Fortinet Document Library


config switch-controller security-policy 802-1X

Configure 802.1x MAC Authentication Bypass (MAB) policies.

    config switch-controller security-policy 802-1X
        Description: Configure 802.1x MAC Authentication Bypass (MAB) policies.
        edit <name>
            set security-mode [802.1X|802.1X-mac-based]
            set user-group <name1>, <name2>, ...
            set mac-auth-bypass [disable|enable]
            set open-auth [disable|enable]
            set eap-passthru [disable|enable]
            set guest-vlan [disable|enable]
            set guest-vlan-id {string}
            set guest-auth-delay {integer}
            set auth-fail-vlan [disable|enable]
            set auth-fail-vlan-id {string}
            set framevid-apply [disable|enable]
            set radius-timeout-overwrite [disable|enable]
            set policy-type {option}
        next
    end

config switch-controller security-policy 802-1X

| Parameter name | Description | Type | Size | Options |
|---|---|---|---|---|
| security-mode | Port or MAC based 802.1X security mode. | option | - | 802.1X: 802.1X port based authentication. 802.1X-mac-based: 802.1X MAC based authentication. |
| user-group <name> | Name of user-group to assign to this MAC Authentication Bypass (MAB) policy. Group name. | string | Maximum length: 79 | |
| mac-auth-bypass | Enable/disable MAB for this policy. | option | - | disable: Disable MAB. enable: Enable MAB. |
| open-auth | Enable/disable open authentication for this policy. | option | - | disable: Disable open authentication. enable: Enable open authentication. |
| eap-passthru | Enable/disable EAP pass-through mode, allowing protocols (such as LLDP) to pass through ports for more flexible authentication. | option | - | disable: Disable EAP pass-through mode on this interface. enable: Enable EAP pass-through mode on this interface. |
| guest-vlan | Enable the guest VLAN feature to allow limited access to non-802.1X-compliant clients. | option | - | disable: Disable guest VLAN on this interface. enable: Enable guest VLAN on this interface. |
| guest-vlan-id | Guest VLAN name. | string | Maximum length: 15 | |
| guest-auth-delay | Guest authentication delay (1 - 900 sec, default = 30). | integer | Minimum value: 1, Maximum value: 900 | |
| auth-fail-vlan | Enable to allow limited access to clients that cannot authenticate. | option | - | disable: Disable authentication fail VLAN on this interface. enable: Enable authentication fail VLAN on this interface. |
| auth-fail-vlan-id | VLAN ID on which authentication failed. | string | Maximum length: 15 | |
| framevid-apply | Enable/disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN. | option | - | disable: Disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN. enable: Enable the capability to apply the EAP/MAB frame VLAN to the port native VLAN. |
| radius-timeout-overwrite | Enable to override the global RADIUS session timeout. | option | - | disable: Override the global RADIUS session timeout. enable: Use the global RADIUS session timeout. |
| policy-type | Policy type. | option | - | 802.1X: 802.1X security policy. |
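
One way to check saved policies against the options and limits documented above, as an added example that is not Fortinet code: it parses the edit/set blocks, rejects values outside the documented options, lengths and ranges, and lists the enabled toggles that relax strict 802.1X admission. The policy names, the sample configuration, the quoted-value layout and the choice of which toggles to flag for review are assumptions made for this example.

```python
import shlex
# Allowed values and limits, copied from the parameter descriptions on this page.
ALLOWED = {"security-mode": {"802.1X", "802.1X-mac-based"}, "policy-type": {"802.1X"}}
ALLOWED.update(dict.fromkeys(("mac-auth-bypass", "open-auth", "eap-passthru", "guest-vlan",
    "auth-fail-vlan", "framevid-apply", "radius-timeout-overwrite"), {"enable", "disable"}))
MAX_LEN = {"user-group": 79, "guest-vlan-id": 15, "auth-fail-vlan-id": 15}
# Toggles that relax strict 802.1X admission (the reviewer's selection, an assumption).
RELAXED = ("mac-auth-bypass", "open-auth", "guest-vlan", "auth-fail-vlan")

SAMPLE = '''
config switch-controller security-policy 802-1X
    edit "lab-ports"
        set security-mode 802.1X-mac-based
        set mac-auth-bypass enable
        set guest-vlan enable
        set guest-vlan-id "guest-vlan-for-lab"
        set guest-auth-delay 1200
    next
    edit "office-ports"
        set security-mode 802.1X
    next
end
'''  # constructed sample; policy names and values are hypothetical

def parse_policies(text):
    """Return {policy name: {setting: [values]}} from edit/set blocks."""
    policies, current = {}, None
    for tok in map(shlex.split, text.splitlines()):
        if len(tok) >= 2 and tok[0] == "edit":
            current = policies.setdefault(tok[1], {})
        elif len(tok) >= 2 and tok[0] == "set" and current is not None:
            current[tok[1]] = tok[2:]
    return policies

def audit(settings):
    """Return findings for one policy: illegal values first, then review items."""
    out = []
    for key, vals in settings.items():
        ok = False  # settings not listed on this page stay invalid
        if key in ALLOWED:
            ok = len(vals) == 1 and vals[0] in ALLOWED[key]
        elif key in MAX_LEN:
            ok = bool(vals) and all(len(v) <= MAX_LEN[key] for v in vals)
        elif key == "guest-auth-delay":
            ok = len(vals) == 1 and vals[0].isdigit() and 1 <= int(vals[0]) <= 900
        if not ok:
            out.append(f"invalid: {key} {' '.join(vals)}")
    out += [f"review: {k} enabled" for k in RELAXED if settings.get(k) == ["enable"]]
    return out
```

Run `audit()` on each entry returned by `parse_policies()`; an empty list means every value is within the documented limits and none of the flagged toggles is enabled.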
