Fortinet white logo
Fortinet white logo

Administration Guide

Configuring a FortiGate interface to act as an 802.1X supplicant

Configuring a FortiGate interface to act as an 802.1X supplicant

A FortiGate interface can be configured to act as a 802.1X supplicant. The settings can be enabled on the network interface in the CLI. The EAP authentication method can be either PEAP or TLS using a user certificate.

config system interface
    edit <interface>
        set eap-supplicant {enable | disable}
        set eap-method {peap | tls}
        set eap-identity <identity>
        set eap-password <password>
        set eap-ca-cert <CA_cert>
        set eap-user-cert <user_cert>
    next
end

Example

In this example, the FortiGate connects to an L3 switch that is not physically secured. All devices that connect to the internet through the L3 switch must be authenticated with 802.1X on the switch port by either a username and password (PEAP), or a user certificate (TLS). Configuration examples for both EAP authentication methods on port33 are shown.

To configure EAP authentication with PEAP:
  1. Configure the interface:

    config system interface
        edit "port33"
            set vdom "vdom1"
            set ip 7.7.7.2 255.255.255.0
            set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric
            set stpforward enable
            set type physical
            set snmp-index 42
            set eap-supplicant enable
            set eap-method peap
            set eap-identity "test1"
            set eap-password **********
        next
    end
  2. Verify the interface's PEAP authentication details:

    # diagnose test app eap_supp 2
    Interface: port33
    status:Authorized
    method: PEAP
    identity: test1
    ca_cert:
    client_cert:
    private_key:
    last_eapol_src =70:4c:a5:3b:0b:c6

    Traffic is able to pass because the status is authorized.

To configure EAP authentication with TLS:
  1. Configure the interface:

    config system interface
        edit "port33"
            set vdom "vdom1"
            set ip 7.7.7.2 255.255.255.0
            set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric
            set stpforward enable
            set type physical
            set snmp-index 42
            set eap-supplicant enable
            set eap-method tls
            set eap-identity "test2@fortiqa.net"
            set eap-ca-cert "root_G_CA_Cert_1.cer"
            set eap-user-cert "root_eap_client_global.cer"
        next
    end
  2. Verify the interface's TLS authentication details:

    # diagnose test application eap_supp 2
    Interface: port33
    status:Authorized
    method: TLS
    identity: test2@fortiqa.net
    ca_cert: /etc/cert/ca/root_G_CA_Cert_1.cer
    client_cert: /etc/cert/local/root_eap_client_global.cer
    private_key: /etc/cert/local/root_eap_client_global.key
    last_eapol_src =70:4c:a5:3b:0b:c6 

    Traffic is able to pass because the status is authorized.

Configuring a FortiGate interface to act as an 802.1X supplicant

Configuring a FortiGate interface to act as an 802.1X supplicant

A FortiGate interface can be configured to act as a 802.1X supplicant. The settings can be enabled on the network interface in the CLI. The EAP authentication method can be either PEAP or TLS using a user certificate.

config system interface
    edit <interface>
        set eap-supplicant {enable | disable}
        set eap-method {peap | tls}
        set eap-identity <identity>
        set eap-password <password>
        set eap-ca-cert <CA_cert>
        set eap-user-cert <user_cert>
    next
end

Example

In this example, the FortiGate connects to an L3 switch that is not physically secured. All devices that connect to the internet through the L3 switch must be authenticated with 802.1X on the switch port by either a username and password (PEAP), or a user certificate (TLS). Configuration examples for both EAP authentication methods on port33 are shown.

To configure EAP authentication with PEAP:
  1. Configure the interface:

    config system interface
        edit "port33"
            set vdom "vdom1"
            set ip 7.7.7.2 255.255.255.0
            set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric
            set stpforward enable
            set type physical
            set snmp-index 42
            set eap-supplicant enable
            set eap-method peap
            set eap-identity "test1"
            set eap-password **********
        next
    end
  2. Verify the interface's PEAP authentication details:

    # diagnose test app eap_supp 2
    Interface: port33
    status:Authorized
    method: PEAP
    identity: test1
    ca_cert:
    client_cert:
    private_key:
    last_eapol_src =70:4c:a5:3b:0b:c6

    Traffic is able to pass because the status is authorized.

To configure EAP authentication with TLS:
  1. Configure the interface:

    config system interface
        edit "port33"
            set vdom "vdom1"
            set ip 7.7.7.2 255.255.255.0
            set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric
            set stpforward enable
            set type physical
            set snmp-index 42
            set eap-supplicant enable
            set eap-method tls
            set eap-identity "test2@fortiqa.net"
            set eap-ca-cert "root_G_CA_Cert_1.cer"
            set eap-user-cert "root_eap_client_global.cer"
        next
    end
  2. Verify the interface's TLS authentication details:

    # diagnose test application eap_supp 2
    Interface: port33
    status:Authorized
    method: TLS
    identity: test2@fortiqa.net
    ca_cert: /etc/cert/ca/root_G_CA_Cert_1.cer
    client_cert: /etc/cert/local/root_eap_client_global.cer
    private_key: /etc/cert/local/root_eap_client_global.key
    last_eapol_src =70:4c:a5:3b:0b:c6 

    Traffic is able to pass because the status is authorized.