Free Fortinet FCSS_LED_AR-7.6 Practice Exam with Questions & Answers

This question combines two FortiAP behaviors shown in the study guide:

AP handoff for load balancing

Frequency handoff for band steering to 5 GHz

From the WTP profile in the exhibit:

set handoff-rssi 30

set handoff-sta-thresh 30

The LAN Edge 7.6 Architect study guide explains AP handoff like this:

“If the number of clients is already at the defined threshold, new clients will be redirected to join the least busy nearby AP.” It also states: “The handoff-sta-thresh parameter defines the threshold value that triggers the handoff protocol for new clients.”

So, because the first AP 5 GHz radio already has 32 clients, it is above the threshold of 30, meaning AP handoff can be considered.

However, the same extract adds an important condition:

“The handoff-rssi threshold defined in the AP profile applies when a handed-off client tries to connect to the second AP. The client ' s signal strength must be equal to or greater than the defined RSSI value on the new AP.”

The second AP measures the client at -43 dBm. Based on the configured handoff RSSI threshold of 30, the second AP does not satisfy the required signal condition for the handoff target, so FortiGate does not redirect the client there.

Now consider band selection. The study guide explains frequency handoff:

“Frequency handoff is a band steering technique that FortiGate uses to encourage clients to use the 5 GHz frequency instead of the 2.4 GHz.”

It also says:

“When a client tries to connect, FortiGate checks whether it can support 5 GHz and, if so, how good the signals are. If a client supports the 5 GHz frequency and the signal is strong enough to connect, FortiGate ignores the client’s requests to join the network on 2.4 GHz until the request times out. The client will then automatically try to join the same network using 5 GHz.”

Because the client is dual-band capable and the first AP sees it at a very strong -33 dBm, FortiGate will steer it to 5 GHz on the first AP.

Why the other options are incorrect:

A. Incorrect. The study guide says frequency handoff encourages dual-band clients to use 5 GHz instead of 2.4 GHz when the 5 GHz signal is strong enough

C. Incorrect. Even though the second AP 5 GHz radio has fewer clients, AP handoff only occurs if the target AP meets the configured handoff RSSI requirement. The study guide explicitly makes that a condition

D. Incorrect. 2.4 GHz is not preferred here. The study guide specifically says FortiGate uses frequency handoff to encourage 5 GHz for dual-band-capable clients

Final verified conclusion:

The client will associate with the first AP 5 GHz radio because:

the client is dual-band capable

FortiGate prefers 5 GHz through frequency handoff

the first AP has the stronger signal at -33 dBm

the second AP does not qualify as the handoff target under the configured handoff RSSI condition

The DHCP configuration shows:

set vci-match enable

set vci-string " FortiSwitch " " FortiExtender "

What this means

VCI = Vendor Class Identifier (DHCP option 60)

When vci-match is enabled, the DHCP server will only respond to DHCP requests from clients whose VCI string matches the configured vendor identifiers.

FortiSwitch and FortiExtender both send DHCP option 60 with:

" FortiSwitch "

" FortiExtender "

This is used in FortiLink deployments so only these devices receive IP addresses on the FortiLink network.

Therefore:

C. To connect, devices must match the VCI string; otherwise, they will not receive an IP address.

✔Correct.

This perfectly matches FortiGate FortiLink DHCP behavior.

Summary of incorrect options

A — Ignore FortiSwitch/FortiExtender

❌Opposite behavior.

B — Restrict based on hostname

❌VCI does NOT check hostname.

D — Reserve IPs

❌No reservation occurs; it ' s filtering, not reserving.

Context: You’re troubleshootingSyslog-based SSOonFortiAuthenticator:

Devices (typically firewalls, WLAN controllers, VPN gateways) sendsyslog messagescontaining usernames, IPs, login/logout events.

FortiAuthenticator parses those logs usingSyslog SSO rulesand injects logon sessions intoFSSOfor FortiGate.

When users are not mapping correctly, you need to see:

Did the syslog message arrive?

Which matching rule (if any) caught it?

What username and IP were extracted?

Why was a message ignored or rejected?

FortiAuthenticator has a dedicated debug area for this:

Debug logs → Single Sign-On → Syslog SSO

This view shows:

Raw syslog lines received

Thematching ruleapplied (or “no match”)

Parsed fields (username, IP, group)

Any parsing errors

This is exactly the tool designed totroubleshoot and diagnose Syslog SSO issues.

Why the other options are not the best for this issue

A. Debug logs > Remote Servers > Syslog Viewer

Lets you see syslog traffic in general, but doesnotshow how SSO rules are applied or why they fail. Good for connectivity checks, not SSO logic.

B. Parsing Test Tool

Useful totestpatterns and rules manually by pasting sample log lines, but it doesn’t show live traffic or running SSO sessions.

C. Debug logs > SSO Sessions page

Shows existing SSO sessions (who is logged in), but notwhya particular syslog message did not create a session.

When a FortiGate is deployed usingZero Touch Provisioning (ZTP)or auto-discovery:

FortiGate retrieves theFortiManager IP address(from DHCP Option 240, FortiCloud/ZTNA provisioning, or manual set).

The next step isnot UI authorizationor DHCP changes—it immediately attempts to form aFGFM (FortiGate–FortiManager) tunnel.

The FGFM protocol usesTCP port 541to establish a secure management channel.

FortiManager will still require manual authorization of the deviceinside FortiManager, but this occursafterthe tunnel is established.

Therefore, the first automatic action after retrieving the FMG address iscreating the secure FGFM tunnel on TCP/541.

The correct answer is A.

The LAN Edge 7.6 Architect study guide explicitly explains the difference between the two quarantine actions:

“IP ban: Traffic from the compromised device IP address is blocked on FortiGate, but intra-VLAN traffic is still allowed.”

It also states:

“Access-layer quarantine: Inter-VLAN and intra-VLAN traffic from the compromised device MAC address is blocked using FortiGate and FortiSwitch.”

That exactly matches the symptom in the question. The device has lost internet and inter-VLAN access, but it can still communicate with devices in the same VLAN. That behavior is the expected result of an IP Ban action, not full access-layer quarantine.

The study guide further explains MAC-based quarantine behavior:

“Isolation means that a quarantined device can communicate only with FortiGate. If the device tries to communicate with any other host on the network, the communication is blocked.”

And it adds:

“In both modes: Intra-VLAN traffic is blocked automatically by FortiGate.”

So to block same-VLAN communication as well, the automation action must use Access Layer Quarantine instead of IP Ban.

Why the other options are incorrect:

B. Incorrect. There is no separate “IP Ban settings to the Quarantine action” correction described in the study guide. The fix is to use the correct automation action type, which is Access Layer Quarantine

C. Incorrect. The IOC has already worked well enough to trigger the stitch. The issue is not IOC detection, but the wrong quarantine action being used, as shown by the behavior and the log/widget evidence.

D. Incorrect. The study guide does not describe a separate setting to “enable intra-VLAN traffic blocking” for Security Fabric quarantine. Instead, intra-VLAN blocking is achieved by using Access Layer Quarantine, not IP Ban

Final verified conclusion:

Because the current behavior matches IP Ban, and same-VLAN traffic is still allowed, the required fix is to replace the IP Ban action with Access Layer Quarantine.

So the correct answer is A.

From the exhibit, LDAP on FortiGate is correctly configured and tested:

diagnose test authserver ldap FAC-LDAP wifi101 password

authenticate ' wifi101 ' against ' FAC-LDAP ' succeeded!

Group membership(s) - CN=Domain Users,...

So:

LDAP connectivity works

Bind DN, DN, CNID, and credentials are correct(so optionCis eliminated).

Firewall policies do not affect the802.1X / Wi-Fi authentication stepitself, soAis not the root cause.

Nothing in the scenario indicates that AD is enforcing LDAPS-only; the LDAP test already succeeds using the configured parameters, soBis also excluded.

The Wi-Fi supplicant is configured forPEAP with inner authentication = MSCHAPv2.

MSCHAPv2 is achallenge–response mechanism designed for RADIUS, not for LDAP simple bind. FortiGate’s LDAP implementation uses asimple bind (username/password) over LDAP or LDAPS, and it doesnotimplement MSCHAPv2 against LDAP backends.

In Fortinet’s design, if you needPEAP-MSCHAPv2 with Active Directory, you must use:

ARADIUS server(such as Windows NPS or FortiAuthenticator), and

Have FortiGate use RADIUS,notLDAP, as the authentication backend for 802.1X / Wi-Fi users.

Because FortiGate cannot process MSCHAPv2 exchanges directly against an LDAP server, authentication fails when the inner method is MSCHAPv2, even though LDAP works when tested with a simple bind from the CLI.

Observed behavior:

Devices in the VLANcan ping FortiGate→ gateway reachability OK.

FortiGatecan ping devicesin that VLAN → return path OK.

Inter-VLAN routingworks → FortiGate’s L3 and policies are fine.

Devices in the same VLAN cannot ping each other→ problem is on theL2 switching plane, not L3.

On FortiSwitch (managed by FortiGate), there is a feature calledAccess VLAN(sometimes described in NAC/dynamic segmentation context):

WhenAccess VLANis enabled on a VLAN, the switchdoes not perform normal L2 forwardingbetween hosts in that VLAN.

Instead, all traffic from endpoints in that VLAN isforced upstream to FortiGate, as if every frame were destined for the gateway.

This is used for designs where you wantall intra-VLAN traffic inspected by the firewall, implementing micro-segmentation.

Resulting behavior:

Host → FortiGate: works (frames are forwarded to FortiGate).

FortiGate → Host: works (routed back).

Host A → Host B (same VLAN):

Frame from A goes to FortiGate.

FortiGate seessource and destination in same subnet; depending on policy, it may drop or not have a policy allowing that traffic.

Even if allowed, certain designs still break pure L2 expectations.

In the exam scenario, the key point is:

IfAccess VLAN is enabled,local L2 communication within that VLAN is disabled, so hosts in the same VLAN cannot communicate directly.

That perfectly explains:

Same VLAN hosts can’t ping each other

But they can both reach FortiGate and beyond

Why the other options are less likely / incorrect

B. FortiSwitch MAC address table is missing entries

If MAC table were empty/bad,nothingin that VLAN would work properly, including pinging FortiGate.

C. FortiGate ARP table is missing entries

Then FortiGate couldn’t ping the devices either; but it can.

D. Native VLAN misconfigured on ports

That would affect connectivity to FortiGate too, not only host-to-host.

The problem states:

FortiGate receivesRADIUS accounting messagesonport3.

User-Nameattribute contains the username.

Classattribute contains the group membership.

Goal: authenticate users through RSSO and map them to the correct user groups.

To achieve this, three critical components must be configured:

✔A. RADIUS Attribute Value in the RSSO group must match the Class attribute

This is mandatory because:

RSSO user groups on FortiGate match users based onthe value inside the RADIUS attribute(usually Class).

For group assignment to work, FortiGate must compare:

RSSO User Group → RADIUS Class Attribute Value

This isexactly how FortiGate maps RSSO users to groups.

✔D. RSSO agent’s sso-attribute must be set to Class

Thesso-attributedefineswhich RADIUS attribute contains the group information.

Because group membership is carried in:

➡Class attribute

You must configure:

config user radius

set sso-attribute Class

end

This tells FortiGate:

" Use the Class attribute to derive user group membership. "

✔E. rsso-endpoint-attribute must be set to User-Name

This identifieswhich RADIUS attributecarries the actualusername.

In this scenario:

RADIUS accounting messages contain the username inUser-Name.

So the correct setting is:

config user radius

set rsso-endpoint-attribute User-Name

end

This ensures the RSSO user object uses the correct username.

❌Incorrect Options Explained

B. Assign RSSO user groups to all firewall policies

Not required.

You only assign them to policies where RSSO authentication is used.

C. Device detection and Security Fabric Connection should be enabled on port3

Totally irrelevant to RSSO.

RSSO only needs RADIUS accounting, not device detection or Fabric services.

The correct answer is D.

The LAN Edge 7.6 Architect study guide states: “Note that suppression of rogue APs is becoming increasingly more difficult, because new wireless security standards are beginning to mandate management frame protection (802.11w). This requires that clients authenticate management frames as being legitimate, preventing spoofing attacks. Because rogue suppression is a form of spoofing attack, an AP that the client is not connected to is trying to send deauthentication frames and, as a result, 802.11w prevents the client from taking notice of the dedicated monitoring AP.”

This exactly matches option D. Rogue AP suppression relies on spoofed deauthentication behavior, and 802.11w protects management frames, making that suppression method less effective.

Why the other options are incorrect:

A. Incorrect. The study guide does not say 802.11w makes suppression harder because of processing overhead. It specifically points to management frame protection and spoofing prevention

B. Incorrect. The study guide does not mention reduced wireless range as the reason.

C. Incorrect. The issue is not data traffic encryption. The study guide specifically refers to authentication of management frames, not general traffic encryption

The LAN Edge 7.6 Architect Study Guide defines exactly four captive portal types in the " Captive Portal Types " section:

" There are four types of captive portals that you can enable on an interface: Authentication, Disclaimer + Authentication, Disclaimer Only, and Email Collection. "

The guide further describes each:

Authentication — " Authentication type captive portals request users to authenticate before they are allowed access to the network. " This requires a login, satisfying the tracking requirement.

Disclaimer + Authentication — " Disclaimer + Authentication captive portals present users with a disclaimer page and an authentication page. The user must accept a disclaimer and authenticate successfully in order to get network access. " This also requires a login, satisfying the tracking requirement.

Disclaimer Only — Users accept a disclaimer but do NOT authenticate. No login required.

Email Collection — Users provide an email address only; no username/password authentication.

Since the requirement is specifically to require visitors to log in for tracking purposes, only the two types that enforce login credentials qualify: Authentication (E) and Disclaimer + Authentication (C).

Why the other options are wrong:

A is incorrect — " Terms Acknowledgment Without Authentication " does not exist as a captive portal type in FortiOS. This matches Disclaimer Only, which does NOT require login.

B is incorrect — " Email Notification Only " is not one of the four captive portal types. The study guide names it " Email Collection " — and even that only collects an email address, not a full login credential.

D is incorrect — " Guest Pass Access " is not listed as a captive portal type in the LAN Edge 7.6 study guide. It is not one of the four defined types.

???? Typing Error Corrections Made: " racking purposes " in the original question corrected to " tracking purposes. "