Fortinet FCSS_LED_AR-7.6 - Fortinet NSE 6 - LAN Edge 7.6 Architect

From theWTP profile:

set handoff-rssi 30

set handoff-sta-thresh 30

config radio-1

set band 802.11n-2G

set vaps "Student01"

config radio-2

set band 802.11ac-5G

set darrp enable

set arrp-profile "arrp-default"

set vaps "Student01"

Key points:

Same SSID (Student01)is broadcast onboth APsand onboth bands(2.4 and 5 GHz).

handoff-sta-thresh 30 enablesclient load-balancingbetween APs:

When an AP radio hasmore than 30 associated clients, it starts rejecting new associations so that clients connect to a neighboring AP instead (as long as RSSI is still acceptable).

Current client counts:

AP1:32 clients on 5 GHz, 22 on 2.4 GHz

AP2:12 clients on 5 GHz, 20 on 2.4 GHz

So on 5 GHz:

AP1’s 5-GHz radioexceedsthe 30-client threshold (32 > 30) → it will try topush new clients away.

AP2’s 5-GHz radio iswell belowthe threshold (12 clients) and will happily accept new clients.

The new dual-band client is seen at:

–33 dBmby AP1

–43 dBmby AP2

Even though AP1 has the stronger signal, its 5-GHz radio is already overloaded according to the configured threshold, so AP1 will refuse association attempts from that client. The client will then associate toAP2’s 5-GHz radio, which:

Hasfewer clients(better airtime per device), and

Still has an acceptable signal (–43 dBm is easily usable on 5 GHz).

That matches optionCexactly.

Other options are incorrect because they ignore the configuredclient-load-balancing thresholdsand assume association based purely on RSSI or prefer 2.4 GHz, which is not what this profile is tuned to do.

In this design, FortiAuthenticator receivesRADIUS accounting (RSSO) messages, looks up the user in LDAP to get group information, theninjects FSSO logon eventstoward all FortiGate devices.

From the exhibits we know:

FortiAuthenticatoris receiving RADIUS accountingfrom the RADIUS server.

LDAP queries are successful and return group membership.

But FortiGatedoes not receive FSSO logons, so identity-based policies are not applied.

For FortiAuthenticator to create an FSSO logon, the RADIUS accounting record must be correctlyparsed into at least:

Username

Client IP address

These are mapped from the RADIUS attributes in theRADIUS Accounting SSO clientconfiguration (for example, User-Name and Framed-IP-Address). If these are not defined or mapped incorrectly, FortiAuthenticator can see the accounting packet butcannot build a valid FSSO session, so no update is sent to FortiGate.

Thus the most likely root cause is:

✔The RADIUS Username and Client IPv4 attributes are not correctly definedfor that RADIUS Accounting SSO client (optionA).

Other options conflict with the scenario:

B– LDAP is already successfully returning groups.

C– FSSO user group attribute is separate; even without it, FSSO logons would still be created (just without group mapping).

D– The interfaceisreceiving RADIUS accounting, so it is clearly enabled.