Change the priority of MAB and EAP 802.1X authentication

Note
  • 802.1X authentication and MAB authentication must be enabled before you can change the priority of MAB and EAP 802.1X authentication.

  • This feature requires FortiSwitchOS 7.2.1 or later.

  • This feature is supported by both 802.1X port-based authentication and 802.1X MAC-based authentication.

You can now use the CLI to change the priority of MAC authentication bypass (MAB) authentication and Extensible Authentication Protocol (EAP) 802.1X authentication to fit your specific network security requirements.

  • Before FortiOS 7.6.0, the managed switch tried EAP 802.1X authentication and MAB authentication in the order that they were received, with EAP 802.1X authentication having absolute priority. If authentication failed, users were assigned to the auth-fail-vlanid VLAN if it had been configured. There was no time delay. Starting in FortiOS 7.6.0, use the set auth-priority legacy command to keep this priority. After an upgrade, auth-priority is set to legacy by default.

  • Starting in FortiOS 7.6.0, if you want the managed switch to try EAP 802.1X authentication first and then MAB authentication if EAP 802.1X fails, use the set auth-priority dot1x-mab command. If MAB authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.

  • Starting in FortiOS 7.6.0, if you want the managed switch to try MAB authentication first and then EAP 802.1X authentication if MAB authentication fails, use the set auth-priority mab-dot1x command. If EAP 802.1X authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.

  • Starting in FortiOS 7.6.0 with FortiSwitchOS 7.2.3, MAB-only authentication is supported. In this mode, the managed FortiSwitch unit performs MAB authentication without performing EAP authentication. EAP packets are not sent. To enable MAB-only authentication, set the auth-order command to mab.

The following flowchart shows the FortiSwitch 802.1X port-based authentication with MAB enabled and with an authentication priority of auth-priority legacy:

The following flowchart shows the FortiSwitch 802.1X MAC-based authentication with MAB enabled and with an authentication priority of auth-priority legacy:

In the following flowchart, the authentication priority is dot1x-mab. If both EAP 802.1X authentication and MAB authentication fail, the user is assigned to the auth-fail-vlanid VLAN. If an EAPoL-Start packet is received after MAB authentication, the switch changes to EAP 802.1X authentication.

In the following flowchart, the authentication priority is mab-dot1x. If MAB authentication fails, the switch attempts EAP 802.1X authentication. If an EAPoL-Start packet is received after MAB authentication, the switch attempts EAP 802.1X authentication without any time delay or processing impact.

To configure the priority of MAB and EAP 802.1X authentication for managed switches:
  1. Enable 802.1X authentication and MAB authentication.

    config switch-controller security-policy 802-1X
      edit <policy_name>
        set security-mode {802.1X | 802.1X-mac-based}
        set mac-auth-bypass enable

    Variable: security-mode {802.1X | 802.1X-mac-based}
    Description: Set the security mode for the port.
      • 802.1X—Use this setting for port-based authentication.
      • 802.1X-mac-based—Use this setting for MAC-based authentication.
      If you change the security mode to 802.1X or 802.1X-mac-based, you must set the user group with the set user-group command.
    Default: 802.1X

  2. Specify the authentication order and priority.

        set auth-order mab
        set auth-priority {legacy | dot1x-mab | mab-dot1x}

    Variable: auth-order mab
    Description: This command is available only when the set mac-auth-bypass command is enabled.
      Use this command if you want to use the MAB-only authentication mode, where the FortiSwitch unit performs MAB authentication without performing EAP authentication. EAP packets are not sent.

    Variable: auth-priority {legacy | dot1x-mab | mab-dot1x}
    Description: Select the priority of MAB authentication and EAP 802.1X authentication.
      • legacy—The switch tries EAP 802.1X authentication and MAB authentication in the order that they are received, with EAP 802.1X authentication having absolute priority. If authentication fails, users are assigned to a guest VLAN if it has been configured. There is no time delay involved. This is the default value.
      • dot1x-mab—The switch tries EAP 802.1X authentication first and then MAB authentication if EAP 802.1X fails. If MAB authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.
      • mab-dot1x—The switch tries MAB authentication first and then EAP 802.1X authentication if MAB authentication fails. If EAP 802.1X authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.
      This command is available only when the set mac-auth-bypass command is enabled.

For example:

    config switch-controller security-policy 802-1X
      edit "8021Xmabpolicy"
        set security-mode 802.1X
        set user-group "1X_RADIUS_GROUP"
        set mac-auth-bypass enable
        set auth-order mab-dot1x
        set auth-priority mab-dot1x
      next
    end
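The following added Python model is not Fortinet code; it restates the per-port outcome described in the flowchart text and the auth-priority table above so that the effect of each setting on an endpoint can be checked before the policy is deployed. The AUTH_FAIL_VLAN value and the PortEvents scenarios are constructed placeholders, and the legacy branch reflects this page's wording that EAP has absolute priority (an assumption about how a silent supplicant is treated).

```python
from dataclasses import dataclass
from typing import Optional, Tuple

AUTH_FAIL_VLAN = 999  # constructed placeholder for the policy's auth-fail-vlanid


@dataclass
class PortEvents:
    """Constructed view of what the switch observes on one port."""
    dot1x: Optional[bool]               # EAP result if the supplicant replies, None if silent
    mab: Optional[bool]                 # RADIUS result for the MAC address, None if not tried
    eapol_start_after_mab: bool = False  # supplicant only sent EAPoL-Start after MAB ran


def outcome(auth_priority: str, ev: PortEvents,
            auth_order: str = "dot1x-mab") -> Tuple[Optional[str], Optional[int]]:
    """Return (authorizing method, VLAN): VLAN is None when the endpoint lands on the
    policy VLAN and AUTH_FAIL_VLAN when every attempted method fails."""
    if auth_order == "mab":
        # MAB-only mode: no EAP packets are sent, so only the RADIUS MAB answer matters
        return ("mab", None) if ev.mab else (None, AUTH_FAIL_VLAN)

    # A supplicant that wakes up late looks silent during the first EAP attempt
    eap_now = None if ev.eapol_start_after_mab else ev.dot1x

    if auth_priority == "dot1x-mab":
        if eap_now:
            return ("dot1x", None)
        if ev.eapol_start_after_mab:
            # EAPoL-Start after MAB: the switch changes to EAP 802.1X
            return ("dot1x", None) if ev.dot1x else (None, AUTH_FAIL_VLAN)
        return ("mab", None) if ev.mab else (None, AUTH_FAIL_VLAN)

    if auth_priority == "mab-dot1x":
        if ev.mab and not ev.eapol_start_after_mab:
            return ("mab", None)
        # MAB failed, or an EAPoL-Start arrived after MAB: try EAP 802.1X
        return ("dot1x", None) if ev.dot1x else (None, AUTH_FAIL_VLAN)

    if auth_priority == "legacy":
        # Assumption: EAP has absolute priority, so any EAP result overrides MAB
        if ev.dot1x is not None:
            return ("dot1x", None) if ev.dot1x else (None, AUTH_FAIL_VLAN)
        return ("mab", None) if ev.mab else (None, AUTH_FAIL_VLAN)

    raise ValueError(f"unknown auth-priority {auth_priority!r}")


if __name__ == "__main__":
    for prio in ("legacy", "dot1x-mab", "mab-dot1x"):
        print(prio, outcome(prio, PortEvents(dot1x=False, mab=True)))
```

The printed line for each priority shows where a MAB-allowed device with a failing supplicant ends up, which is the case where the three settings differ most.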