FortiWiFi and FortiAP Configuration Guide

Configuring 802.1X supplicant on LAN

When the FortiAP is connected to a switch port with 802.1X authentication enabled, the FortiAP can be configured to act as an 802.1X supplicant to authenticate against the server using EAP-FAST, EAP-TLS or EAP-PEAP.

When the port is configured for 802.1x authentication, the switch does not allow any traffic other than 802.1x traffic to pass through the port until the device connected to the port authenticates successfully. Once the authentication is successful, FortiAP packets can pass through the switch port and join the FortiGate.

To enable 802.1X authentication - GUI:
  1. Go to WiFi & Switch Controller > FortiAP Profiles and select the profile you want to enable 802.1X authentication on.
  2. Enable 802.1X authentication and select the authentication method:
    • All
    • EAP-FAST
    • EAP-TLS
    • EAP-PEAP

  3. Enter a Username and Password for authentication.
  4. Click OK to save.

To enable 802.1X authentication on a FortiGate managed FortiAP - CLI:
config wireless-controller wtp-profile
  edit "431F"
    config platform
      set type 431F
      set ddscan enable
    end
    set handoff-sta-thresh 55
    set ap-country CA
    config radio-1
      set band 802.11ax,n,g-only
    end
    config radio-2
      set band 802.11ax-5G
    end
    config radio-3
      set mode monitor
    end
    set wan-port-auth 802.1x
    set wan-port-auth-usrname "tester"
    set wan-port-auth-password ENC ***********
    set wan-port-auth-methods EAP-PEAP
  next
end

Note

The default setting for wan-port-auth is "none" and the default setting for wan-port-auth-methods is "all".

To enable 802.1X authentication on a FortiAP not managed by FortiGate - CLI:
FortiAP-431F # cfg -a WAN_1X_ENABLE=1
cfg -a WAN_1X_USERID=tester
cfg -a WAN_1X_PASSWD=12345678
cfg -a WAN_1X_METHOD=3

WAN_1X_ENABLE

Enable or disable the WAN port 802.1x supplicant:

  • 0: Disabled
  • 1: Enabled

The default setting is 0.

WAN_1X_USERID

WAN port 802.1x supplicant user.

WAN_1X_PASSWD

WAN port 802.1x supplicant password.

WAN_1X_METHOD

Select an EAP method for the WAN port 802.1x supplicant:

  • 0: EAP-ALL
  • 1: EAP-FAST
  • 2: EAP-TLS
  • 3: EAP-PEAP

The default setting is 0.

To upload certificates via the FortiAP CLI:
cw_diag -c wan1x [<get-ca-cert|get-client-cert|get-private-key> <tftp server IP> <file name>]
FortiAP-431F # cw_diag -c wan1x get-ca-cert 172.16.200.100 ca.cert.pem
Get "ca.cert.pem" from tftp server OK.

To verify that a FortiAP has successfully authenticated against the 802.1X RADIUS server:
FortiAP-431F # cw_diag -c wan1x
WAN port 802.1x supplicant:
EAP methods : EAP-PEAP
Username : tester
PasswordENC : ************
CA CERT : users
Client CERT : default
Private Key : default
Port Status : Authorized
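
The verification step above can be automated across many APs. The following Python is an added example, not Fortinet code: it parses captured cw_diag -c wan1x output and checks it against the intended WAN_1X_METHOD and username. The function names are hypothetical, the "Unauthorized" status string is a constructed sample value, and the script assumes the status output names the EAP method the same way the WAN_1X_METHOD list does.

```python
# Added example, not Fortinet code: audit captured `cw_diag -c wan1x` output.
WAN_1X_METHOD = {0: "EAP-ALL", 1: "EAP-FAST", 2: "EAP-TLS", 3: "EAP-PEAP"}  # from this page
HEADER = "WAN port 802.1x supplicant:"

def parse_wan1x(output):
    """Return the 'key : value' fields that follow the status header."""
    fields, seen_header = {}, False
    for raw in output.splitlines():
        line = raw.strip()
        if line == HEADER:
            seen_header = True
        elif seen_header and " : " in line:
            key, value = line.split(" : ", 1)
            if key.strip() != "PasswordENC":  # never carry the secret into reports
                fields[key.strip()] = value.strip()
    if not seen_header:
        raise ValueError("no WAN port 802.1x supplicant block in output")
    return fields

def audit_wan1x(output, method_id, username):
    """Return a list of findings; an empty list means the port passed."""
    fields = parse_wan1x(output)
    findings = []
    status = fields.get("Port Status", "<missing>")
    if status != "Authorized":  # any other value is treated as a failure
        findings.append(f"port not authorized (Port Status: {status})")
    want, got = WAN_1X_METHOD[method_id], fields.get("EAP methods", "<missing>")
    if got != want:
        findings.append(f"EAP method is {got}, expected {want}")
    if fields.get("Username") != username:
        findings.append("supplicant username differs from the configured one")
    return findings

# Sample output as shown on this page.
GOOD = """FortiAP-431F # cw_diag -c wan1x
WAN port 802.1x supplicant:
EAP methods : EAP-PEAP
Username : tester
PasswordENC : ************
CA CERT : users
Client CERT : default
Private Key : default
Port Status : Authorized
"""
# Constructed failure case: wrong method and a made-up non-authorized status.
BAD = GOOD.replace("EAP-PEAP", "EAP-FAST").replace(": Authorized", ": Unauthorized")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_wan1x(text, 3, "tester") or "pass")
```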
