Fortinet’s official documentation, including the FortiOS Handbook and NSE 7 training materials, provides detailed guidance on troubleshooting RADIUS authentication issues. The three tools listed below are explicitly supported for diagnosing RADIUS-related problems in FortiOS:

B. You can use the diagnose test authserver radius command to verify RADIUS server configuration, user credentials, and user group membership.This command is a well-documented troubleshooting tool in the FortiOS CLI Reference and Technical Documentation. It allows administrators to manually test RADIUS authentication by specifying the RADIUS server, username, and password. The output provides details on whether the authentication succeeds or fails, along with information about group membership and server reachability. For example:

bash

CollapseWrapCopy

diagnose test authserver radius

This is a critical tool for verifying the RADIUS server's configuration and user authentication flow.

D. You can enable debug for the fnbamd process to view RADIUS authentication details.The fnbamd process (FortiNet Authentication Daemon) handles non-local authentication protocols like RADIUS and LDAP in FortiOS. Enabling debug for this process provides real-time logs of the authentication exchange between the FortiGate and the RADIUS server. This is officially recommended in Fortinet’s troubleshooting guides for advanced diagnostics. The command sequence is:

bash

CollapseWrapCopy

diagnose debug application fnbamd -1

diagnose debug enable

After testing, you can disable debugging with diagnose debug disable. This tool is invaluable for identifying issues such as misconfigured shared secrets, timeouts, or attribute mismatches.

E. You can use the diagnose test application radiusd command to verify the RADIUS server configuration, user credentials, and user group membership.The radiusd process relates to the RADIUS daemon on the FortiGate, and this diagnostic command tests the RADIUS server’s operational status and authentication functionality. While less commonly highlighted than diagnose test authserver radius, it is referenced in Fortinet’s CLI documentation for deeper troubleshooting of the RADIUS service itself. It provides detailed output about the server’s response and can help isolate issues specific to the RADIUS protocol implementation.

Why not A and C?

A. You can enable debug for the fssod process to view RADIUS authentication details.The fssod process relates to FortiSSO (Single Sign-On) and is primarily used for FSSO-based authentication, not direct RADIUS troubleshooting. While it may log some authentication-related events in specific SSO scenarios, it is not a standard tool for RADIUS diagnostics according to Fortinet’s official documentation. Thus, it is not a correct choice here.

C. You can check the Firewall Users widget to view the list of active RADIUS users.While the Firewall Users widget (available in the FortiOS GUI underUser & Authentication > Firewall Users) shows a list of authenticated users, it is a monitoring tool, not a troubleshooting tool. It does not provide diagnostic details about RADIUS authentication failures or server issues, making it insufficient for this purpose per Fortinet’s troubleshooting methodology.

Source Verification

The answers are derived from official Fortinet resources, including:

FortiOS 7.0 CLI Reference(diagnose commands section)

FortiOS Handbook: Authentication(RADIUS troubleshooting section)

NSE 7 - LAN Edge 7.0 training materials (authentication diagnostics module)

These tools (B, D, E) align with Fortinet’s recommended practices for diagnosing RADIUS authentication issues effectively.

According to the FortiGate Administration Guide, “To enable HTTPS authentication, you must enable HTTP redirect in the user authentication settings. This redirects HTTP requests to HTTPS. You must also update the captive portal URL to use HTTPS on both FortiGate and FortiAuthenticator.” Therefore, options B and D are true because they describe the changes that the administrator must make to enforce HTTPS authentication for the captive portal. Option A is false because creating a new SSID with the HTTPS captive portal URL is not required, as the existing SSID can be updated with the new URL. Option C is false because disabling HTTP administrative access on the guest SSID will not enforce HTTPS connection, but rather block HTTP connection.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-secure-authentication-HTTPS-on-a-FortiGate/ta-p/192486

According to the exhibit, the debug output shows that the device connected to port2 on FortiSwitch is sending an EAPOL-Start message, which is the first step of the 802.1X authentication process. However, the output also shows that the device is not sending any EAP-Response messages, which are required to complete the authentication process. Therefore, option A is true because the device is not configured for 802.1X authentication, which means that it does not have the correct credentials or settings to authenticate with the RADIUS server. Option D is also true because the device does not support 802.1X authentication, which means that it does not have the capability or software to perform 802.1X authentication. Option B is false because the device has not been quarantined for 3600 seconds, but rather has a session timeout of 3600 seconds, which is the default value for 802.1X sessions. Option C is false because the device has not been assigned the guest VLAN, but rather has been assigned the default VLAN, which is VLAN 1.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-and-disable-broadcast-of-SSID/ta-p/191840

According to the exhibits, the administrator has configured an automation stitch to automatically quarantine compromised devices based on FortiAnalyzer’s threat detection services. However, according to the FortiAnalyzer logs, the test device is not detected as compromised by FortiAnalyzer, even though it tried to access a malicious website. Therefore, option B is true because FortiAnalyzer does not have a valid threat detection services license, which is required to enable the threat detection services feature. Option D is also true because FortiAnalyzer does not consider the malicious website an indicator of compromise (IOC), which is a criterion for identifying compromised devices. Option A is false because the web filtering rating service is working, as shown by the log entry that indicates that the test device accessed a URL with a category of “Malicious Websites”. Option C is false because the device does not need to have FortiClient installed to be quarantined by FortiGate, as long as it is connected to a managed FortiSwitch device.

According to the FortiManager configuration, the NAC policy is set to match devices with the MAC address of 00:0c:29:6a:2b:3c and the operating system of Linux. However, according to the FortiGate CLI output, the test device has a different MAC address of 00:0c:29:6a:2b:3d. Therefore, option B is true. Option A is also true because the FortiSwitch device status is shown as down, which means that the management communication betweenFortiGate and FortiSwitch is not working properly. This could prevent the NAC policy from being applied correctly. Option C is false because the device operating system detected by FortiGate is Linux, which matches the NAC policy. Option D is false because device detection is enabled on VLAN 4089, as shown by the command “config switch-controller vlan”.