Fortinet NSE7_LED-7.0 Exam Practice Test Instant Access

Question 1

Which CLI command should an administrator use on FortiGate to view the RSSO authentication process in real time?

Adiagnose debug application fnbamd -1

Bdiagnose debug application authd -1

Cdiagnose debug application radiusd -1

Ddiagnose debug application foauthd -1

Answer : A

Question 2

Refer to the exhibit.

Examine the RADIUS server configuration shown in the exhibit

An administrator has configured a RADIUS server on FortiGate that points to FortiAuthenticator FortiAuthenticator is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP

While testing the configuration the administrator noticed that the diagnose test authserver command worked with PAP, however authentication requests failed when using MSCHAP2

Which two solutions can the administrator implement to get MSCHAP2 authentication to work'' (Choose two.)

AOn FortiAuthenticator enable Windows Active Directory Domain Authentication to add FortiAuthenticator to the Windows domain

BOn FortiGate configure the NAS IP setting on the RADIUS server

COn FortiAuthenticator change the back-end authentication server from LDAP to RADIUS

DOn FortiGate update the Secret setting on the RADIUS server

Answer : A, C

According to the exhibit, the RADIUS server configuration on FortiGate points to FortiAuthenticator, which is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP. However, LDAP does not support MSCHAP2 authentication, which is required for RADIUS. Therefore, option A is true because on FortiAuthenticator, enabling Windows Active Directory Domain Authentication will add FortiAuthenticator to the Windows domain and allow it to use MSCHAP2 authentication with the AD server. Option C is also true because on FortiAuthenticator, changing the back-end authentication server from LDAP to RADIUS will allow it to use MSCHAP2 authentication with the AD server. Option B is false because on FortiGate, configuring the NAS IP setting on the RADIUS server will not affect the MSCHAP2 authentication, but rather the source IP address of the RADIUS packets. Option D is false because on FortiGate, updating the Secret setting on the RADIUS server will not affect the MSCHAP2 authentication, but rather the shared secret between FortiGate and FortiAuthenticator.

Question 3

Refer to the exhibit.

Examine the FortiSwitch port configuration and the FortiGate interface configuration shown in the exhibit.

Based on the configuration shown in the exhibit, which two statements about how port2 handles tagged and untagged traffic are true? (Choose two.)

APort2 accepts ingress untagged traffic for VLAN IDs 10, 4091, and 4093 only.

BPort2 assigns ingress untagged traffic to VLAN 10.

CPort2 tags egress traffic for VLAN 10.

DPort2 accepts ingress tagged traffic for VLAN IDs 4091 and 4093 only.

Answer : A, B

Question 4

Refer to the exhibit.

An administrator wants to telnet into the S224EPTF19005867 switch over the FortiGate FortiLink interface.

Which configuration change should the administrator make?

AEnable telnet access on the FortiLink interface.

BOn the default local-access profile, add telnet to the list of allowed protocols for mgmt-allowaccess.

COn the default local-access profile, add telnet to the list of allowed protocols for internal-allowaccess.

DFactory reset the switch to enable telnet access.

Answer : C

Question 5

Refer to the exhibit.

Examine the debug output shown in the exhibit

Which two statements about the RADIUS debug output are true'' (Choose two)

AThe user student belongs to the SSLVPN group

BUser authentication failed

CThe RADIUS server sent a vendor-specific attribute in the RADIUS response

DUser authentication succeeded using MSCHAP

Answer : A, C

Question 6

Refer to the exhibit.

Examine the FortiGate RSSO configuration shown in the exhibit.

FortiGate is configured to receive RADIUS accounting messages on port3 to authenticate RSSO users. The incoming RADIUS accounting messages contain the username and group membership information in the User-Name and Class RADIUS attributes, respectively.

Which three settings must you configure on FortiGate to successfully authenticate RSSO users and match them to the existing RSSO user groups? (Choose three)

AThe rasc-endpoint-attribute CLI setting in the RSSO agent configuration should be set to User-Name.

BDevice detection and Security Fabric Connection should be enabled on port3.

CThe RADIUS Attribute Value setting configured for an RSSO user group should match the Class RADIUS attribute value in the RADIUS accounting message.

DRSSO user groups should be assigned to all firewall policies.

EThe sso-attribute CLI setting in the RSSO agent configuration should be set to Class.

Answer : A, C, E

Question 7

Refer to the exhibit.

Examine the FortiManager information shown in the exhibit

Which two statements about the FortiManager status are true'' (Choose two)

AFortiSwitch manager is working in per-device management mode

BFortiSwitch is not authorized

CFortiSwitch manager is working in central management mode

DFortiSwitch is authorized and offline

Answer : A, D

Fortinet NSE 7 - LAN Edge 7.0 NSE7_LED-7.0 Exam Practice Test