Exam FCSS_LED_AR-7.6 Topic 3 Question 1 Discussion

Actual exam question for Fortinet's FCSS_LED_AR-7.6 exam
Question #: 1
Topic #: 3
Refer to the exhibits.


Examine the FortiManager configuration and FortiGate CLI output shown in the exhibit.
The NAC feature is being tested with a device connected to port2 on managed FortiSwitch S224SPTF19005867. The NAC policy has been applied to port2, and traffic was generated from the test device. However, the traffic from the test device does not match the NAC policy and remains in the onboarding VLAN.
What are two possible reasons why the test device is not being correctly classified by the NAC policy?
(Choose two.)

Suggested Answer: A,B

From the FortiManager NAC policy:
* Category = Device
* Match criteria include MAC address and Operating System = Linux
* Action = Assign VLAN "Students"
From the FortiGate CLI:
diagnose switch-controller switch-info mac-table ...
MAC: 70:88:6b:8c:4a:ce VLAN: 4089 Port: port2
diagnose switch-controller mac-device mac onboarding
VLAN 4089 MAC 70:88:6b:8c:4a:ce
So the device is stuck in VLAN 4089, which is the onboarding VLAN. No NAC policy is matched.
For a NAC policy to match, FortiGate needs device-identity information, which comes from device detection on the VLAN / FortiLink interface plus the attributes that the policy expects (OS, MAC, etc.).
* A. Device detection is not enabled on VLAN 4089.
  * If device detection is disabled on the interface/VLAN where the endpoint lives, FortiGate cannot learn OS / device info.
  * Without this, the NAC engine cannot compare against the NAC policy (which relies on OS and other attributes), so the device remains in the onboarding VLAN. This is a valid root cause.
* B. The device operating system detected by FortiGate is not Linux.
  * The NAC policy explicitly requires Operating System = Linux.
  * If the endpoint is actually Windows/macOS, or the OS fingerprint is still "Unknown", the policy will never match, and the device stays in onboarding. Also a valid reason.
* C. Management communication between FortiGate and FortiSwitch is down.
  * CLI output (switch-info mac-table and mac-device) proves FortiGate is talking to the switch and sees MAC/VLAN/port information. Not a valid reason.
* D. The MAC address configured on the NAC policy is incorrect.
  * The exhibits show the MAC in the NAC policy matches the MAC appearing in the MAC table. Not the cause here.

by Winni at Mar 24, 2026, 12:41 AM
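The match logic the comment walks through, as an added example that is not part of the original discussion or of FortiOS: it parses the mac-table line format shown above and evaluates the NAC policy's criteria (MAC plus Operating System = Linux) against what FortiGate has learned, reporting which criterion kept the device in the onboarding VLAN. The sample line, the policy dictionary and the `evaluate_nac` model are constructed/hypothetical; real FortiOS decides this internally.

```python
import re

ONBOARDING_VLAN = 4089  # onboarding VLAN seen in the CLI output on the page

# NAC policy criteria as listed in the exhibit summary (constructed dict, not FortiOS config)
NAC_POLICY = {
    "category": "Device",
    "mac": "70:88:6b:8c:4a:ce",
    "os": "Linux",
    "assign_vlan": "Students",
}

# Constructed sample in the same layout as the mac-table line quoted on the page
MAC_TABLE_LINE = "MAC: 70:88:6b:8c:4a:ce VLAN: 4089 Port: port2"
MAC_RE = re.compile(r"MAC:\s*([0-9a-f:]{17})\s+VLAN:\s*(\d+)\s+Port:\s*(\S+)", re.I)


def parse_mac_table(line):
    """Parse one 'MAC: .. VLAN: .. Port: ..' line into a dict, or None if it does not match."""
    m = MAC_RE.search(line)
    if not m:
        return None
    return {"mac": m.group(1).lower(), "vlan": int(m.group(2)), "port": m.group(3)}


def evaluate_nac(entry, device_detection_enabled, detected_os, policy=NAC_POLICY):
    """Hypothetical model of the decision: return (resulting VLAN, list of failed criteria).

    Assumption: the policy matches only when device detection is active on the
    endpoint's VLAN (otherwise no OS is learned) and every criterion equals the
    learned value. Any failure leaves the device in the onboarding VLAN.
    """
    reasons = []
    if not device_detection_enabled:
        reasons.append(f"device detection disabled on VLAN {entry['vlan']}: no OS learned")
        detected_os = "Unknown"  # nothing fingerprinted, so the OS criterion cannot match
    if entry["mac"] != policy["mac"].lower():
        reasons.append("MAC in policy does not match the MAC learned on the port")
    if detected_os != policy["os"]:
        reasons.append(f"detected OS '{detected_os}' != policy OS '{policy['os']}'")
    if reasons:
        return ONBOARDING_VLAN, reasons
    return policy["assign_vlan"], []
```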
