Fortinet black logo

FortiWiFi and FortiAP Configuration Guide

Configuring 802.1X supplicant on LAN

Copy Link
Copy Doc ID f39c7021-8ec7-11ec-9fd1-fa163e15d75b:85193
Download PDF

Configuring 802.1X supplicant on LAN

When the FortiAP is connected to a switch port with 802.1x authentication enabled, the FortiAP can be configured to act as a 802.1x supplicant to authenticate against the server using EAP-FAST, EAP-TLS or EAP-PEAP.

When the port is configured for 802.1x authentication, the switch does not allow any traffic other than 802.1x traffic to pass through the port until the device connected to the port authenticates successfully. Once the authentication is successful, FortiAP packets can pass through the switch port and join the FortiGate.

To enable 802.1X authentication - GUI
  1. Go to WiFi & Switch Controller > FortiAP Profiles and select the profile you want to enable 802.1X authentication on.
  2. Enable 802.1X authentication and select the authentication method:
    • All
    • EAP-FAST
    • EAP-TLS
    • EAP-PEAP

  3. Enter a Username and Password for authentication.
  4. Click OK to save.

To enable 802.1X authentication on a FortiGate managed FortiAP - CLI
config wireless-controller wtp-profile
  edit "431F"
    config platform
      set type 431F
      set ddscan enable
    end
    set handoff-sta-thresh 55
    set ap-country CA
    config radio-1
      set band 802.11ax,n,g-only
    end
    config radio-2
      set band 802.11ax-5G
    end
    config radio-3
      set mode monitor
    end
    set wan-port-auth 802.1x
    set wan-port-auth-usrname "tester"
    set wan-port-auth-password ENC ***********
    set wan-port-auth-methods EAP-PEAP
  next
end
Note

The default setting for wan-port-auth is "none" and the default setting for wan-port-auth-methods is "all"

To enable 802.1X authentication on a FortiAP not managed by FortiGate - CLI
FortiAP-431F # cfg -a WAN_1X_ENABLE=1
cfg -a WAN_1X_USERID=tester
cfg -a WAN_1X_PASSWD=12345678
cfg -a WAN_1X_METHOD=3

WAN_1X_ENABLE

Enable or Disable WAN port 802.1x supplicant:

  • 0: Disabled
  • 1: Enabled

The default setting is 0.

WAN_1X_USERID

WAN port 802.1x supplicant user.

WAN_1X_PASSWD

WAN port 802.1x supplicant password.

WAN_1X_METHOD

Select an EAP method for the WAN port 802.1x supplicant:

  • 0: EAP-ALL
  • 1: EAP-FAST
  • 2: EAP-TLS
  • 3: EAP-PEAP

The default setting is 0.

To upload certificates via the FortiAP CLI:
cw_diag -c wan1x [<get-ca-cert|get-client-cert|get-private-key> <tftp server IP> <file name>]
FortiAP-431F # cw_diag -c wan1x get-ca-cert 172.16.200.100 ca.cert.pem
Get "ca.cert.pem" from tftp server OK.
To verify a FortiAP is successfully authenticated from 802.1x radius
FortiAP-431F # cw_diag -c wan1x
WAN port 802.1x supplicant:
EAP methods : EAP-PEAP
Username : tester
PasswordENC : ************
CA CERT : users
Client CERT : default
Private Key : default
Port Status : Authorized

Configuring 802.1X supplicant on LAN

When the FortiAP is connected to a switch port with 802.1x authentication enabled, the FortiAP can be configured to act as a 802.1x supplicant to authenticate against the server using EAP-FAST, EAP-TLS or EAP-PEAP.

When the port is configured for 802.1x authentication, the switch does not allow any traffic other than 802.1x traffic to pass through the port until the device connected to the port authenticates successfully. Once the authentication is successful, FortiAP packets can pass through the switch port and join the FortiGate.

To enable 802.1X authentication - GUI
  1. Go to WiFi & Switch Controller > FortiAP Profiles and select the profile you want to enable 802.1X authentication on.
  2. Enable 802.1X authentication and select the authentication method:
    • All
    • EAP-FAST
    • EAP-TLS
    • EAP-PEAP

  3. Enter a Username and Password for authentication.
  4. Click OK to save.

To enable 802.1X authentication on a FortiGate managed FortiAP - CLI
config wireless-controller wtp-profile
  edit "431F"
    config platform
      set type 431F
      set ddscan enable
    end
    set handoff-sta-thresh 55
    set ap-country CA
    config radio-1
      set band 802.11ax,n,g-only
    end
    config radio-2
      set band 802.11ax-5G
    end
    config radio-3
      set mode monitor
    end
    set wan-port-auth 802.1x
    set wan-port-auth-usrname "tester"
    set wan-port-auth-password ENC ***********
    set wan-port-auth-methods EAP-PEAP
  next
end
Note

The default setting for wan-port-auth is "none" and the default setting for wan-port-auth-methods is "all"

To enable 802.1X authentication on a FortiAP not managed by FortiGate - CLI
FortiAP-431F # cfg -a WAN_1X_ENABLE=1
cfg -a WAN_1X_USERID=tester
cfg -a WAN_1X_PASSWD=12345678
cfg -a WAN_1X_METHOD=3

WAN_1X_ENABLE

Enable or Disable WAN port 802.1x supplicant:

  • 0: Disabled
  • 1: Enabled

The default setting is 0.

WAN_1X_USERID

WAN port 802.1x supplicant user.

WAN_1X_PASSWD

WAN port 802.1x supplicant password.

WAN_1X_METHOD

Select an EAP method for the WAN port 802.1x supplicant:

  • 0: EAP-ALL
  • 1: EAP-FAST
  • 2: EAP-TLS
  • 3: EAP-PEAP

The default setting is 0.

To upload certificates via the FortiAP CLI:
cw_diag -c wan1x [<get-ca-cert|get-client-cert|get-private-key> <tftp server IP> <file name>]
FortiAP-431F # cw_diag -c wan1x get-ca-cert 172.16.200.100 ca.cert.pem
Get "ca.cert.pem" from tftp server OK.
To verify a FortiAP is successfully authenticated from 802.1x radius
FortiAP-431F # cw_diag -c wan1x
WAN port 802.1x supplicant:
EAP methods : EAP-PEAP
Username : tester
PasswordENC : ************
CA CERT : users
Client CERT : default
Private Key : default
Port Status : Authorized