The correct answer is C.
The LAN Edge 7.6 Architect study guide states: “If you are using an external captive portal server, you must configure a firewall policy and exempt web traffic to the external captive portal IP address.”
It also states: “Just selecting and applying the address object and selecting the services is not enough to allow the traffic to pass through FortiGate. You must also have a corresponding firewall policy in place that allows the pinhole traffic to pass through FortiGate.”
The guide further explains: “An alternative method to exempt captive portal traffic is to create a firewall policy and enable the Exempt from Captive Portal option.”
In this case, the external captive portal URL is correct, but users still cannot reach the login page. That means the traffic needed to reach the external captive portal is not being exempted properly through the firewall policy. Therefore, the missing correction is to use the firewall policy with the captive-portal-exempt option.
Why the other options are incorrect:
A. Incorrect. The study guide refers to exempting traffic to the external captive portal destination, not adding FortiAuthenticator and WindowsAD as exempt sources
B. Incorrect. External captive portal authentication does not require WPA2 Enterprise. The SSID can remain open and use captive portal authentication instead
D. Incorrect. The guest user group is used on the policy that allows authenticated users onward access after login, not on the exempt policy that lets unauthenticated users reach the portal first
