Exam FCSS_LED_AR-7.6 Topic 1 Question 100 Discussion
Actual exam question for Fortinet's FCSS_LED_AR-7.6 exam
Question #: 100
Topic #: 1
Question #: 100
Topic #: 1
Refer to the exhibits.


Examine the FortiGate RSSO configuration shown in the exhibit.
FortiGate is set up to use RSSO for user authentication. It is currently receiving RADIUS accounting messages through port3. The incoming RADIUS accounting messages contain the username in the User- Name attribute and group membership in the Class attribute. You must ensure that the users are authenticated through these RADIUS accounting messages and accurately mapped to their respective RSSO user groups.
Which three critical configurations must you implement on the FortiGate device? (Choose three.)


Examine the FortiGate RSSO configuration shown in the exhibit.
FortiGate is set up to use RSSO for user authentication. It is currently receiving RADIUS accounting messages through port3. The incoming RADIUS accounting messages contain the username in the User- Name attribute and group membership in the Class attribute. You must ensure that the users are authenticated through these RADIUS accounting messages and accurately mapped to their respective RSSO user groups.
Which three critical configurations must you implement on the FortiGate device? (Choose three.)
Suggested Answer: A,D,E Vote an answer
The problem states:
FortiGate receivesRADIUS accounting messagesonport3.
User-Nameattribute contains the username.
Classattribute contains the group membership.
Goal: authenticate users through RSSO and map them to the correct user groups.
To achieve this, three critical components must be configured:
#A. RADIUS Attribute Value in the RSSO group must match the Class attribute This is mandatory because:
RSSO user groups on FortiGate match users based onthe value inside the RADIUS attribute(usually Class).
For group assignment to work, FortiGate must compare:
RSSO User Group # RADIUS Class Attribute Value
This isexactly how FortiGate maps RSSO users to groups.
#D. RSSO agent's sso-attribute must be set to Class
Thesso-attributedefineswhich RADIUS attribute contains the group information.
Because group membership is carried in:
#Class attribute
You must configure:
config user radius
set sso-attribute Class
end
This tells FortiGate:
" Use the Class attribute to derive user group membership. "
#E. rsso-endpoint-attribute must be set to User-Name
This identifieswhich RADIUS attributecarries the actualusername.
In this scenario:
RADIUS accounting messages contain the username inUser-Name.
So the correct setting is:
config user radius
set rsso-endpoint-attribute User-Name
end
This ensures the RSSO user object uses the correct username.
#Incorrect Options Explained
B). Assign RSSO user groups to all firewall policies
Not required.
You only assign them to policies where RSSO authentication is used.
C). Device detection and Security Fabric Connection should be enabled on port3 Totally irrelevant to RSSO.
RSSO only needs RADIUS accounting, not device detection or Fabric services.
FortiGate receivesRADIUS accounting messagesonport3.
User-Nameattribute contains the username.
Classattribute contains the group membership.
Goal: authenticate users through RSSO and map them to the correct user groups.
To achieve this, three critical components must be configured:
#A. RADIUS Attribute Value in the RSSO group must match the Class attribute This is mandatory because:
RSSO user groups on FortiGate match users based onthe value inside the RADIUS attribute(usually Class).
For group assignment to work, FortiGate must compare:
RSSO User Group # RADIUS Class Attribute Value
This isexactly how FortiGate maps RSSO users to groups.
#D. RSSO agent's sso-attribute must be set to Class
Thesso-attributedefineswhich RADIUS attribute contains the group information.
Because group membership is carried in:
#Class attribute
You must configure:
config user radius
set sso-attribute Class
end
This tells FortiGate:
" Use the Class attribute to derive user group membership. "
#E. rsso-endpoint-attribute must be set to User-Name
This identifieswhich RADIUS attributecarries the actualusername.
In this scenario:
RADIUS accounting messages contain the username inUser-Name.
So the correct setting is:
config user radius
set rsso-endpoint-attribute User-Name
end
This ensures the RSSO user object uses the correct username.
#Incorrect Options Explained
B). Assign RSSO user groups to all firewall policies
Not required.
You only assign them to policies where RSSO authentication is used.
C). Device detection and Security Fabric Connection should be enabled on port3 Totally irrelevant to RSSO.
RSSO only needs RADIUS accounting, not device detection or Fabric services.
by Murphy at Jul 09, 2026, 01:12 AM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).