Which two EAP methods can use MSCHAPV2 for client authentication? (Choose two.)

A. PEAP

B. EAP-TTLS

C. EAP-TLS

D. EAP-GTC

What does DHCP snooping MAC verification do?

A. Drops DHCP release packets on untrusted ports

B. Drops DHCP packets with no relay agent information (option 82) on untrusted ports

C. Drops DHCP offer packets on untrusted ports

D. Drops DHCP packets on untrusted ports when the client hardware address does not match the source MAC address

Refer to the exhibit.

Examine the configuration of the FortiSwitch security policy profile.

If the security profile shown in the exhibit is assigned on the FortiSwitch port for 802.1X.port authentication, which statement is correct?

A. Host machines that do support 802.1X authentication, but have failed authentication, will be assigned the guest VLAN.

B. All unauthenticated users will be assigned the auth-fail VLAN.

C. Authenticated users that are part of the wired-users group will be assigned the guest VLAN.

D. Host machines that do not support 802.1X authentication will be assigned the guest VLAN.

Refer to the exhibit.

Examine the network topology shown in the exhibit.

Which port should have root guard enabled?

A. FortiSwitch A, port2

B. FortiSwitch A, port1

C. FortiSwitch B, port1

D. FortiSwitch B, port2

Refer to the exhibits.

Examine the VAP configuration and the WiFi zones table shown in the exhibits.

Which two statements describe FortiGate behavior regarding assignment of VLANs to wireless clients? (Choose two.)

A. FortiGate will load balance clients using VLAN 101 and VLAN 102 and assign them an IP address from the 10.0.3.0/24 subnet.

B. Clients connecting to APs in the Floor 1 group will not be able to receive an IP address.

C. All clients connecting to the Corp SSID will receive an IP address from the 10.0.3.1/24 subnet.

D. Clients connecting to APs in the Office group will be assigned an IP address from the 10.0.20.1/24 subnet.

What is the purpose of configuring the Windows Active Directory Domain Authentication feature?

A. Allows FortiAuthenticator to register itself as a Windows trusted device to proxy CHAP authentication using Kerberos.

B. Allows FortiAuthenticator to use Windows administrator credentials to perform an LDAP lookup for a user search.

C. Allows FortiAuthenticator to use a Windows CA certificate when authenticating RADIUS users.

D. Allows FortiAuthenticator to authenticate users listed on Windows AD. Enables single sign-on services for VPN and wireless users.

Refer to the exhibit.

The exhibit shows a network topology and SSID settings.

FortiGate is configured to use an external captive portal. However, wireless users are not able to see the captive portal login page.

Which configuration change should the administrator make to fix the problem?

A. Create a firewall policy to allow traffic from the Guest SSID to FortiAuthenticator and Windows AD devices.

B. Enable the captive-portal-exemptoption in the firewall policy with the ID 10.

C. Remove guest.portal user group in the firewall policy.

D. FortiAuthenticator and WindowsAD address objects should be added as exempt sources.

Refer to the exhibit.

The exhibit shows two FortiGate devices in active-passive HA mode, including four FortiSwitch devices

connected to a ring.

Which two configurations are required to deploy this network topology? (Choose two.)

A. Configure link aggregation interfaces on the FortiLink interfaces.

B. Configure the trunk interfaces on the FortiSwitch devices as MCLAG-ISL.

C. Enable fortilink-split-interfaceon the FortiLink interfaces.

D. Enable STP on the FortiGate interfaces.

Refer to the exhibit showing certificate values.

Wireless guest users are unable to authenticate because they are getting a certificate error while loading the captive portal login page. This URL string is the HTTPS POST URL guest wireless users see when attempting to access the network using the web browser:

https://fac.trainingad.training.com/guests/login/?loginandpost=https://auth.trainingad.training.1ab:1003/fgtauthandmagic=000a038293d1f411andusermac=b8:27:eb:d8:50:02andapmac=70:4c:a5:9d:0d:28andapip=10.10.100.2anduserip=10.0.3.1andssid=Guest03andapname=PS221ETF18000148andbssid=70:4c:a5:9d:0d:30

Which two settings are the likely causes of the issue? (Choose two.)

A. The external server FQDN is incorrect.

B. The FortiGate authentication interface address is using HTTPS.

C. The wireless user's browser is missing a CA certificate.

D. The user address is not in DDNS form.

Examine the following output from the FortiLink real-time debug.

Based on the output, what is the status of the communication between FortiGate and FortiSwitch?

A. FortiGate is unable to authorize the FortiSwitch.

B. FortiGate is unable to establish FortiLink tunnel to manage the FortiSwitch.

C. FortiGate is unable to located a previously managed FortiSwitch.

D. The FortiLink heartbeat is up.