NSE 7 – OT Security 7.2 — Question 27

An ОТ supervisor has configured LDAP and FSSO for authentication. The goal is that all users be authenticated against passive authentication first and. if passive authentication is not successful, then users should be challenged with active authentication.

What should the ОТ supervisor do to achieve this on FortiGate?

Answer options

• A. Under config user settings, configure set auth-on-demand implicit.
• B. Enable two-factor authentication with FSSO.
• C. Configure a firewall policy with LDAP users and place it at the top of the list of firewall policies.
• D. Configure a firewall policy with FSSO users and place it at the top of the list of firewall policies.

Correct answer: A

Explanation

The correct answer is A because configuring 'set auth-on-demand implicit' allows for passive authentication to be attempted first. Options B, C, and D do not directly implement the required authentication sequence, as they either enable two-factor authentication without addressing the passive/active order or create policies that do not influence the authentication method hierarchy.