2025 Verified NSE7_LED-7.0 dumps Q&As on your NSE 7 Network Security Architect Exam Questions Certain Success!
NSE7_LED-7.0 Exam Dumps - 100% Marks In NSE7_LED-7.0 Exam!
The Fortinet NSE 7 - LAN Edge 7.0 certification exam covers a wide range of topics, including Fortinet security technologies, network security concepts, and best practices in LAN edge security. It tests the candidate's ability to configure, manage, and troubleshoot Fortinet security solutions, including FortiGate, FortiSwitch, and FortiAP devices. The NSE7_LED-7.0 exam also evaluates the candidate's knowledge of network protocols, security policies, and advanced security features such as VPN, SSL, and IPSec. Passing the Fortinet NSE7_LED-7.0 exam is a prerequisite for achieving the Fortinet NSE 7 certification, which is recognized globally as a standard of excellence in network security expertise.
NEW QUESTION # 14
An administrator is testing the connectivity for a new VLAN. The devices in the VLAN are connected to a FortiSwitch device that is managed by FortiGate. Quarantine is disabled on FortiGate. While testing, the administrator noticed that devices can ping FortiGate and FortiGate can ping the devices. The administrator also noticed that inter-VLAN communication works. However, intra-VLAN communication does not work. Which scenario is likely to cause this issue?
- A. Access VLAN is enabled on the VLAN
- B. The native VLAN configured on the ports is incorrect
- C. The FortiGate ARP table is missing entries
- D. The FortiSwitch MAC address table is missing entries
Answer: D
Explanation:
According to the scenario, the devices in the VLAN are connected to a FortiSwitch device that is managed by FortiGate. Quarantine is disabled on FortiGate, which means that the devices are not blocked by any security policy. The devices can ping FortiGate and FortiGate can ping the devices, which means that the IP connectivity is working. Inter-VLAN communication works, which means that the routing between VLANs is working. However, intra-VLAN communication does not work, which means that the switching within the VLAN is not working. Therefore, option C is true because the FortiSwitch MAC address table is missing entries, which means that the FortiSwitch does not know how to forward frames to the destination MAC addresses within the VLAN. Option A is false because access VLAN is enabled on the VLAN, which means that the VLAN ID is added to the frames on ingress and removed on egress. This does not affect intra-VLAN communication. Option B is false because the native VLAN configured on the ports is incorrect, which means that the frames on the native VLAN are not tagged with a VLAN ID. This does not affect intra-VLAN communication. Option D is false because the FortiGate ARP table is missing entries, which means that FortiGate does not know how to map IP addresses to MAC addresses. This does not affect intra-VLAN communication.
NEW QUESTION # 16
A wireless network in a school provides guest access using a captive portal to allow unregistered users to self-register and access the network. The administrator is requested to update the existing configuration to provide captive portal authentication through a secure connection (HTTPS).
Which two changes must the administrator make to enforce HTTPS authentication? (Choose two)
- A. Create a new SSID with the HTTPS captive portal URL
- B. Disable HTTP administrative access on the guest SSID to enforce HTTPS connection
- C. Enable HTTP redirect in the user authentication settings
- D. Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator
Answer: C,D
Explanation:
To enable HTTPS authentication, you must enable HTTP redirect in the user authentication settings. This redirects HTTP requests to HTTPS. You must also update the captive portal URL to use HTTPS on both FortiGate and FortiAuthenticator.
NEW QUESTION # 17
Where can FortiGate learn the FortiManager IP address or FQDN for zero-touch provisioning?
- A. From a TFTP server
- B. From a DNS server using A or AAAA records
- C. From a DHCP server using options 240 and 241
- D. From an LDAP server using a simple bind operation
Answer: C
Explanation:
FortiGate retrieves the FortiManager IP address or FQDN through DHCP options 240 or 241 respectively.
NEW QUESTION # 18
Refer to the exhibits.
The exhibits show the wireless network (VAP) SSID profiles defined on FortiManager and an AP profile assigned to a group of APs that are supported by FortiGate. None of the APs are broadcasting the SSIDs defined by the AP profile. Which changes do you need to make to enable the SSIDs to broadcast?
- A. Enable multiple channels in the Channels section and enable Radio Resource Provision
- B. In the SSIDs section enable Tunnel
- C. Enable one channel in the Channels section
- D. In the SSIDs section enable Manual and assign the networks manually
Answer: C
Explanation:
According to the FortiManager Administration Guide, "To enable the SSID, you must select at least one channel for the radio. If no channels are selected, the SSID will not be enabled." Therefore, enabling one channel in the Channels section will allow the SSIDs to broadcast.
NEW QUESTION # 19
Refer to the exhibit. In the wireless configuration shown in the exhibits, an AP is deployed in a remote site and has a wireless network (VAP) called Corporate deployed to it. The network is a tunneled network; however, clients connecting to a wireless network require access to a local printer. Clients are trying to print to a printer on the remote site but are unable to do so.
Which configuration change is required to allow clients connected to the Corporate SSID to print locally?

- A. Disable the Block Intra-SSID Traffic (intra-vap-privacy) setting on the SSID (VAP) profile
- B. Configure split-tunneling in the wtp-profile configuration
- C. Configure the printer as a wireless client on the Corporate wireless network
- D. Configure split-tunneling in the vap configuration
Answer: D
Explanation:
Split tunneling allows you to specify which traffic is tunneled to the FortiGate and which traffic is sent directly to the Internet. This can improve performance and reduce bandwidth usage.
Therefore, by configuring split-tunneling in the vap configuration, you can allow the clients connected to the Corporate SSID to access both the corporate network and the local printer.
NEW QUESTION # 20
Refer to the exhibit.
Examine the LDAP server configuration shown in the exhibit. Note that the Username setting has been expanded to display its full content. On the Windows AD server 10.0.1.10, the administrator used dsquery, which returned the following output:
According to the output, which FortiGate LDAP setting is configured incorrectly?
- A. Bind Type
- B. Distinguished Name
- C. Username
- D. Common Name Identifier
Answer: B
Explanation:
According to the exhibits, the LDAP server configuration on FortiGate has the Distinguished Name set to "dc=training,dc=lab". However, according to the output of the dsquery command on the Windows AD server, the Distinguished Name of the domain should be "dc=trainingAD,dc=training,dc=lab". Therefore, option C is true because the Distinguished Name on FortiGate is configured incorrectly and does not match the actual Distinguished Name of the domain. Option A is false because the Common Name Identifier on FortiGate is configured correctly as "cn". Option B is false because the Bind Type on FortiGate is configured correctly as "Regular". Option D is false because the Username on FortiGate is configured correctly as "cn=admin,cn=users,dc=trainingAD,dc=training,dc=lab".
NEW QUESTION # 21
Refer to the exhibit. A device connected to port2 on FortiSwitch cannot access the network. The port is assigned a security policy to enforce 802.1X authentication. While troubleshooting the issue, the administrator obtains the debug output shown in the exhibit.
Which two scenarios are likely to cause this issue? (Choose two.)
- A. The device is not configured for 802.1X authentication.
- B. The device has been quarantined for 3600 seconds.
- C. The device has been assigned the guest VLAN.
- D. The device does not support 802.1X authentication.
Answer: A,D
Explanation:
According to the exhibit, the debug output shows that the device connected to port2 on FortiSwitch is sending an EAPOL-Start message, which is the first step of the 802.1X authentication process. However, the output also shows that the device is not sending any EAP-Response messages, which are required to complete the authentication process. Therefore, option A is true because the device is not configured for 802.1X authentication, which means that it does not have the correct credentials or settings to authenticate with the RADIUS server.
Option D is also true because the device does not support 802.1X authentication, which means that it does not have the capability or software to perform 802.1X authentication.
NEW QUESTION # 22
What is the purpose of enabling Windows Active Directory Domain Authentication on FortiAuthenticator?
- A. It enables FortiAuthenticator to use Windows administrator credentials to perform an LDAP lookup for a user search
- B. It enables FortiAuthenticator to register itself as a Windows trusted device to proxy authentication using Kerberos
- C. It enables FortiAuthenticator to use a Windows CA certificate when authenticating RADIUS users
- D. It enables FortiAuthenticator to import users from Windows AD
Answer: B
Explanation:
Windows Active Directory domain authentication enables FortiAuthenticator to join a Windows Active Directory domain as a machine entity and proxy authentication requests using Kerberos.
NEW QUESTION # 23
Which two statements about MAC address quarantine by redirect mode are true? (Choose two)
- A. It is the default mode for MAC address quarantine
- B. The device MAC address is added to the Quarantined Devices firewall address group
- C. The quarantined device is kept in the current VLAN
- D. The quarantined device is moved to the quarantine VLAN
Answer: B,C
Explanation:
According to the FortiGate Administration Guide, "MAC address quarantine by redirect mode allows you to quarantine devices by adding their MAC addresses to a firewall address group called Quarantined Devices.
The quarantined devices are kept in their current VLANs, but their traffic is redirected to a quarantine portal." Therefore, options B and D are true because they describe the statements about MAC address quarantine by redirect mode. Option A is false because the quarantined device is not moved to the quarantine VLAN, but rather kept in the current VLAN. Option C is false because redirect mode is not the default mode for MAC address quarantine, but rather an alternative mode that can be enabled by setting mac-quarantine-mode to redirect.
https://docs.fortinet.com/document/fortiap/7.0.0/configuration-guide/734537/radius-authenticated-dynamic-vlan-: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/734537/mac-address-quarantine
NEW QUESTION # 24
Refer to the exhibit. Examine the RADIUS server configuration shown in the exhibit.
An administrator has configured a RADIUS server on FortiGate that points to FortiAuthenticator.
FortiAuthenticator is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP.
While testing the configuration, the administrator noticed that the diagnose test authserver command worked with PAP; however, authentication requests failed when using MSCHAP2.
Which two solutions can the administrator implement to get MSCHAP2 authentication to work?
(Choose two.)
- A. On FortiGate configure the NAS IP setting on the RADIUS server
- B. On FortiGate update the Secret setting on the RADIUS server
- C. On FortiAuthenticator change the back-end authentication server from LDAP to RADIUS
- D. On FortiAuthenticator enable Windows Active Directory Domain Authentication to add FortiAuthenticator to the Windows domain
Answer: C,D
Explanation:
According to the exhibit, the RADIUS server configuration on FortiGate points to FortiAuthenticator, which is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP. However, LDAP does not support MSCHAP2 authentication, which is required for RADIUS. Therefore, option A is true because on FortiAuthenticator, enabling Windows Active Directory Domain Authentication will add FortiAuthenticator to the Windows domain and allow it to use MSCHAP2 authentication with the AD server. Option C is also true because on FortiAuthenticator, changing the back-end authentication server from LDAP to RADIUS will allow it to use MSCHAP2 authentication with the AD server.
NEW QUESTION # 25
Which two statements about FortiSwitch manager are true? (Choose two)
- A. Any switch discovered or authorized on FortiGate must be added manually on FortiSwitch manager
- B. If the administrator makes any changes on FortiSwitch manager they must also install those changes on FortiGate so that those changes are applied on the managed switches
- C. FortiManager obtains the FortiSwitch status information by querying the FortiGate REST API every three minutes
- D. Per-device management is the default management mode on FortiManager
Answer: B,C
Explanation:
According to the FortiManager Administration Guide, "FortiManager obtains the FortiSwitch status information by querying the FortiGate REST API every three minutes." Therefore, option B is true because it describes how FortiManager gets the information about the managed switches.
According to the same guide, "If you make any changes in this module, you must install them on your managed device so that they are applied on your managed switches." Therefore, option C is true because it describes what the administrator must do after making any changes on FortiSwitch manager. Option A is false because central management is the default management mode on FortiManager, not per-device management. Option D is false because any switch discovered or authorized on FortiGate will be automatically added on FortiSwitch manager, not manually.
NEW QUESTION # 26
Refer to the exhibit.
Examine the FortiManager configuration and FortiGate CLI output shown in the exhibit. An administrator is testing the NAC feature. The test device is connected to a managed FortiSwitch device (S224EPTF19005867) on port2.
After applying the NAC policy on port2 and generating traffic on the test device, the test device is not matching the NAC policy; therefore, the test device remains in the onboarding VLAN. Based on the information shown in the exhibit, which two scenarios are likely to cause this issue? (Choose two.)
- A. The device operating system detected by FortiGate is not Linux
- B. The MAC address configured on the NAC policy is incorrect
- C. Management communication between FortiGate and FortiSwitch is down
- D. Device detection is not enabled on VLAN 4089
Answer: B,C
Explanation:
According to the FortiManager configuration, the NAC policy is set to match devices with the MAC address of 00:0c:29:6a:2b:3c and the operating system of Linux. However, according to the FortiGate CLI output, the test device has a different MAC address of 00:0c:29:6a:2b:3d. Therefore, option B is true. Option A is also true because the FortiSwitch device status is shown as down, which means that the management communication between FortiGate and FortiSwitch is not working properly. This could prevent the NAC policy from being applied correctly. Option C is false because the device operating system detected by FortiGate is Linux, which matches the NAC policy. Option D is false because device detection is enabled on VLAN 4089, as shown by the command "config switch-controller vlan".
NEW QUESTION # 27
An administrator is testing the connectivity for a new VLAN. The devices in the VLAN are connected to a FortiSwitch device that is managed by FortiGate. Quarantine is disabled on FortiGate.
While testing, the administrator noticed that devices can ping FortiGate and FortiGate can ping the devices. The administrator also noticed that inter-VLAN communication works. However, intra-VLAN communication does not work.
Which scenario is likely to cause this issue?
- A. The FortiSwitch MAC address table is missing entries
- B. The native VLAN configured on the ports is incorrect
- C. Access VLAN is enabled on the VLAN
- D. The FortiGate ARP table is missing entries
Answer: C
NEW QUESTION # 28
Refer to the exhibit.
Examine the FortiSwitch security policy shown in the exhibit.
If the security profile shown in the exhibit is assigned to all ports on a FortiSwitch device for 802.1X authentication, which statement about the switch is correct?
- A. FortiSwitch will try to authenticate non-802.1X devices using the device MAC address as the username and password
- B. FortiSwitch cannot authenticate multiple devices connected to the same port
- C. All EAP messages will be terminated on FortiSwitch
- D. FortiSwitch will assign non-802.1X devices to the onboarding VLAN
Answer: D
Explanation:
According to the FortiSwitch Administration Guide, "If a device does not support 802.1X authentication, you can configure the switch to assign the device to an onboarding VLAN. The onboarding VLAN is a separate VLAN that you can use to provide limited network access to non-802.1X devices." Therefore, option C is true because it describes the behavior of FortiSwitch when the security profile shown in the exhibit is assigned to all ports. Option A is false because FortiSwitch can authenticate multiple devices connected to the same port using MAC-based or MAB-EAP modes. Option B is false because FortiSwitch will not try to authenticate non-802.1X devices using the device MAC address as the username and password, but rather use MAC authentication bypass (MAB) or EAP pass-through modes. Option D is false because all EAP messages will be terminated on FortiGate, not FortiSwitch, when using 802.1X authentication.
NEW QUESTION # 29
You are setting up an SSID (VAP) to perform RADIUS-authenticated dynamic VLAN allocation. Which three RADIUS attributes must be supplied by the RADIUS server to enable successful VLAN allocation? (Choose three.)
- A. Tunnel-Preference
- B. Tunnel-Medium-Type
- C. Tunnel-Pvt-Group-ID
- D. Tunnel-Private-Group-ID
- E. Tunnel-Type
Answer: B,D,E
Explanation:
According to the FortiAP Configuration Guide, "To perform RADIUS-authenticated dynamic VLAN allocation, the RADIUS server must supply the following RADIUS attributes: Tunnel-Private-Group-ID, which specifies the VLAN ID to assign to the user. Tunnel-Type, which specifies the tunneling protocol used for the VLAN. The value must be 13 (VLAN). Tunnel-Medium-Type, which specifies the transport medium used for the VLAN. The value must be 6 (802)." Therefore, options A, D, and E are true because they describe the RADIUS attributes that must be supplied by the RADIUS server to enable successful VLAN allocation.
Option B is false because Tunnel-Pvt-Group-ID is not a valid RADIUS attribute name, but rather a typo for Tunnel-Private-Group-ID. Option C is false because Tunnel-Preference is not a required RADIUS attribute for dynamic VLAN allocation, but rather an optional attribute that specifies the priority of the VLAN.
NEW QUESTION # 30
Which CLI command should an administrator use to view the certificate verification process in real time?
- A. diagnose debug application authd -1
- B. diagnose debug application foauthd -1
- C. diagnose debug application radiusd -1
- D. diagnose debug application fnbamd -1
Answer: D
Explanation:
NEW QUESTION # 31
Refer to the exhibit showing a network topology and SSID settings.
FortiGate is configured to use an external captive portal. However, wireless users are not able to see the captive portal login page. Which configuration change should the administrator make to fix the problem?
- A. Remove the guest.portal user group in the firewall policy with the ID 12
- B. Enable NAT in the firewall policy with the ID 13.
- C. Enable the captive-portal-exempt option in the firewall policy with the ID 12
- D. Add the FortiAuthenticator and WindowsAD address objects as exempt destinations services
Answer: D
Explanation:
According to the exhibit, the network topology and SSID settings show that FortiGate is configured to use an external captive portal hosted on FortiAuthenticator, which is connected to a Windows AD server for user authentication. However, wireless users are not able to see the captive portal login page, which means that they are not redirected to the external captive portal URL. Therefore, option B is true because adding the FortiAuthenticator and WindowsAD address objects as exempt destinations services will allow the wireless users to access the external captive portal URL without being blocked by the firewall policy. Option A is false because enabling NAT in the firewall policy with the ID 13 will not affect the redirection to the external captive portal URL, but rather the source IP address of the wireless traffic. Option C is false because enabling the captive-portal-exempt option in the firewall policy with the ID 12 will bypass the captive portal authentication for the wireless users, which is not the desired outcome. Option D is false because removing the guest.portal user group in the firewall policy with the ID 12 will prevent the wireless users from being authenticated by FortiGate, which is required for accessing the external captive portal.
NEW QUESTION # 32
Refer to the exhibits.
Examine the troubleshooting outputs shown in the exhibits.
Users have been reporting issues with the speed of their wireless connection in a particular part of the wireless network. The interface that is having issues is the 2.4 GHz interface that is currently configured on channel 6. The administrator of the wireless network has investigated and surveyed the local RF environment using the tools available at the AP and FortiGate. Which configuration would improve the wireless connection?
- A. Change the AP 2.4 GHz channel to 13.
- B. Change the AP 2.4 GHz channel to 9.
- C. Change the AP 2.4 GHz channel to 11.
- D. Change the AP 2.4 GHz channel to 1.
Answer: D
Explanation:
According to the exhibits, the AP 2.4 GHz interface is currently configured on channel 6, which is overlapping with other nearby APs on channels 4 and 8. This can cause interference and reduce the wireless performance.
Therefore, changing the AP 2.4 GHz channel to 1 would improve the wireless connection, as it would avoid the overlapping channels and use a non-overlapping channel instead. Option A is false because changing the AP 2.4 GHz channel to 11 would still overlap with other nearby APs on channels 9 and 13. Option C is false because changing the AP 2.4 GHz channel to 9 would still overlap with other nearby APs on channels 6, 8, and 11. Option D is false because changing the AP 2.4 GHz channel to 13 would still overlap with other nearby APs on channels 9 and 11.
NEW QUESTION # 33
Refer to the exhibit.
Examine the FortiGate RSSO configuration shown in the exhibit.
FortiGate is configured to receive RADIUS accounting messages on port3 to authenticate RSSO users. The users are located behind port3 and the internet link is connected to port1. FortiGate is processing incoming RADIUS accounting messages successfully and RSSO users are getting associated with the RSSO Group user group. However, all the users are able to access the internet, and the administrator wants to restrict internet access to RSSO users only. Which configuration change should the administrator make to fix the problem?
- A. Change the RADIUS Attribute Value setting to match the name of the RADIUS attribute containing the group membership information of the RSSO users
- B. Enable Security Fabric Connection on port3
- C. Create a second firewall policy from port3 to port1 and select the target destination subnets
- D. Add RSSO Group to the firewall policy
Answer: D
Explanation:
According to the exhibit, the firewall policy from port3 to port1 has no user group specified, which means that it allows all users to access the internet. Therefore, option B is true because adding RSSO Group to the firewall policy will restrict internet access to RSSO users only. Option A is false because changing the RADIUS Attribute Value setting will not affect the firewall policy, but rather the RSSO user group membership. Option C is false because enabling Security Fabric Connection on port3 will not affect the firewall policy, but rather the communication between FortiGate and other Security Fabric devices. Option D is false because creating a second firewall policy from port3 to port1 will not affect the existing firewall policy, but rather create a redundant or conflicting policy.
NEW QUESTION # 34
Refer to the exhibit. Examine the FortiManager configuration and FortiGate CLI output shown in the exhibit.
An administrator is testing the NAC feature. The test device is connected to a managed FortiSwitch device (S224EPTF19005867) on port2.
After applying the NAC policy on port2 and generating traffic on the test device, the test device is not matching the NAC policy; therefore, the test device remains in the onboarding VLAN.
Based on the information shown in the exhibit, which two scenarios are likely to cause this issue?
(Choose two.)
- A. The device operating system detected by FortiGate is not Linux
- B. The MAC address configured on the NAC policy is incorrect
- C. Management communication between FortiGate and FortiSwitch is down
- D. Device detection is not enabled on VLAN 4089
Answer: A,B
Explanation:
https://docs.fortinet.com/document/fortiswitch/7.4.2/fortilink-guide/173271/fortiswitch-network-access-control
NEW QUESTION # 35 
Wireless guest users are unable to authenticate because they are getting a certificate error while loading the captive portal login page. This URL string is the HTTPS POST URL guest wireless users see when attempting to access the network using the web browser.
Which two settings are the likely causes of the issue? (Choose two.)
- A. The external server FQDN is incorrect
- B. The user address is not in DDNS form
- C. The FortiGate authentication interface address is using HTTPS
- D. The wireless user's browser is missing a CA certificate
Answer: A,D
Explanation:
According to the exhibit, the wireless guest users are getting a certificate error while loading the captive portal login page. This means that the browser cannot verify the identity of the server that is hosting the login page.
Therefore, option A is true because the external server FQDN is incorrect, which means that it does not match the common name or subject alternative name of the server certificate. Option B is also true because the wireless user's browser is missing a CA certificate, which means that it does not have the root or intermediate certificate that issued the server certificate. Option C is false because the FortiGate authentication interface address is using HTTPS, which is a secure protocol that encrypts the communication between the browser and the server. Option D is false because the user address is not in DDNS form, which is not related to the certificate error.
NEW QUESTION # 36
Refer to the exhibit. Examine the network diagram and packet capture shown in the exhibit.
The packet capture was taken between FortiGate and FortiAuthenticator, and shows a RADIUS Access-Request packet sent by FortiSwitch to FortiAuthenticator through FortiGate.
Why does the User-Name attribute in the RADIUS Access-Request packet contain the client MAC address?
- A. FortiSwitch is sending a RADIUS accounting message to FortiAuthenticator
- B. The client is performing AD machine authentication
- C. FortiSwitch is authenticating the client using MAC authentication bypass
- D. The client is performing user authentication
Answer: C
Explanation:
According to the exhibit, the User-Name attribute in the RADIUS Access-Request packet contains the client MAC address of 00:0c:29:6a:2b:3d. This indicates that FortiSwitch is authenticating the client using MAC authentication bypass (MAB), which is a method of authenticating devices that do not support 802.1X by using their MAC address as the username and password.
NEW QUESTION # 37

