switch-controller security-policy 802-1X
Use this command to create 802.1X security policies.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.
Command | Description
---|---
`set open-auth {enable \| disable}` | Enable or disable (by default) FortiLink open authentication for this policy.
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description
---|---
`set user-group <name>` | This entry is now mandatory for an 802.1X security policy to work correctly.
```
config switch-controller security-policy 802-1X
    edit {name}
    # Configure 802.1X MAC Authentication Bypass (MAB) policies.
        set name {string}   Policy name. size[31]
        set security-mode {802.1X | 802.1X-mac-based}   Port- or MAC-based 802.1X security mode.
                802.1X            802.1X port-based authentication.
                802.1X-mac-based  802.1X MAC-based authentication.
        config user-group
            edit {name}
            # Name of the user group to assign to this MAC Authentication Bypass (MAB) policy.
                set name {string}   Group name. size[64] - datasource(s): user.group.name
            next
        end
        set mac-auth-bypass {disable | enable}   Enable/disable MAB for this policy.
        set open-auth {disable | enable}   Enable/disable open authentication for this policy.
        set eap-passthru {disable | enable}   Enable/disable EAP pass-through mode, allowing protocols (such as LLDP) to pass through ports for more flexible authentication.
        set guest-vlan {disable | enable}   Enable the guest VLAN feature to allow limited access to non-802.1X-compliant clients.
        set guest-vlanid {integer}   Guest VLAN ID. range[0-65535]
        set guest-vlan-id {string}   Guest VLAN name. size[15] - datasource(s): system.interface.name
        set guest-auth-delay {integer}   Guest authentication delay (1 - 900 sec, default = 30). range[1-900]
        set auth-fail-vlan {disable | enable}   Enable to allow limited access to clients that cannot authenticate.
        set auth-fail-vlanid {integer}   VLAN ID on which authentication failed. range[0-65535]
        set auth-fail-vlan-id {string}   VLAN ID on which authentication failed. size[15] - datasource(s): system.interface.name
        set radius-timeout-overwrite {disable | enable}   Enable to override the global RADIUS session timeout.
        set policy-type {802.1X}   Policy type.
                802.1X  802.1X security policy.
    next
end
```
Additional information
The following section is for those options that require additional explanation.
set security-mode
You can restrict access with 802.1X port-based authentication or with 802.1X MAC-based authentication.
set user-group
You can set a specific group name, Guest-group, or SSO_Guest_Users to have access.
set mac-auth-bypass
You can enable or disable MAB on this interface.
set eap-passthru
You can enable or disable EAP pass-through mode on this interface.
set guest-vlan
You can enable or disable guest VLANs on this interface to allow restricted access for some users.
set guest-vlan-id "guest-VLAN-name"
You can specify the name of the guest VLAN.
set guest-auth-delay
You can set the authentication delay for guest VLANs on this interface. The range is 60-900 seconds.
set auth-fail-vlan
You can enable or disable the authentication-fail VLAN on this interface to allow restricted access for clients that cannot authenticate.
set auth-fail-vlan-id "auth-fail-VLAN-name"
You can specify the name of the authentication fail VLAN.
set radius-timeout-overwrite
You can enable or disable whether the session timeout supplied by the RADIUS server overwrites the local session timeout.
set policy-type 802.1X
You can set the policy type to the 802.1X security policy.
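A complete worked configuration, added here as an example and not taken from Fortinet's documentation: it creates a MAC-based 802.1X policy with MAB, a guest VLAN and an authentication-fail VLAN, and uses every option described above. The RADIUS server, user group, VLAN interface names and switch identifier are constructed placeholders, and the final binding of the policy to a switch port under `config switch-controller managed-switch` is assumed from general FortiOS usage rather than documented on this page.

```fortios
# Prerequisites (constructed names): a RADIUS server and a user group that
# references it. Since FortiOS 6.0 the user group is mandatory for the policy.
config user radius
    edit "corp-radius"                   # constructed name
        set server "192.0.2.10"          # constructed address (TEST-NET-1)
        set secret "<shared-secret>"     # placeholder, not a real secret
    next
end
config user group
    edit "dot1x-users"                   # constructed name
        set member "corp-radius"
    next
end

# The guest and auth-fail VLANs are referenced by system interface name
# (datasource system.interface.name); they are assumed to exist already
# as VLAN interfaces on the FortiLink fabric and are not created here.

config switch-controller security-policy 802-1X
    edit "dot1x-mab-policy"              # constructed policy name
        set security-mode 802.1X-mac-based   # authenticate each MAC, not the whole port
        config user-group
            edit "dot1x-users"           # mandatory: group backed by the RADIUS server
            next
        end
        set mac-auth-bypass enable       # MAB for devices without a supplicant
        set open-auth disable            # default: no traffic passes before authentication
        set eap-passthru enable          # let LLDP and similar protocols through
        set guest-vlan enable
        set guest-vlan-id "guest-vlan"   # constructed interface name
        set guest-auth-delay 30          # seconds before a non-802.1X client lands in the guest VLAN
        set auth-fail-vlan enable
        set auth-fail-vlan-id "quarantine-vlan"   # constructed interface name
        set radius-timeout-overwrite enable       # RADIUS session timeout replaces the local one
        set policy-type 802.1X
    next
end

# Bind the policy to a managed-switch port (assumed syntax, not from this page).
config switch-controller managed-switch
    edit "<switch-serial>"               # placeholder managed-switch identifier
        config ports
            edit "port5"                 # constructed port name
                set port-security-policy "dot1x-mab-policy"
            next
        end
    next
end
```

Two settings in this example widen what an unauthenticated or MAC-identified device can reach, and are worth checking before deployment: `mac-auth-bypass` admits devices on MAC address alone, and `open-auth` (left disabled here) would pass traffic before authentication completes. The guest and auth-fail VLANs are only as restrictive as the firewall policies applied to those interfaces, so the VLANs themselves provide segmentation, not the access limits; those come from policy.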