New Features

Dynamic VLAN 'Name' Assignment from RADIUS Attribute

Starting in 6.2, when FortiSwitch receives a VLAN assignment from RADIUS, it first determines whether the value is an integer or a string. If it is an integer, FortiSwitch assigns that VLAN ID. If it is a string, the 802.1x agent searches the description field of every VLAN (the description holds the VLAN name defined on FortiOS) and, if it finds a match, assigns that VLAN.

Example

On the FortiGate, every VLAN is defined as a system interface, and each system interface has a well-defined, unique name. When running FortiLink, the switch has no knowledge of this name-to-VLAN association, yet it communicates directly with the RADIUS server and needs the mapping to select the correct VLAN.

This information must therefore be provided to the switch. To keep the feature generic and usable when the switch runs in standalone mode as well, the switch VLAN description field is used for it: the switch-controller synchronizes the FortiGate system interface name to the switch VLAN description for informational purposes, and the earlier description-to-description synchronization has been removed. All descriptions configured on the FortiGate remain on the FortiGate.

To configure dynamic VLAN name assignment:
  1. Configure a RADIUS server:
    • Set Tunnel-Type to "VLAN".
    • Set Tunnel-Medium-Type to "IEEE-802".
    • Set Tunnel-Private-Group-Id to "my.vlan.10". This attribute carries the VLAN name instead of the VLAN ID.
  2. Configure FortiGate (the VLAN interface is created under config system interface; its name is what RADIUS returns):

    config system interface
        edit "my.vlan.10"
            set vdom "root"
            set ip 1.1.1.254 255.255.255.0
            set allowaccess ping
            set interface "my.fortlink"
            set vlanid 10
        next
    end

  3. Verify the FortiSwitch side. The VLAN name is stored in the existing description field; no new CLI is introduced, only a new backend mapping that the 802.1x agent uses for the lookup:

    # show switch vlan
    config switch vlan
        edit 10
            set description "my.vlan.10"
        next
    end
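As an added example (not Fortinet's code or the FortiSwitch implementation), this Python model shows the resolution rule described above: a digits-only Tunnel-Private-Group-Id is treated as a VLAN ID, anything else is matched against the VLAN descriptions the switch-controller synchronized. The VLAN table, the RFC 2868 tag-octet handling, the check that an integer ID exists on the switch, and the fail-closed behaviour on no match or an ambiguous match are assumptions made here; the page does not say what the 802.1x agent does in those cases.

```python
import re
from typing import Dict, Optional

# Constructed VLAN table modelled on the page's example:
# FortiSwitch VLAN ID -> description (the description holds the FortiGate
# system interface name that the switch-controller synchronized).
VLAN_TABLE: Dict[int, str] = {
    1: "default",
    10: "my.vlan.10",
    20: "my.vlan.20",
}


def strip_rfc2868_tag(value: bytes) -> bytes:
    """Tunnel-Private-Group-Id is a tagged string (RFC 2868): when the first
    octet is 0x00..0x1F it is a tag, not part of the group id, and is dropped.
    Leaving it in place would make a name like "my.vlan.10" fail to match."""
    if value and value[0] <= 0x1F:
        return value[1:]
    return value


def resolve_vlan(attr: bytes, table: Dict[int, str]) -> Optional[int]:
    """Model of the page's rule. Returns the VLAN ID to assign, or None when the
    supplicant should not be placed in any VLAN (fail closed, an assumption here).

    - all digits  -> taken as the VLAN ID (1..4094, and present on the switch)
    - otherwise   -> exact match against each VLAN's description; exactly one
                     VLAN must match, duplicates are treated as a config error
    """
    text = strip_rfc2868_tag(attr).decode("ascii", errors="replace")
    if re.fullmatch(r"[0-9]+", text):
        vid = int(text)
        return vid if 1 <= vid <= 4094 and vid in table else None
    matches = [vid for vid, desc in table.items() if desc == text]
    return matches[0] if len(matches) == 1 else None
```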
