Fortinet NSE6_FAC-6.4 Practice Test - Questions Answers

FortiAuthenticator can help facilitate the process of replacing an existing RADIUS server by enabling learning mode in the RADIUS server configuration. This allows FortiAuthenticator to learn user credentials from the existing RADIUS server and store them locally for future authentication requests2. This way, FortiAuthenticator can gradually take over the role of the RADIUS server without disrupting the user experience.

Reference: 2 https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administrationguide/ 906179/radius-service#learning-mode

Guest accounts are associated with the sponsor that creates the guest account. A sponsor is a user who has permission to create and manage guest accounts on behalf of other users3. A sponsor can create guest accounts using the sponsor portal or the REST API3. The sponsor's username is recorded as a field in the guest account's profile3.

Reference: 3 https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administrationguide/ 906179/guest-management#sponsors

Realms are a way to delegate user accounts, user groups and permissions per domain when they are authenticating on a single FortiAuthenticator device. A realm is a logical grouping of users and groups based on a common attribute, such as a domain name or an IP address range. Realms allow administrators to apply different authentication policies and settings to different groups of users based on their realm membership.

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administrationguide/ 906179/user-management#realms

Adaptive Authentication is a feature that allows administrators to bypass the need for two-factor authentication for users accessing from specific secured networks. Adaptive Authentication uses geolocation information from IP addresses to determine whether a user is accessing from a trusted network or not. If the user is accessing from a trusted network, FortiAuthenticator can skip the second factor of authentication and grant access based on the first factor only.

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administrationguide/ 906179/authentication-policies#adaptive-authentication

When deploying FortiAuthenticator for portal services, such as guest portal, sponsor portal, user portal or FortiToken activation portal, the network configuration must allow specific ports to be open between FortiAuthenticator and the authentication clients. These ports are:

TCP 80 for HTTP access TCP 443 for HTTPS access TCP 389 for LDAP access TCP 636 for LDAPS access UDP 1812 for RADIUS authentication UDP 1813 for RADIUS accounting Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administrationguide/ 906179/portal-services#network-configuration

One possible cause of the issue is time drift between FortiAuthenticator and hardware tokens. Time drift occurs when the internal clocks of FortiAuthenticator and hardware tokens are not synchronized. This can result in mismatched one-time passwords (OTPs) generated by the hardware tokens and expected by FortiAuthenticator. To prevent this issue, FortiAuthenticator provides a time drift tolerance option that allows a certain number of seconds of difference between the clocks.

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administrationguide/ 906179/two-factor-authentication#time-drift-tolerance

An OCSP responder URL in an end-entity certificate is used to designate a server for certificate status checking. OCSP stands for Online Certificate Status Protocol, which is a method of verifying whether a certificate is valid or revoked in real time. An OCSP responder is a server that responds to OCSP requests from clients with the status of the certificate in question. The OCSP responder URL in an end-entity certificate points to the location of the OCSP responder that can provide the status of that certificate.

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administrationguide/ 906179/certificate-management#ocsp-responder

Network HSM is a feature that allows FortiAuthenticator to keep local CA cryptographic keys stored in a central location. HSM stands for Hardware Security Module, which is a physical device that provides secure storage and generation of cryptographic keys. Network HSM allows FortiAuthenticator to use an external HSM device to store and manage the private keys of its local CAs, instead of storing them locally on the FortiAuthenticator device.

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administrationguide/ 906179/certificate-management#network-hsm

SP-initiated SSO SAML packet flow for a host without a SAML assertion is as follows:

Principal contacts service provider, requesting access to a protected resource.

Service provider redirects principal to identity provider, sending a SAML authentication request.

Principal authenticates with identity provider using their credentials.

After successful authentication, identity provider redirects principal back to service provider, sending a SAML response with a SAML assertion containing the principal's attributes.

Service provider validates the SAML response and assertion, and grants access to the principal.

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administrationguide/ 906179/saml-service-provider#sp-initiated-sso