Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.0
Download PDF
Copy Link

switch-controller security-policy 802-1X

Use this command to create 802.1X security policies.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set open-auth {enable | disable}

Enable or disable (by default) FortiLink open authentication for this policy.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set user-group <name>

This entry is now mandatory for an 802.1x security policy to work correctly.

config switch-controller security-policy 802-1X
    edit {name}
    # Configure 802.1x MAC Authentication Bypass (MAB) policies.
        set name {string}   Policy name. size[31]
        set security-mode {802.1X | 802.1X-mac-based}   Port or MAC based 802.1X security mode.
                802.1X            802.1X port based authentication.
                802.1X-mac-based  802.1X MAC based authentication.
        config user-group
            edit {name}
            # Name of user-group to assign to this MAC Authentication Bypass (MAB) policy.
                set name {string}   Group name. size[64] - datasource(s): user.group.name
            next
        set mac-auth-bypass {disable | enable}   Enable/disable MAB for this policy.
        set open-auth {disable | enable}   Enable/disable open authentication for this policy.
        set eap-passthru {disable | enable}   Enable/disable EAP pass-through mode, allowing protocols (such as LLDP) to pass through ports for more flexible authentication.
        set guest-vlan {disable | enable}   Enable the guest VLAN feature to allow limited access to non-802.1X-compliant clients.
        set guest-vlanid {integer}   Guest VLAN ID. range[0-65535]
        set guest-vlan-id {string}   Guest VLAN name. size[15] - datasource(s): system.interface.name
        set guest-auth-delay {integer}   Guest authentication delay (1 - 900  sec, default = 30). range[1-900]
        set auth-fail-vlan {disable | enable}   Enable to allow limited access to clients that cannot authenticate.
        set auth-fail-vlanid {integer}   VLAN ID on which authentication failed. range[0-65535]
        set auth-fail-vlan-id {string}   VLAN ID on which authentication failed. size[15] - datasource(s): system.interface.name
        set radius-timeout-overwrite {disable | enable}   Enable to override the global RADIUS session timeout.
        set policy-type {802.1X}   Policy type.
                802.1X  802.1X security policy.
    next
end

Additional information

The following section is for those options that require additional explanation.

set security-mode

You can restrict access with 802.1X port-based authentication or with 802.1X MAC-based authentication.

set user-group

You can set a specific group name, Guest-group, or SSO_Guest_Users to have access.

set mac-auth-bypass

You can enable or disable MAB on this interface.

set eap-passthrough

You can enable or disable EAP pass-through mode on this interface.

set guest-vlan

You can enable or disable guest VLANs on this interface to allow restricted access for some users.

set guest-vlan-id "guest- VLAN-name"

You can specify the name of the guest VLAN.

set guest-auth-delay

You can set the authentication delay for guest VLANs on this interface. The range is 60-900 seconds.

set auth-fail-vlan

You can enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.

set auth-fail-vlan-id "auth-fail-VLAN-name"

You can specify the name of the authentication fail VLAN.

set radius-timeoutoverwrite

You can enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.

set policy-type 802.1X

You can set the policy type to the 802.1X security policy.

switch-controller security-policy 802-1X

Use this command to create 802.1X security policies.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set open-auth {enable | disable}

Enable or disable (by default) FortiLink open authentication for this policy.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set user-group <name>

This entry is now mandatory for an 802.1x security policy to work correctly.

config switch-controller security-policy 802-1X
    edit {name}
    # Configure 802.1x MAC Authentication Bypass (MAB) policies.
        set name {string}   Policy name. size[31]
        set security-mode {802.1X | 802.1X-mac-based}   Port or MAC based 802.1X security mode.
                802.1X            802.1X port based authentication.
                802.1X-mac-based  802.1X MAC based authentication.
        config user-group
            edit {name}
            # Name of user-group to assign to this MAC Authentication Bypass (MAB) policy.
                set name {string}   Group name. size[64] - datasource(s): user.group.name
            next
        set mac-auth-bypass {disable | enable}   Enable/disable MAB for this policy.
        set open-auth {disable | enable}   Enable/disable open authentication for this policy.
        set eap-passthru {disable | enable}   Enable/disable EAP pass-through mode, allowing protocols (such as LLDP) to pass through ports for more flexible authentication.
        set guest-vlan {disable | enable}   Enable the guest VLAN feature to allow limited access to non-802.1X-compliant clients.
        set guest-vlanid {integer}   Guest VLAN ID. range[0-65535]
        set guest-vlan-id {string}   Guest VLAN name. size[15] - datasource(s): system.interface.name
        set guest-auth-delay {integer}   Guest authentication delay (1 - 900  sec, default = 30). range[1-900]
        set auth-fail-vlan {disable | enable}   Enable to allow limited access to clients that cannot authenticate.
        set auth-fail-vlanid {integer}   VLAN ID on which authentication failed. range[0-65535]
        set auth-fail-vlan-id {string}   VLAN ID on which authentication failed. size[15] - datasource(s): system.interface.name
        set radius-timeout-overwrite {disable | enable}   Enable to override the global RADIUS session timeout.
        set policy-type {802.1X}   Policy type.
                802.1X  802.1X security policy.
    next
end

Additional information

The following section is for those options that require additional explanation.

set security-mode

You can restrict access with 802.1X port-based authentication or with 802.1X MAC-based authentication.

set user-group

You can set a specific group name, Guest-group, or SSO_Guest_Users to have access.

set mac-auth-bypass

You can enable or disable MAB on this interface.

set eap-passthrough

You can enable or disable EAP pass-through mode on this interface.

set guest-vlan

You can enable or disable guest VLANs on this interface to allow restricted access for some users.

set guest-vlan-id "guest- VLAN-name"

You can specify the name of the guest VLAN.

set guest-auth-delay

You can set the authentication delay for guest VLANs on this interface. The range is 60-900 seconds.

set auth-fail-vlan

You can enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.

set auth-fail-vlan-id "auth-fail-VLAN-name"

You can specify the name of the authentication fail VLAN.

set radius-timeoutoverwrite

You can enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.

set policy-type 802.1X

You can set the policy type to the 802.1X security policy.