The correct answer is D.
The LAN Edge 7.6 Architect study guide explains that when using an external captive portal, configuring the portal URL and exempt destinations on the SSID is not enough by itself. FortiGate must also have a matching firewall policy that allows the unauthenticated client traffic path to the external portal.
The guide states: “If you are using an external captive portal server, you must configure a firewall policy and exempt web traffic to the external captive portal IP address.”
It also states: “Just selecting and applying the address object and selecting the services is not enough to allow the traffic to pass through FortiGate. You must also have a corresponding firewall policy in place that allows the pinhole traffic to pass through FortiGate.”
In the exhibit, the SSID already includes FortiAuthenticator and WindowsAD as exempt destinations/services, so option C is already configured. However, the wireless clients connect through the AP on port4, and the only firewall policy visible goes from the guest SSID interface to port1 for internet access. No policy shown permits the required pre-authentication traffic from the wireless side to the external portal resources along the relevant source path. Therefore, the missing fix is the firewall policy using port4 as source.
Why the other options are incorrect:
A. Incorrect. External captive portal authentication is designed to work with an open SSID plus captive portal. WPA2-Enterprise is a different authentication model and is not required here.
B. Incorrect. The study guide does not identify NAT on that policy as the reason users cannot reach the external captive portal login page. The key requirement is the exempt/pinhole firewall policy, not NAT behavior.
C. Incorrect. Those address objects are already present in the SSID configuration under exempt destinations/services, so this is not the missing change.
Final verified conclusion:
Because the exempt destinations are already configured, the missing requirement is the corresponding firewall policy permitting the captive portal pinhole traffic from the wireless source path.
So the correct answer is D.