Refer to the exhibits to analyze a network topology and SSID settings. FortiGate is configured to use an external captive portal for authentication to grant access to a wireless network. Testing detected that users attempting to access the SSID are not able to access the captive portal login page. Which configuration change should fix this issue? (Choose one answer)

A. Change the SSID security mode to WPA2-Enterprise for authentication.
B. Firewall policy with the ID 13 must have NAT disabled.
C. Address objects FortiAuthenticator and WindowsAD must be included as exempt destinations/services.
D. A firewall policy with port4 as source is missing.

Correct Answer: D

Brave-Dump Clients Votes

C 66.67%

D 33.33%

Comments

Mohamed Shaban 2026-02-22 13:27:02

Selected Answers: C

The missing configuration is a firewall policy that allows users’ unauthenticated traffic to reach the captive portal, as described on page p267.
In other words, you must have a policy from the user-facing interface that permits HTTP/HTTPS (and usually DNS) so the FortiGate can intercept the request and present the captive portal login page
so I think there is missing option for this question

Anonymous User 2026-03-27 17:40:13

Selected Answers: D

Either this question is rubbish, or if not, then only D remains as only possible answer. C is wrong, because adress objects have been added as exempt already. But setting exempt alone is not enough, we need an addition policy allowing traffic from WLAN Client to DNS and Authenticatior. I would assume to use the wireless interface as source, but as we only have the option of port 4 as source, I would choose this.

Anonymous User 2026-04-13 19:58:05

Selected Answers: C

I had this question in my exam. In this version the screenshot is not correct. In my exam, the FAC & AD were selected as source exempt. So C is the correct answer, because both objects has to be the exempt destination / service.