Configuring 802.1X supplicant on LAN
When the FortiAP is connected to a switch port with 802.1X authentication enabled, the FortiAP can be configured to act as an 802.1X supplicant and authenticate against the RADIUS server using EAP-FAST, EAP-TLS or EAP-PEAP.
When the port is configured for 802.1x authentication, the switch does not allow any traffic other than 802.1x traffic to pass through the port until the device connected to the port authenticates successfully. Once the authentication is successful, FortiAP packets can pass through the switch port and join the FortiGate.
To enable 802.1X authentication - GUI:
- Go to WiFi & Switch Controller > FortiAP Profiles and select the profile you want to enable 802.1X authentication on.
- Enable 802.1X authentication and select the authentication method:
- All
- EAP-FAST
- EAP-TLS
- EAP-PEAP
- Enter a Username and Password for authentication.
- Click OK to save.
To enable 802.1X authentication on a FortiGate managed FortiAP - CLI:
```
config wireless-controller wtp-profile
    edit "431F"
        config platform
            set type 431F
            set ddscan enable
        end
        set handoff-sta-thresh 55
        set ap-country CA
        config radio-1
            set band 802.11ax,n,g-only
        end
        config radio-2
            set band 802.11ax-5G
        end
        config radio-3
            set mode monitor
        end
        set wan-port-auth 802.1x
        set wan-port-auth-usrname "tester"
        set wan-port-auth-password ENC ***********
        set wan-port-auth-methods EAP-PEAP
    next
end
```
To enable 802.1X authentication on a FortiAP not managed by FortiGate - CLI:
```
FortiAP-431F # cfg -a WAN_1X_ENABLE=1
FortiAP-431F # cfg -a WAN_1X_USERID=tester
FortiAP-431F # cfg -a WAN_1X_PASSWD=12345678
FortiAP-431F # cfg -a WAN_1X_METHOD=3
```
| Parameter | Description |
|---|---|
| WAN_1X_ENABLE | Enable or disable the WAN port 802.1x supplicant. The default setting is 0. |
| WAN_1X_USERID | WAN port 802.1x supplicant user. |
| WAN_1X_PASSWD | WAN port 802.1x supplicant password. |
| WAN_1X_METHOD | Select an EAP method for the WAN port 802.1x supplicant. The default setting is 0. |
To upload certificates via the FortiAP CLI:
```
cw_diag -c wan1x [<get-ca-cert|get-client-cert|get-private-key> <tftp server IP> <file name>]

FortiAP-431F # cw_diag -c wan1x get-ca-cert 172.16.200.100 ca.cert.pem
Get "ca.cert.pem" from tftp server OK.
```
To verify a FortiAP is successfully authenticated by the 802.1x RADIUS server:
```
FortiAP-431F # cw_diag -c wan1x
WAN port 802.1x supplicant:
 EAP methods : EAP-PEAP
 Username : tester
 PasswordENC : ************
 CA CERT : users
 Client CERT : default
 Private Key : default
 Port Status : Authorized
```
Media Access Control Security
Media Access Control Security (MACsec) is a network protocol that provides authenticity and integrity for the entire Ethernet frame as well as encryption of the Layer 2 data payload. Enabling MACsec on a FortiAP improves communication security of Layer 2 frames passing through wired networks.
Since MACsec is an extension to 802.1X, which provides secure key exchange and mutual authentication for MACsec nodes, FortiAPs must first be configured to pass 802.1X authentication as a supplicant. MACsec can be enabled from the FortiGate or locally on a FortiAP.
Enabling MACsec on FortiAP
In deployments where all FortiAPs are managed by a FortiGate, you can configure 802.1x and MACsec on the FortiAP profile and the configurations will be pushed to assigned FortiAPs. Then, depending on the switch used in your deployment, configure and apply 802.1x and MACsec on the switch ports to which the FortiAPs connect. The FortiAPs continue to communicate with their managing FortiGate and function as usual.
In deployments where you need to connect a new FortiAP to your network before it is managed by FortiGate, you can pre-configure the FortiAP profiles while also configuring MACsec locally on the FortiAP device. Then, ensure that the switch ports to which the FortiAPs will connect have 802.1x and MACsec configured before connecting the FortiAPs.
If MACsec is enabled on a FortiAP, but the switch port that the FortiAP connects to does not have 802.1x and MACsec enabled, then authentication will fail and the FortiAP will lose network connection.
To enable MACsec from a FortiAP profile - CLI:
```
config wireless-controller wtp-profile
    edit <name>
        set wan-port-auth 802.1x
        set wan-port-auth-usrname "tester"
        set wan-port-auth-password ENC *
        set wan-port-auth-methods EAP-PEAP
        set wan-port-auth-macsec enable
    next
end
```
To enable MACsec locally from a FortiAP - CLI:
```
FortiAP-233G # cfg -a WAN_1X_ENABLE:=1
FortiAP-233G # cfg -a WAN_1X_USERID:=tester
FortiAP-233G # cfg -a WAN_1X_PASSWD:=*
FortiAP-233G # cfg -a WAN_1X_METHOD:=3
FortiAP-233G # cfg -a WAN_1X_MACSEC_POLICY:=1
```
To verify a FortiAP successfully passes MACsec authentication:
```
FP233G # cw_diag -c wan1x macsec
participant_idx=0 ckn=972149b46b1ff31c11d3c1d864b0bad9 mi=94a9763a40b2905ba3ec2be9 mn=78974
active=Yes participant=No retain=No live_peers=1 potential_peers=0 is_key_server=No is_elected=Yes
TX SCI : 74:78:a6:98:dc:28@1
RX SCI : 70:35:09:21:cb:84@2
Cipher : GCM-AES-256
Tx Next PN: 298329
Distributed SAK Received : 1
Distributed_an : 0
AN : 0
tx : InUse
rx : InUse
Confidentiality_offset : 30
replay_protect : 0
replay_window : 0
```
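The two `cw_diag -c wan1x` outputs above (the supplicant status and the MACsec status) are what an operator checks after deployment. As an added example that is not part of the Fortinet documentation, the following script parses both output styles and reports the states a defender would want to confirm: an Authorized port, the expected cipher, a live MKA peer, and MACsec settings such as replay protection or a non-zero confidentiality offset that weaken the link. The sample text is constructed from the page's own output; treating `replay_protect` as a 0/1 flag is an assumption.

```python
import re

# Constructed samples, copied from the page's own cw_diag output (not from live devices).
WAN1X_SAMPLE = """\
WAN port 802.1x supplicant:
EAP methods : EAP-PEAP
Port Status : Authorized
"""
MACSEC_SAMPLE = """\
participant_idx=0 ckn=972149b46b1ff31c11d3c1d864b0bad9 mn=78974
active=Yes live_peers=1 potential_peers=0 is_key_server=No
Cipher : GCM-AES-256
tx : InUse
rx : InUse
Confidentiality_offset : 30
replay_protect : 0
"""

def parse_wan1x(text):
    """Flatten both output styles ('Key : Value' lines and 'key=value' tokens) into one dict."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            fields.update(re.findall(r"(\w+)=(\S+)", line))
        elif ":" in line:
            key, _, val = line.partition(":")
            if val.strip():  # skips the bare 'WAN port 802.1x supplicant:' header
                fields[key.strip()] = val.strip()
    return fields

def dot1x_findings(fields):
    # 802.1X supplicant state: the only healthy result is an Authorized port.
    status = fields.get("Port Status", "missing")
    return [] if status == "Authorized" else ["port status is %s, not Authorized" % status]

def macsec_findings(fields, expected_cipher="GCM-AES-256"):
    """MACsec state: flag incomplete or weakened settings for review."""
    out = []
    if fields.get("Cipher") != expected_cipher:
        out.append("cipher %s differs from expected %s" % (fields.get("Cipher"), expected_cipher))
    if fields.get("live_peers", "0") == "0":
        out.append("no live MKA peer")
    if fields.get("tx") != "InUse" or fields.get("rx") != "InUse":
        out.append("SAK not in use on both directions")
    # Assumption: replay_protect is an integer flag, 0 meaning replay protection is off.
    if fields.get("replay_protect", "0") == "0":
        out.append("replay protection disabled")
    off = int(fields.get("Confidentiality_offset", "0"))
    if off:  # a non-zero offset leaves that many leading payload octets unencrypted
        out.append("confidentiality offset %d: leading payload bytes sent in clear" % off)
    return out
```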
To verify a FortiAP is registered in FortiGate with 802.1X and MACsec authentication:
```
FortiGate-301E (vdom1) # diagnose wireless-controller wlac -c wtp
WTP vd : vdom1, 3-FP233GTF23000132 MP00
 uuid : 0d96e930-1aaf-51ef-0a3a-315f022a18d7
 mgmt_vlanid : 0
 region code : E invalid
 refcnt : 3 own(1) wtpprof(1) ws(1) deleted(no)
 apcfg status : N/A,N/A cfg_ac=0.0.0.0:0 val_ac=0.0.0.0:0 cmds T 0 P 0 U 0 I 0 M 0
 apcfg cmd details:
 plain_ctl : disabled
 image-dl(wtp,rst): yes,no
 admin : enable
 wtp-profile : cfg(233G) override(disabled) oper(233G)
 ……….
 SNMP : disabled
 WAN port authentication: 802.1X
 WAN port 802.1x EAP method: EAP-PEAP
 WAN port 802.1x Macsec: enabled
```