Which two statements about the guest portal on FortiAuthenticator are true? (Choose two.)

1. A. Each remote user on FortiAuthenticator can sponsor up to 10 guest accounts
2. B. Administrators must approve all guest accounts before they can be used
3. C. The guest portal provides pre and post-log in services
4. D. Administrators can use one or more incoming parameters to configure a mapping rule for the guest portal

Correct Answer: CD
According to the FortiAuthenticator Administration Guide2, “The guest portal provides pre and post-log in services for users (such as password reset and token registration abilities), and rules and replacement messages can be configured.” Therefore, option C is true. The same guide also states that “Administrators can use one or more incoming parameters to configure a mapping rule for the guest portal.” Therefore, option D is true. Option A is false because remote users can sponsor any number of guest accounts, as long as they do not
exceed the maximum number of guest accounts allowed by the license. Option B is false because administrators can choose to approve or reject guest accounts, or enable auto-approval.

Refer to the exhibit

A device connected to port2 on FortiSwitch cannot access the network The port is assigned a security policy to enforce 802 1X authentication While troubleshooting the issue, the administrator obtains the debug output shown in the exhibit
Which two scenarios are likely to cause this issue? (Choose two.)

1. A. The device is not configured for 802 IX authentication.
2. B. The device has been quarantined for 3600 seconds.
3. C. The device has been assigned the guest VLAN
4. D. The device does not support 802 1X authentication

Correct Answer: AD
According to the exhibit, the debug output shows that the device connected to port2 on FortiSwitch is sending an EAPOL-Start message, which is the first step of the 802.1X authentication process. However, the output also shows that the device is not sending any EAP-Response messages, which are required to complete the authentication process. Therefore, option A is true because the device is not configured for 802.1X authentication, which means that it does not have the correct credentials or settings to authenticate with the RADIUS server. Option D is also true because the device does not support 802.1X authentication, which means that it does not have the capability or software to perform 802.1X authentication. Option B is false because the device has not been quarantined for 3600 seconds, but rather has a session timeout of 3600 seconds, which is the default value for 802.1X sessions. Option C is false because the device has not been assigned the guest VLAN, but rather has been assigned the default VLAN, which is VLAN 1.

Which two statements about the MAC-based 802 1X security mode available on FortiSwitch are true? (Choose two.)

1. A. FortiSwitch authenticates a single device and opens the port to other devices connected to the port
2. B. FortiSwitch authenticates each device connected to the port
3. C. It cannot be used in conjunction with MAC authentication bypass
4. D. FortiSwitch can grant different access levels to each device connected to the port

Correct Answer: BD
According to the FortiSwitch Administration Guide, “MAC-based 802.1X security mode allows you to authenticate each device connected to a port using its MAC address as the username and password.” Therefore, option B is true because it describes the MAC-based 802.1X security mode available on FortiSwitch. Option D is also true because FortiSwitch can grant different access levels to each device connected to the port based on the user group and security policy assigned to them. Option A is false because FortiSwitch does not authenticate a single device and open the port to other devices connected to the port, but rather authenticates each device individually. Option C is false because MAC-based 802.1X security mode can be used in conjunction with MAC authentication bypass (MAB) or EAP pass-through modes, which are fallback options for non-802.1X devices.

Refer to the exhibit.

Examine the FortiManager information shown in the exhibit
Which two statements about the FortiManager status are true'' (Choose two)

1. A. FortiSwitch manager is working in per-device management mode
2. B. FortiSwitch is not authorized
3. C. FortiSwitch manager is working in central management mode
4. D. FortiSwitch is authorized and offline

Correct Answer: CD
According to the FortiManager Administration Guide, “Central management mode allows you to manage all FortiSwitch devices from a single interface on the FortiManager device.” Therefore, option C is true because the exhibit shows that the FortiSwitch manager is enabled and the FortiSwitch device is managed by the FortiManager device. Option D is also true because the exhibit shows that the FortiSwitch device status is offline, which means that it is not reachable by the FortiManager device, but it is authorized, which means that it has been added to the FortiManager device. Option A is false because per-device management mode allows you to manage each FortiSwitch device individually from its own web-based manager or CLI, which is not the case in the exhibit. Option B is false because the FortiSwitch device is authorized, as explained above.

Refer to the exhibits

The exhibits show the wireless network (VAP) SSID profiles defined on FortiManager and an AP profile assigned to a group of APs that are supported by FortiGate
None of the APs are broadcasting the SSlDs defined by the AP profile
Which changes do you need to make to enable the SSIDs to broadcast?

1. A. In the SSIDs section enable Tunnel
2. B. Enable one channel in the Channels section
3. C. Enable multiple channels in the Channels section and enable Radio Resource Provision
4. D. In the SSIDs section enable Manual and assign the networks manually

Correct Answer: B
According to the FortiManager Administration Guide1, “To enable the SSID, you must select at least one channel for the radio. If no channels are selected, the SSID will not be enabled.” Therefore, enabling one channel in the Channels section will allow the SSIDs to broadcast.