

Why the other options are incorrect:

A. Adjust AP profile to avoid mixing bridge/tunnelMixed modes ARE supported. Not the issue.

B. Change platformThe platform (FAP231F) already supports all listed SSIDs.

D. Set transmit power mode to autoPower settings have nothing to do with SSID broadcasting.

From the exhibits:

FortiSwitch Ports viewshows:

port2

Mode: Static

Native VLAN: Students

Allowed VLANs: quarantine.fortilink (quarantine)

NAC policy “Training”:

Switch FortiLink: fortilink

Category:Device

Matching criteria:

MAC Address: 70:88:6b:8c:4b:0e (enabled)

Operating System:Linux(enabled)

Switch Controller Action:

Assign VLAN = Students

Bounce Port = enabled

Design intent:

Device with that MAC + OS Linux, when plugged intoport2, should be dynamically moved to VLANStudentsby the NAC policy.

Why it doesn’t work now

On FortiLink NAC,dynamic NAC decisions only apply on ports whose “Access Mode” is set to NAC:

NAC mode = FortiGate controls theonboarding VLAN, evaluates NAC policies, and then dynamically reassigns the switch port VLAN (access, quarantine, etc.).

Static mode(what we see on port2) means the port just uses its configurednative/allowed VLANs, andno NAC classificationhappens.

Right now:

port2 is astatic access portwith Native VLAN = Students.

The NAC policy exists, butFortiSwitch is not in NAC enforcement mode on that port, so the policy is never evaluated for traffic on port2.

Therefore, themissing configurationis:

Setport2toNAC mode(sometimes called “Access mode: NAC” or “NAC LAN edge port”).

Once port2 is changed to NAC mode:

Device initially lands in the onboarding/quarantine VLAN.

FortiGate collects device info (MAC, OS, etc.).

NAC policy “Training” matches MAC + Linux.

Switch controller actionAssign VLAN = Studentsis applied.

Port is bounced (if configured), bringing the device back up in VLAN Students.

Why the other options are wrong

B. MAC or OS misconfigured

Possible in general, but the question asks forwhich configuration is missing, and the exhibits clearly focus on port mode. Also, even with wrong MAC/OS, the port would still be in NAC mode; here NAC isn’t even active.

C. Port Policy mode

Port policy (edge/trunk) is separate from NAC; NAC requires the specificNAC access mode.

D. Students VLAN should be Allowed VLANs instead of Native VLAN

For an access port, having Students as thenative VLANis correct. NAC policy’s Assign VLAN will set that as access VLAN; no need to make it an allowed trunk VLAN.

When FortiAuthenticator is used as anFSSO agentbased onsyslog, it must:

Parse incoming syslog messagesfrom devices (firewalls, WLAN controllers, VPN concentrators, etc.).

Extract identity fieldssuch as:

Username

IP address

Login/logout event indicators

Syslogmatching ruleson FortiAuthenticator define:

Which syslog messages are relevant (by facility, message pattern, or regex).

How to capture specific fields (username, IP, group, event type).

FortiAuthenticator then uses this parsed data toinject logon sessions into FSSO, so FortiGate can apply identity-based policies.

Thus, the role of syslog matching rules is exactly as described inC.

A: Group mapping is handled separately via directory groups / FSSO config, not directly by matching rules.

B: Enforcement of authentication policies is done on FortiGate, not directly by the matching rules.

D: While irrelevant logs can be ignored via rules, the primary purpose isparsing and extraction, not generic filtering.

Goal: enforce captive portal authentication overHTTPSfor guests.

On FortiGate/FortiAuthenticator captive portal setups:

HTTP redirectis used so that when a guest browses to any HTTP site, their request is redirected to theportal URL.

Theportal URLitself must beHTTPSif you want a secure login page.

FortiOS captive portal and firewall authentication guidelines recommend:

EnablingHTTP redirectso unauthenticated HTTP traffic is transparently sent to the portal.

Configuring theportal URL with HTTPS, often referencing a certificate on FortiGate or FortiAuthenticator.

Therefore:

A. Enable HTTP redirect in the user authentication settings.✔This ensures unauthenticated HTTP requests are redirected to the (now HTTPS) portal.

D. Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator.✔This makes the login itself secure (TLS-protected).

Incorrect:

B– You don’t need a new SSID; the same SSID can use HTTPS portal.

C– Disabling HTTP admin access on the SSID doesn’t control the captive portal scheme; HTTPS enforcement is done by the portal configuration and redirect, not by admin-access flags.

In a LAN Edge deployment:

FortiSwitch is managedthrough FortiGate via FortiLink.

FortiAIOps integrates withFortiGateas the single managed device; from there it gains visibility intoall Fabric and LAN-edge devices(FortiSwitch, FortiAP) that are registered to that FortiGate.

Once the FortiGate is successfully added to FortiAIOps (as shown in the exhibit, statusOnline / Successfully Discovered), all FortiSwitches managed by that FortiGate are:

Discovered automatically through the FortiGate–FortiAIOps connection

Shown under the appropriate inventory / switch views withno separate onboarding stepfor each switch.

This is why no extra IP, serial number, or credential entry is required for FortiSwitch.

So:

AandBsuggest manual per-switch onboarding, which is not how FortiAIOps works with LAN Edge.

Dsimilarly assumes direct FortiSwitch management, but FortiAIOps talks toFortiGate, not the switch.

Therefore the correct behavior is that theFortiSwitch is added automatically (C)once its managing FortiGate is connected to FortiAIOps.

From the FortiManager NAC policy:

Category =Device

Match criteria includeMAC addressandOperating System = Linux

Action =Assign VLAN “Students”

From the FortiGate CLI:

diagnose switch-controller switch-info mac-table ...

MAC: 70:88:6b:8c:4a:ce VLAN: 4089 Port: port2

diagnose switch-controller mac-device mac onboarding

VLAN 4089 MAC 70:88:6b:8c:4a:ce

So the device is stuck inVLAN 4089, which is theonboarding VLAN. No NAC policy is matched.

For a NAC policy to match, FortiGate needsdevice-identity information, which comes fromdevice detection on the VLAN / FortiLink interfaceplus theattributes that the policy expects(OS, MAC, etc.).

A. Device detection is not enabled on VLAN 4089.

If device detection is disabled on the interface/VLAN where the endpoint lives, FortiGate cannot learn OS / device info.

Without this, the NAC engine cannot compare against the NAC policy (which relies on OS and other attributes), so the device remains in the onboarding VLAN.✅This is a valid root cause.

B. The device operating system detected by FortiGate is not Linux.

The NAC policy explicitly requiresOperating System = Linux.

If the endpoint is actually Windows/macOS, or the OS fingerprint is still “Unknown”, the policy will never match, and the device stays in onboarding.✅Also a valid reason.

C. Management communication between FortiGate and FortiSwitch is down.

CLI output (switch-info mac-table and mac-device) proves FortiGate is talking to the switch and sees MAC/VLAN/port information.❌Not a valid reason.

D. The MAC address configured on the NAC policy is incorrect.

The exhibits show the MAC in the NAC policy matches the MAC appearing in the MAC table.❌Not the cause here.

Analysis of the VAP Configuration (Image 1): The VAP named " Corporate " has set vlan-pooling wtp-group, which maps directly to the Managed AP Group VLAN pooling method. The study guide states: " The Managed AP Group load balance method assigns VLANs from pools based on AP location. " This means VLAN assignment is NOT load-balanced (no round-robin or hash) — instead, it is determined by which WTP (Wireless Termination Point) group the AP physically belongs to:

APs in wtp-group " Floor_1 " → assigned VLAN 101 (Corp.101)

APs in wtp-group " Office " → assigned VLAN 102 (Corp.102)

Why C is CORRECT: From Image 2, the interface Corp.101 (VLAN 101 — assigned to the Floor_1 AP group) shows an IP address of 0.0.0.0/0.0.0.0, meaning no IP address or DHCP server is configured on that interface. Therefore, clients connecting to APs in the Floor_1 group will be placed on VLAN 101 but will not be able to obtain an IP address — confirming option C.

Why D is CORRECT: The VAP configuration explicitly maps wtp-group " Office " to VLAN 102. The study guide confirms that with the Managed AP Group method, VLANs are assigned based on AP group membership. APs belonging to the " Office " group will have all their clients assigned to VLAN 102 (Corp.102), which has a configured IP of 10.0.20.1/255.255.255.0 — confirming option D.

Why the other options are wrong:

A is incorrect — The wtp-group pooling method does not load balance; it assigns VLANs based on AP group location. Round-robin or hash would be needed for load balancing. Additionally, the subnet 10.0.3.0/24 does not exist anywhere in either exhibit.

B is incorrect — Corp.zone contains both Corp.101 and Corp.102. Since Corp.101 has no IP configured (0.0.0.0/0.0.0.0), clients on Floor_1 APs (VLAN 101) will not receive any IP address, let alone one from the 10.0.20.0/24 subnet. Only Corp.102 clients (Office group) receive addresses from 10.0.20.0/24.

The problem states:

FortiGate receivesRADIUS accounting messagesonport3.

User-Nameattribute contains the username.

Classattribute contains the group membership.

Goal: authenticate users through RSSO and map them to the correct user groups.

To achieve this, three critical components must be configured:

✔A. RADIUS Attribute Value in the RSSO group must match the Class attribute

This is mandatory because:

RSSO user groups on FortiGate match users based onthe value inside the RADIUS attribute(usually Class).

For group assignment to work, FortiGate must compare:

RSSO User Group → RADIUS Class Attribute Value

This isexactly how FortiGate maps RSSO users to groups.

✔D. RSSO agent’s sso-attribute must be set to Class

Thesso-attributedefineswhich RADIUS attribute contains the group information.

Because group membership is carried in:

➡Class attribute

You must configure:

config user radius

set sso-attribute Class

end

This tells FortiGate:

" Use the Class attribute to derive user group membership. "

✔E. rsso-endpoint-attribute must be set to User-Name

This identifieswhich RADIUS attributecarries the actualusername.

In this scenario:

RADIUS accounting messages contain the username inUser-Name.

So the correct setting is:

config user radius

set rsso-endpoint-attribute User-Name

end

This ensures the RSSO user object uses the correct username.

❌Incorrect Options Explained

B. Assign RSSO user groups to all firewall policies

Not required.

You only assign them to policies where RSSO authentication is used.

C. Device detection and Security Fabric Connection should be enabled on port3

Totally irrelevant to RSSO.

RSSO only needs RADIUS accounting, not device detection or Fabric services.