FCSS_LED_AR-7.6 Fortinet NSE 6 - LAN Edge 7.6 Architect Free Practice Exam Questions (2026 Updated)

In this design, FortiAuthenticator receivesRADIUS accounting (RSSO) messages, looks up the user in LDAP to get group information, theninjects FSSO logon eventstoward all FortiGate devices.

From the exhibits we know:

FortiAuthenticatoris receiving RADIUS accountingfrom the RADIUS server.

LDAP queries are successful and return group membership.

But FortiGatedoes not receive FSSO logons, so identity-based policies are not applied.

For FortiAuthenticator to create an FSSO logon, the RADIUS accounting record must be correctlyparsed into at least:

Username

Client IP address

These are mapped from the RADIUS attributes in theRADIUS Accounting SSO clientconfiguration (for example, User-Name and Framed-IP-Address). If these are not defined or mapped incorrectly, FortiAuthenticator can see the accounting packet butcannot build a valid FSSO session, so no update is sent to FortiGate.

Thus the most likely root cause is:

✔The RADIUS Username and Client IPv4 attributes are not correctly definedfor that RADIUS Accounting SSO client (optionA).

Other options conflict with the scenario:

B– LDAP is already successfully returning groups.

C– FSSO user group attribute is separate; even without it, FSSO logons would still be created (just without group mapping).

D– The interfaceisreceiving RADIUS accounting, so it is clearly enabled.

Observed behavior:

Devices in the VLANcan ping FortiGate→ gateway reachability OK.

FortiGatecan ping devicesin that VLAN → return path OK.

Inter-VLAN routingworks → FortiGate’s L3 and policies are fine.

Devices in the same VLAN cannot ping each other→ problem is on theL2 switching plane, not L3.

On FortiSwitch (managed by FortiGate), there is a feature calledAccess VLAN(sometimes described in NAC/dynamic segmentation context):

WhenAccess VLANis enabled on a VLAN, the switchdoes not perform normal L2 forwardingbetween hosts in that VLAN.

Instead, all traffic from endpoints in that VLAN isforced upstream to FortiGate, as if every frame were destined for the gateway.

This is used for designs where you wantall intra-VLAN traffic inspected by the firewall, implementing micro-segmentation.

Resulting behavior:

Host → FortiGate: works (frames are forwarded to FortiGate).

FortiGate → Host: works (routed back).

Host A → Host B (same VLAN):

Frame from A goes to FortiGate.

FortiGate seessource and destination in same subnet; depending on policy, it may drop or not have a policy allowing that traffic.

Even if allowed, certain designs still break pure L2 expectations.

In the exam scenario, the key point is:

IfAccess VLAN is enabled,local L2 communication within that VLAN is disabled, so hosts in the same VLAN cannot communicate directly.

That perfectly explains:

Same VLAN hosts can’t ping each other

But they can both reach FortiGate and beyond

Why the other options are less likely / incorrect

B. FortiSwitch MAC address table is missing entries

If MAC table were empty/bad,nothingin that VLAN would work properly, including pinging FortiGate.

C. FortiGate ARP table is missing entries

Then FortiGate couldn’t ping the devices either; but it can.

D. Native VLAN misconfigured on ports

That would affect connectivity to FortiGate too, not only host-to-host.

From the exhibit, LDAP on FortiGate is correctly configured and tested:

diagnose test authserver ldap FAC-LDAP wifi101 password

authenticate ' wifi101 ' against ' FAC-LDAP ' succeeded!

Group membership(s) - CN=Domain Users,...

So:

LDAP connectivity works

Bind DN, DN, CNID, and credentials are correct(so optionCis eliminated).

Firewall policies do not affect the802.1X / Wi-Fi authentication stepitself, soAis not the root cause.

Nothing in the scenario indicates that AD is enforcing LDAPS-only; the LDAP test already succeeds using the configured parameters, soBis also excluded.

The Wi-Fi supplicant is configured forPEAP with inner authentication = MSCHAPv2.

MSCHAPv2 is achallenge–response mechanism designed for RADIUS, not for LDAP simple bind. FortiGate’s LDAP implementation uses asimple bind (username/password) over LDAP or LDAPS, and it doesnotimplement MSCHAPv2 against LDAP backends.

In Fortinet’s design, if you needPEAP-MSCHAPv2 with Active Directory, you must use:

ARADIUS server(such as Windows NPS or FortiAuthenticator), and

Have FortiGate use RADIUS,notLDAP, as the authentication backend for 802.1X / Wi-Fi users.

Because FortiGate cannot process MSCHAPv2 exchanges directly against an LDAP server, authentication fails when the inner method is MSCHAPv2, even though LDAP works when tested with a simple bind from the CLI.

The FortiOS documentation explicitly states that a CSR used for certificate signing must contain accurate and valid fields, especially:

Common Name (CN)

Organization (O)

Country (C)

Public key parameters

According to the FortiGate certificate section:

Incorrect CSR field information can cause the CA to reject the request.

Reasons include:

The CA validates identity and organizational information.

Missing or malformed data invalidates PKI requirements.

The CSR is not corrected automatically by the CA.

Therefore:

✔A is correct.

Options B–D contradict PKI principles:

B is false: CAs do not issue certificates with mismatched identity fields for public trust.

C is false: CSR fields are not only for internal use; they define certificate identity.

D is false: CAs do not auto-correct CSR fields.

The correct answers are A and B.

The LAN Edge 7.6 Architect study guide explains that when LDAP is the back-end server, CHAP, MS-CHAP, and MS-CHAPv2 do not work because the client sends a one-way password hash, while LDAP expects the actual password:

“If FortiGate is configured to authenticate clients using a remote LDAP server, VPN and wireless clients using CHAP schemes are not able to authenticate... The reason is that during CHAP, MS-CHAP, and MS-CHAPv2 authentication, a client sends a one-way hash of the password. However, the LDAP server, which is on the back end, is expecting the password itself.”

The same study guide then gives the two valid solutions:

“Two possible methods that you can use to solve the CHAP and LDAP problem are:”

“Use RADIUS: Change your back-end server from LDAP to RADIUS.”

and

“If you are using Windows AD as your LDAP server, an alternative is to use FortiAuthenticator as an authentication proxy... You must also configure FortiAuthenticator to log in to the Windows domain using the credentials of a Windows administrator. This adds FortiAuthenticator as a trusted device on the Windows AD domain, allowing FortiAuthenticator to proxy the password hash from the client to the Windows server, using NTLM.”

That directly matches:

A. Enable Windows Active Directory domain authentication on FortiAuthenticator.

B. Configure FortiAuthenticator to use RADIUS instead of LDAP as the back-end authentication server.

The study guide also states this explicitly in the FortiAuthenticator LDAP configuration section:

“If you want FortiAuthenticator to relay CHAP, MS-CHAP, and MS-CHAPv2 authentication to a Windows AD server, you must enable Windows Active Directory Domain Authentication and enter the credentials for a Windows administrator.”

And it separately confirms RADIUS as another supported back-end proxy model:

“You can configure FortiAuthenticator to connect to existing RADIUS servers... If the local user database is not used, FortiAuthenticator proxies RADIUS authentication requests.”

Why the other options are incorrect:

C. Incorrect. RADIUS attribute filtering does not solve the CHAP/MS-CHAPv2 versus LDAP hash problem. The issue is the back-end authentication method, not attribute filtering.

D. Incorrect. Changing from MS-CHAPv2 to CHAP does not fix it, because the study guide says the same limitation applies to CHAP, MS-CHAP, and MS-CHAPv2 when LDAP is the back end

Final verified conclusion:

To enable MS-CHAPv2 authentication in this scenario, the two valid solutions are:

A. Enable Windows Active Directory domain authentication on FortiAuthenticator.

B. Configure FortiAuthenticator to use RADIUS instead of LDAP as the back-end authentication server.

The correct answers are A and E.

The LAN Edge 7.6 Architect study guide explicitly states that guest portals on FortiAuthenticator support social login:

“The guest portal ... provides user account and pre-login services ... Social login option”

More importantly, in the portal policy configuration, the guide states:

“The social user login option allows users to authenticate using third-party single sign-on (SSO) services such as Facebook, LinkedIn, and so on. You must configure social login profiles to use this method.”

That directly proves E is required.

The same exact extract also says:

“If you have enabled social users as an authentication type, you will select the social platforms that will be available for user authentication. The options are Facebook, Google, Twitter, Linkedin, Phone number, and Email. For each option, other than phone number and email, you will need to configured a remote open authorization (OAuth) server.”

That directly proves A is required.

Why the other options are incorrect:

B. Incorrect. The study guide explicitly says social login is supported in the guest portal, so it is false to say social media login cannot be used with captive portals

C. Incorrect. Account Login is a different authentication method. The guide says: “Account login means that user credentials are provided by the FortiAuthenticator internal database or remote authentication server.” That is for standard account-based login, not required for social login

D. Incorrect. FortiAuthenticator internal database can be used for account login, but the question asks specifically for visitors authenticating with existing social media accounts. That uses social login profiles and OAuth servers, not the internal database as the primary source

Final verified conclusion:

To enable captive portal authentication using social media accounts, you must:

configure social login profiles

configure a remote OAuth server for each selected social platform

So the correct answers are A and E.

When FortiAuthenticator is used as anFSSO agentbased onsyslog, it must:

Parse incoming syslog messagesfrom devices (firewalls, WLAN controllers, VPN concentrators, etc.).

Extract identity fieldssuch as:

Username

IP address

Login/logout event indicators

Syslogmatching ruleson FortiAuthenticator define:

Which syslog messages are relevant (by facility, message pattern, or regex).

How to capture specific fields (username, IP, group, event type).

FortiAuthenticator then uses this parsed data toinject logon sessions into FSSO, so FortiGate can apply identity-based policies.

Thus, the role of syslog matching rules is exactly as described inC.

A: Group mapping is handled separately via directory groups / FSSO config, not directly by matching rules.

B: Enforcement of authentication policies is done on FortiGate, not directly by the matching rules.

D: While irrelevant logs can be ignored via rules, the primary purpose isparsing and extraction, not generic filtering.

Analysis of the VAP Configuration (Image 1): The VAP named " Corporate " has set vlan-pooling wtp-group, which maps directly to the Managed AP Group VLAN pooling method. The study guide states: " The Managed AP Group load balance method assigns VLANs from pools based on AP location. " This means VLAN assignment is NOT load-balanced (no round-robin or hash) — instead, it is determined by which WTP (Wireless Termination Point) group the AP physically belongs to:

APs in wtp-group " Floor_1 " → assigned VLAN 101 (Corp.101)

APs in wtp-group " Office " → assigned VLAN 102 (Corp.102)

Why C is CORRECT: From Image 2, the interface Corp.101 (VLAN 101 — assigned to the Floor_1 AP group) shows an IP address of 0.0.0.0/0.0.0.0, meaning no IP address or DHCP server is configured on that interface. Therefore, clients connecting to APs in the Floor_1 group will be placed on VLAN 101 but will not be able to obtain an IP address — confirming option C.

Why D is CORRECT: The VAP configuration explicitly maps wtp-group " Office " to VLAN 102. The study guide confirms that with the Managed AP Group method, VLANs are assigned based on AP group membership. APs belonging to the " Office " group will have all their clients assigned to VLAN 102 (Corp.102), which has a configured IP of 10.0.20.1/255.255.255.0 — confirming option D.

Why the other options are wrong:

A is incorrect — The wtp-group pooling method does not load balance; it assigns VLANs based on AP group location. Round-robin or hash would be needed for load balancing. Additionally, the subnet 10.0.3.0/24 does not exist anywhere in either exhibit.

B is incorrect — Corp.zone contains both Corp.101 and Corp.102. Since Corp.101 has no IP configured (0.0.0.0/0.0.0.0), clients on Floor_1 APs (VLAN 101) will not receive any IP address, let alone one from the 10.0.20.0/24 subnet. Only Corp.102 clients (Office group) receive addresses from 10.0.20.0/24.

In an SD-Branch deployment (FortiGate + FortiSwitch + FortiAP),FortiAIOps:

Collects telemetry and logs from Fabric devices

Usesmachine-learning / AI analyticsto:

Spot anomalies (latency, packet loss, RF issues, misconfigurations)

Highlight root causes

Proposeoptimization recommendations(e.g., channel changes, power tuning, config fixes)

It doesnot:

Automatically disable devices (Afalse)

Replace SD-WAN config or all routing (Cfalse)

Fixallissues with zero human input (Dis marketing fantasy, not reality)

The correct answer is D.

The LAN Edge 7.6 Architect study guide explains that when using an external captive portal, configuring the portal URL and exempt destinations on the SSID is not enough by itself. FortiGate must also have a matching firewall policy that allows the unauthenticated client traffic path to the external portal.

The guide states: “If you are using an external captive portal server, you must configure a firewall policy and exempt web traffic to the external captive portal IP address.”

It also states: “Just selecting and applying the address object and selecting the services is not enough to allow the traffic to pass through FortiGate. You must also have a corresponding firewall policy in place that allows the pinhole traffic to pass through FortiGate.”

In the exhibit, the SSID already includes FortiAuthenticator and WindowsAD as exempt destinations/services, so option C is already configured. However, the wireless clients are connecting through the AP on port4, and the visible firewall policy shown is from the guest SSID interface to port1 for internet access. There is no policy shown that permits the required pre-authentication traffic path from the wireless side toward the external portal resources through the relevant source path. Therefore, the missing fix is the firewall policy using port4 as source.

Why the other options are incorrect:

A. Incorrect. External captive portal authentication is designed to work with an open SSID plus captive portal. WPA2-Enterprise is a different authentication model and is not required here

B. Incorrect. The study guide does not identify NAT on that policy as the reason users cannot reach the external captive portal login page. The key requirement is the exempt/pinhole firewall policy, not NAT behavior

C. Incorrect. Those address objects are already present in the SSID configuration under exempt destinations/services, so this is not the missing change.

Final verified conclusion:

Because the exempt destinations are already configured, the missing requirement is the corresponding firewall policy permitting the captive portal pinhole traffic from the wireless source path.

So the correct answer is D.

The DHCP configuration shows:

set vci-match enable

set vci-string " FortiSwitch " " FortiExtender "

What this means

VCI = Vendor Class Identifier (DHCP option 60)

When vci-match is enabled, the DHCP server will only respond to DHCP requests from clients whose VCI string matches the configured vendor identifiers.

FortiSwitch and FortiExtender both send DHCP option 60 with:

" FortiSwitch "

" FortiExtender "

This is used in FortiLink deployments so only these devices receive IP addresses on the FortiLink network.

Therefore:

C. To connect, devices must match the VCI string; otherwise, they will not receive an IP address.

✔Correct.

This perfectly matches FortiGate FortiLink DHCP behavior.

Summary of incorrect options

A — Ignore FortiSwitch/FortiExtender

❌Opposite behavior.

B — Restrict based on hostname

❌VCI does NOT check hostname.

D — Reserve IPs

❌No reservation occurs; it ' s filtering, not reserving.

In FortiGate captive portal workflows (local or external):

Client connects to SSID / interface that has captive portal enabled.

Client makes an HTTP/HTTPS request.

FortiGate intercepts and redirects to alogin page(local or external URL).

The portal form is submitted viaPOSTback to FortiGate.

To prevent tampering and to tie the POST back to thecorrect user session, FortiGate includes a special hidden parameter in the redirect and expects it in the POST:

The parameter is namedmagic.

The magic value:

Is aunique tokengenerated per captive-portal session.

Encodes/session-links the user’s IP, interface, and session info.

Allows FortiGate to ensure that:

The POST comes from the user who initiated the original request.

The request is not a random or replayed submission.

When troubleshooting:

If the external portal does notpreserve and resendthe magic parameter back to FortiGate exactly as received, authentication fails, and you’ll see errors like “session not found” or “invalid magic”.

Why the other fields are not used for this purpose

A. username– Just the login ID; multiple users can use the same username from different locations, so it can’t uniquely track the browser session.

B. redir– Contains the URL the user originally requested, so they can be sent back there after login. It is not a session integrity token.

D. email– Optional field used in some guest/registration flows; irrelevant to session validation.