NSE6_FAC-6.4 Fortinet NSE 6 - FortiAuthenticator 6.4 Free Practice Exam Questions (2025 Updated)

PEAP is known as the outer authentication method because it establishes a secure tunnel between the client and the server using TLS. The inner authentication method, such as EAP-GTC, EAP-TLS, or MSCHAPV2, is then used to authenticate the client within the tunnel.

References: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/wireless-802-1x-authentication#peap

Guest accounts are associated with the sponsor that creates the guest account. A sponsor is a user who has permission to create and manage guest accounts on behalf of other users3. A sponsor can create guest accounts using the sponsor portal or the REST API3. The sponsor’s username is recorded as a field in the guest account’s profile3.

References: 3 https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/guest-management#sponsors

Network HSM is a feature that allows FortiAuthenticator to keep local CA cryptographic keys stored in a central location. HSM stands for Hardware Security Module, which is a physical device that provides secure storage and generation of cryptographic keys. Network HSM allows FortiAuthenticator to use an external HSM device to store and manage the private keys of its local CAs, instead of storing them locally on the FortiAuthenticator device.

References: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration- guide/906179/certificate-management#network-hsm

TOTP stands for Time-based One-time Password, which is a type of OTP that is generated based on two pieces of information: time and seed. The time is the current timestamp that is synchronized between the client and the server. The seed is a secret key that is shared between the client and the server. The TOTP algorithm combines the time and the seed to generate a unique and short-lived OTP that can be used for two-factor authentication.

References: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/two-factor-authentication#totp

FortiAuthenticator supports various captive or guest portal authentication methods, including social media login with Linkedln, Facebook, Twitter, Google+, or WeChat; email verification; SMS verification; voucher code; username and password; and MAC address bypass. Apple ID and Instagram are not supported as authentication methods. References: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management/372405/authentication-methods

Both sponsor and administrator account permissions are assigned using admin profiles. An admin profile is a set of permissions that defines what actions an administrator or a sponsor can perform on FortiAuthenticator. An admin profile can be assigned to an admin group or an individual admin user. A sponsor is a special type of admin user who can create and manage guest accounts on behalf of other users.

References: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/administrators#admin-profiles

The best method to migrate local users from one FortiAuthenticator device to another is to export the users from the current device as a CSV file and then import the CSV file into the new device. This method preserves all the user attributes and settings and allows you to modify them if needed before importing. The other methods are not suitable for migrating local users because they either require an external RADIUS server or do not transfer all the user information. References: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372409/user-management

FortiAuthenticator can be configured as a SAML identity provider (IdP) or a SAML service provider (SP). As an IdP, FortiAuthenticator authenticates users and issues SAML assertions to SPs. As an SP, FortiAuthenticator receives SAML assertions from IdPs and grants access to users based on the attributes in the assertions. Principal and assertion server are not valid SAML roles. References: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372407/saml

To monitor FortiAuthenticator system information and receive FortiAuthenticator traps through SNMP, two configurations must be performed after enabling SNMP access on the FortiAuthenticator interface:

Set the thresholds to trigger SNMP traps for various system events, such as CPU usage, disk usage, memory usage, or temperature.

Upload management information base (MIB) files to SNMP server to enable the server to interpret the SNMP traps sent by FortiAuthenticator.

References: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/system-settings#snmp

A digital certificate, also known as an X.509 certificate, contains two pieces of information:

Issuer, which is the identity of the certificate authority (CA) that issued the certificate

Public key, which is the public part of the asymmetric key pair that is associated with the certificate subject

References: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/certificate-management#certificate-components

Adaptive Authentication is a feature that allows administrators to bypass the need for two-factor authentication for users accessing from specific secured networks. Adaptive Authentication uses geolocation information from IP addresses to determine whether a user is accessing from a trusted network or not. If the user is accessing from a trusted network, FortiAuthenticator can skip the second factor of authentication and grant access based on the first factor only.

References: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/authentication-policies#adaptive-authentication

The screenshot shows that the account registration feature is enabled for the guest portal and that the guest group is set to Guest_Portal_Users. This means that all guest accounts created using this feature will be placed under that group1. The screenshot also shows that email validation is enabled for the guest portal and that the email validation link expires after 24 hours. This means that all accounts registered through the guest portal must be validated through email within that time frame1.

References: 1 https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/guest-management#account-registration