Configuring a FortiGate interface to act as an 802.1X supplicant
A FortiGate interface can be configured to act as an 802.1X supplicant. The settings are enabled on the network interface in the CLI. The EAP authentication method can be either PEAP (username and password) or TLS (user certificate, validated against a CA certificate).
config system interface
    edit <interface>
        set eap-supplicant {enable | disable}
        set eap-method {peap | tls}
        set eap-identity <identity>
        set eap-password <password>
        set eap-ca-cert <CA_cert>
        set eap-user-cert <user_cert>
    next
end
Example
In this example, the FortiGate connects to an L3 switch that is not physically secured. All devices that connect to the internet through the L3 switch must be authenticated with 802.1X on the switch port by either a username and password (PEAP), or a user certificate (TLS). Configuration examples for both EAP authentication methods on port33 are shown.
To configure EAP authentication with PEAP:
- Configure the interface:

config system interface
    edit "port33"
        set vdom "vdom1"
        set ip 7.7.7.2 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric
        set stpforward enable
        set type physical
        set snmp-index 42
        set eap-supplicant enable
        set eap-method peap
        set eap-identity "test1"
        set eap-password **********
    next
end
- Verify the interface's PEAP authentication details:

# diagnose test app eap_supp 2
Interface: port33
status:Authorized
method: PEAP
identity: test1
ca_cert:
client_cert:
private_key:
last_eapol_src =70:4c:a5:3b:0b:c6
Traffic is able to pass because the status is authorized.
To configure EAP authentication with TLS:
- Configure the interface:

config system interface
    edit "port33"
        set vdom "vdom1"
        set ip 7.7.7.2 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric
        set stpforward enable
        set type physical
        set snmp-index 42
        set eap-supplicant enable
        set eap-method tls
        set eap-identity "test2@fortiqa.net"
        set eap-ca-cert "root_G_CA_Cert_1.cer"
        set eap-user-cert "root_eap_client_global.cer"
    next
end
- Verify the interface's TLS authentication details:

# diagnose test application eap_supp 2
Interface: port33
status:Authorized
method: TLS
identity: test2@fortiqa.net
ca_cert: /etc/cert/ca/root_G_CA_Cert_1.cer
client_cert: /etc/cert/local/root_eap_client_global.cer
private_key: /etc/cert/local/root_eap_client_global.key
last_eapol_src =70:4c:a5:3b:0b:c6
Traffic is able to pass because the status is authorized.
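The two verification steps above (PEAP and TLS) both depend on reading the output of diagnose test application eap_supp 2 and confirming that the port is Authorized and, for TLS, that the CA certificate, client certificate and private key are all populated. The following Python script is an added example, not Fortinet's code and not part of this page: it parses a capture of that output and reports which supplicant interfaces would not pass traffic or are missing material their EAP method needs. The capture embedded in it is constructed; the interface names, file names, identity and MAC address are made up, and the field order assumed by the parser is the one shown in the outputs on this page.

```python
import re

# Field names in the order "diagnose test application eap_supp 2" prints them
# (assumption: taken from the outputs on this page).
FIELDS = ("Interface", "status", "method", "identity",
          "ca_cert", "client_cert", "private_key", "last_eapol_src")
_KEY_RE = re.compile(r"\b(" + "|".join(FIELDS) + r")\s*[:=]\s*")

# Constructed sample capture (not real device output): interface names, file
# names, identity and MAC address are made up. The first two records mirror the
# PEAP and TLS cases on the page; the third is a TLS supplicant that failed
# authentication and has no CA certificate configured.
SAMPLE_OUTPUT = """\
Interface: port33 status:Authorized method: PEAP identity: test1 ca_cert: client_cert: private_key: last_eapol_src =00:11:22:33:44:55
Interface: port34 status:Authorized method: TLS identity: host@example.invalid ca_cert: /etc/cert/ca/example_ca.cer client_cert: /etc/cert/local/example_client.cer private_key: /etc/cert/local/example_client.key last_eapol_src =00:11:22:33:44:55
Interface: port35 status:Unauthorized method: TLS identity: host@example.invalid ca_cert: client_cert: /etc/cert/local/example_client.cer private_key: /etc/cert/local/example_client.key last_eapol_src =00:11:22:33:44:55
"""


def parse_record(block: str) -> dict:
    """Turn one interface's fields into a dict; absent or empty values become ''.

    Works whether the CLI printed the fields on one line or one per line,
    because a value simply runs until the next known field name.
    """
    parts = _KEY_RE.split(block)
    # parts[0] is any text before the first key; after that keys and values alternate.
    record = {key: value.strip() for key, value in zip(parts[1::2], parts[2::2])}
    for key in FIELDS:
        record.setdefault(key, "")
    return record


def parse_eap_supp(text: str) -> list:
    """Split a whole capture into per-interface records (one per 'Interface:')."""
    blocks = re.split(r"(?=\bInterface\s*:)", text)
    return [parse_record(b) for b in blocks if b.strip()]


def check_supplicant(record: dict) -> list:
    """Return a list of findings for one interface; an empty list means healthy."""
    findings = []
    iface = record["Interface"] or "<unknown>"
    # Only an Authorized port passes traffic; anything else is a failed or pending EAP exchange.
    if record["status"] != "Authorized":
        findings.append(f"{iface}: status is {record['status']!r}; traffic will not pass")
    if record["method"] == "TLS":
        # EAP-TLS needs a CA cert to validate the server and a client cert/key pair.
        for key in ("ca_cert", "client_cert", "private_key"):
            if not record[key]:
                findings.append(f"{iface}: method is TLS but {key} is not set")
    elif record["method"] == "PEAP":
        if not record["identity"]:
            findings.append(f"{iface}: method is PEAP but identity is empty")
    else:
        findings.append(f"{iface}: unexpected EAP method {record['method']!r}")
    return findings


def audit(text: str) -> dict:
    """Map each interface name in a capture to its list of findings."""
    return {r["Interface"]: check_supplicant(r) for r in parse_eap_supp(text)}


if __name__ == "__main__":
    for iface, findings in audit(SAMPLE_OUTPUT).items():
        print(iface, "OK" if not findings else "; ".join(findings))
```

Feed it the text captured from the CLI (for example over an SSH session) in place of SAMPLE_OUTPUT; in the constructed sample, port33 and port34 report no findings, while port35 is flagged twice, once for the Unauthorized status and once for the missing CA certificate.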