Fortinet NSE7_SAC-6.2 Exam Practice Test Instant Access

Question 1

A wireless network in a school provides guest access using a captive portal to allow unregistered users to self-register and access the network. The administrator is requested to update the existing configuration to provide captive portal authentication through a secure connection (HTTPS) to protect and encrypt guest user credentials after they receive the login information when registered for the first time.

Which two changes must the administrator make to enforce HTTPS authentication? (Choose two.)

AProvide instructions to users to use HTTPS to access the network

BCreate a new SSID with the HTTPS captive portal URL

CEnable Redirect HTTP Challenge to a Secure Channel (HTTPS) in the user authentication settings

DUpdate the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator

Answer : B, D

Question 2

What does DHCP snooping MAC verification do?

ADrops DHCP release packets on untrusted ports

BDrops DHCP packets with no relay agent information (option 82) on untrusted ports

CDrops DHCP offer packets on untrusted ports

DDrops DHCP packets on untrusted ports when the client hardware address does not match the source MAC address

Answer : D

https://docs.fortinet.com/document/fortiswitch/6.4.2/administration-guide/335964/dhcp-snooping (note)

Question 3

Refer to the exhibit.

The exhibit shows two FortiGate devices in active-passive HA mode, including four FortiSwitch devices connected to a ring.

Which two configurations are required to deploy this network topology'' (Choose two.)

AConfigure link aggregation interfaces on the FortiLink interfaces.

BConfigure the trunk interfaces on the FortiSwitch devices as MCLAG-ISL.

CEnable f ortilink-split-interf ace on the FortiLink interfaces.

DEnable STP on the FortiGate interfaces.

Answer : C, D

https://www.fortinetguru.com/2019/07/fortilink-configuration-using-the-fortigate-gui/

Question 4

Refer to the exhibit.

Examine the packet capture shown in the exhibit, which contains a RADIUS access request packet sent by FortiSwitch to a RADIUS server.

Why does the User-Name field in the RADIUS access request packet contain a MAC address?

AThe FortiSwitch interface is configured for 802 IX port authentication with MAC address bypass, and the connected device does not support 802.1X.

BFortiSwitch authenticates itself using its MAC address as the user name.

CThe connected device is doing machine authentication

DFortiSwitch is replying to an access challenge packet sent by the RADIUS server and requesting the client MAC address.

Answer : D

Question 5

Which statement correctly describes the guest portal behavior on FortiAuthenticator?

ASponsored accounts cannot authenticate using guest portals.

BFortiAuthenticator uses POST parameters and a RADIUS client configuration to map the request to a guest portal for authentication.

CAll guest accounts must be activated using SMS or email activation codes.

DAll self-registered and sponsored accounts are listed on the local Users GUI page on FortiAuthenticator.

Answer : A

Question 6

Refer to the exhibit.

Given the network topology shown in the exhibit, which two ports should be configured as untrusted DHCP ports? (Choose two.)

AFortiSwitch B, port1

BFortiSwitch A, port2

CFortiSwitch B, port2

DFortiSwitch A, port1

Answer : C, D

Question 7

Examine the following RADIUS configuration:

An administrator has configured a RADIUS server on FortiGate that points to FortiAuthenticator. FortiAuthenticator is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP.

While testing the configuration, the administrator notices that the diagnose test authserver command works with PAP, however, authentication requests fail when using MSCHAPv2.

Which two changes should the administrator make to get MSCHAPv2 to work? (Choose two.)

AForce FortiGate to use the PAP authentication method in the RADIUS server configuration.

BChange the remote authentication server from LDAP to RADIUS on FortiAuthenticator.

CUse MSCHAP instead of using MSCHAPv2.

DEnable Windows Active Directory Domain Authentication on FortiAuthenticator to add FortiAuthenticator to the Windows domain

Answer : B, D

https://docs.fortinet.com/document/fortiauthenticator/6.0.0/administration-guide/641286/remote-authentication-servers

Fortinet NSE 7 - Secure Access 6.2 NSE7_SAC-6.2 Exam Practice Test