An OT supervisor has configured LDAP and FSSO for the authentication. The goal is that all the users be authenticated against passive authentication first and, if passive authentication is not successful, then users should be challenged with active authentication.
What should the OT supervisor do to achieve this on FortiGate?
To achieve the goal of using passive authentication (FSSO) first and then falling back to active authentication (LDAP) if the passive authentication is not successful, the OT supervisor needs to configure the FortiGate to attempt authentication on demand. This can be done by setting the 'auth-on-demand' option to 'implicit' under the user settings configuration. This setting ensures that FortiGate will try to use passive authentication first and only prompt for active authentication if the passive method fails.
C Explanation/Reference: studyguide_page88
Explanation/Reference: studyguide_page88
C, auth-on-demand implicit is default
Ans: C
C. When you enable authentication, all the systems will have to authenticated before traffic is placed on egress interface. Alternatively, on the CLI only, you can change the auth-on-demand option to always.
C for sure
D. Under config user settings configure set auth-on-demand implicit.
C. Configure a firewall policy with FSSO users and place it on the top of list of firewall policies.
only with the command in D option permit to have passive and active auth. with FSSO no user prompt regardless order of any firewall policy.