Fortinet NSE6_FAC-6.4 Exam Practice Test Instant Access

Question 1

Which option correctly describes an SP-initiated SSO SAML packet flow for a host without a SAML assertion?

AService provider contacts idendity provider, idendity provider validates principal for service provider, service provider establishes communication with principal

BPrincipal contacts idendity provider and is redirected to service provider, principal establishes connection with service provider, service provider validates authentication with identify provider

CPrincipal contacts service provider, service provider redirects principal to idendity provider, after succesfull authentication identify provider redirects principal to service provider

DPrincipal contacts idendity provider and authenticates, identity provider relays principal to service provider after valid authentication

Answer : C

SP-initiated SSO SAML packet flow for a host without a SAML assertion is as follows:

Principal contacts service provider, requesting access to a protected resource.

Service provider redirects principal to identity provider, sending a SAML authentication request.

Principal authenticates with identity provider using their credentials.

After successful authentication, identity provider redirects principal back to service provider, sending a SAML response with a SAML assertion containing the principal's attributes.

Service provider validates the SAML response and assertion, and grants access to the principal.

Question 2

At a minimum, which two configurations are required to enable guest portal services on FortiAuthenticator? (Choose two)

AConfiguring a portal policy

BConfiguring at least on post-login service

CConfiguring a RADIUS client

DConfiguring an external authentication portal

Answer : A, B

enable guest portal services on FortiAuthenticator, you need to configure a portal policy that defines the conditions for presenting the guest portal to users and the authentication methods to use. You also need to configure at least one post-login service that defines what actions to take after a user logs in successfully, such as sending an email confirmation, assigning a VLAN, or creating a user account. Configuring a RADIUS client or an external authentication portal are optional steps that depend on your network setup and requirements. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management

Question 3

At a minimum, which two configurations are required to enable guest portal services on FortiAuthenticator? (Choose two)

AConfiguring a portal policy

BConfiguring at least on post-login service

CConfiguring a RADIUS client

DConfiguring an external authentication portal

Answer : A, B

To enable guest portal services on FortiAuthenticator, you need to configure a portal policy that defines the conditions for presenting the guest portal to users and the authentication methods to use. You also need to configure at least one post-login service that defines what actions to take after a user logs in successfully, such as sending an email confirmation, assigning a VLAN, or creating a user account. Configuring a RADIUS client or an external authentication portal are optional steps that depend on your network setup and requirements. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management

Question 4

A system administrator wants to integrate FortiAuthenticator with an existing identity management system with the goal of authenticating and deauthenticating users into FSSO.

What feature does FortiAuthenticator offer for this type of integration?

AThe ability to import and export users from CSV files

BRADIUS learning mode for migrating users

CREST API

DSNMP monitoring and traps

Answer : C

REST API is a feature that allows FortiAuthenticator to integrate with an existing identity management system with the goal of authenticating and deauthenticating users into FSSO. REST API stands for Representational State Transfer Application Programming Interface, which is a method of exchanging data between different systems using HTTP requests and responses. FortiAuthenticator provides a REST API that can be used by external systems to perform various actions, such as creating, updating, deleting, or querying users and groups, or sending FSSO logon or logoff events.

Question 5

Which statement about captive portal policies is true, assuming a single policy has been defined?

APortal policies apply only to authentication requests coming from unknown RADIUS clients

BAll conditions in the policy must match before a user is presented with the captive portal.

CConditions in the policy apply only to wireless users.

DPortal policies can be used only for BYODs.

Answer : B

Captive portal policies are used to define the conditions and settings for presenting a captive portal to users who need to authenticate before accessing the network. A captive portal policy consists of a set of conditions and a set of actions. The conditions can be based on various attributes, such as source IP address, MAC address, user group, device type, or RADIUS client. The actions can include redirecting the user to a specific portal, applying a specific authentication method, or assigning a specific VLAN or firewall policy. A single policy can have multiple conditions, and all conditions in the policy must match before a user is presented with the captive portal.

Question 6

A device or user identity cannot be established transparently, such as with non-domain BYOD devices, and allow users to create their own credentialis.

In this case, which user idendity discovery method can Fortiauthenticator use?

ASyslog messaging or SAML IDP

BKerberos-base authentication

CRadius accounting

DPortal authentication

Answer : D

Portal authentication is a user identity discovery method that can be used when a device or user identity cannot be established transparently, such as with non-domain BYOD devices, and allow users to create their own credentials. Portal authentication requires users to enter their credentials on a web page before accessing network resources. The other methods are used for transparent identification of domain devices or users. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372406/user-identity-discovery

Question 7

Which two statements about the EAP-TTLS authentication method are true? (Choose two)

AUses mutual authentication

BUses digital certificates only on the server side

CRequires an EAP server certificate

DSupport a port access control (wired) solution only

Answer : B, C

EAP-TTLS is an authentication method that uses digital certificates only on the server side to establish a secure tunnel between the server and the client. The client does not need a certificate but can use any inner authentication method supported by the server, such as PAP, CHAP, MS-CHAP, or EAP-MD5. EAP-TTLS requires an EAP server certificate that is issued by a trusted CA and installed on the FortiAuthenticator device acting as the EAP server. EAP-TTLS supports both wireless and wired solutions for port access control. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372412/eap-ttls

Fortinet NSE 6 - FortiAuthenticator 6.4 NSE6_FAC-6.4 Exam Practice Test