Fortinet black logo

Administration Guide

Wired devices and 802.1X

Copy Link
Copy Doc ID dc02a854-ab11-11ea-8b7d-00505692583a:28084
Download PDF

Wired devices and 802.1X

802.1X authentication, which provides FortiNAC with another means of port-level access control, is currently supported for a number of devices including:

• Ubiquiti

• Nokia

• Meraki

• Aerohive wired

• Alcatel/Lucent

• Apresia

• Foundry/Brocade/Ruckus

• Cisco

• Fortinet/Fortigate

• HP/Aruba ProCurve

• Juniper

• Nortel/Avaya/Extreme

Support for additional devices will be provided based on the number of customer requests and the availability of similar equipment.

Host configuration

Host supplicants should be configured to authenticate using user credentials, not host information, such as hostname. This will give FortiNAC the user information to associate with the host/device allowing for automatic authentication.

HP switches must have a time-window of 0 for the most consistent results.

FortiNAC configuration

  • In FortiNAC set up one or more RADIUS servers for authentication. See RADIUS for additional information.
  • Make sure that the RADIUS secret is the same everywhere, including: the RADIUS server itself, RADIUS server settings configured in FortiNAC, RADIUS settings configured on model configuration and in the configuration for your device. If the RADIUS secret does not match in all locations, authentication requests will fail.
  • Add the Device to FortiNAC using the Discovery process or by adding the device manually. See Discovery or Add or modify a device.
  • After the device is added to FortiNAC you must complete the model for the network device in the database. See Model configuration.
  • If VLAN switching is not enabled, no VLAN will be assigned to an authentication response. Verify that VLAN Switching is enabled under Device Properties.
  • Ports on the device that will manage connected hosts should be placed in the appropriate access control groups, such as: forced registration, forced authentication, or forced remediation. If ports are not added to these groups, the isolation VLANs associated with those states will not be provided in an authentication response for those ports. See Groups view.

Device configuration

Define the FortiNAC Server or Control Server as the RADIUS server for the devices you want to manage with FortiNAC as follows:

  • Use the management IP address of your FortiNAC Server as the IP of the RADIUS server.
  • Use port 1812 for authentication.
  • If you are setting up FortiNAC as the RADIUS server for a device in a high availability environment, you must use the actual IP address of the primary control server, not the Shared IP address. Set up the secondary control server as a secondary RADIUS server using its actual IP address. Regardless of the environment, you may also want to set up your actual RADIUS server to be used in the event that none of your FortiNAC appliances can be reached. This would allow users to access the network, but they would not be controlled by FortiNAC.

Cisco device configuration

Cisco switches include numerous features with their 802.1x support, many of which are not affected by this integration. Administrators should be familiar with configuring 802.1x port-based authentication on the relevant switches. Many options can be configured that affect the authentication behavior on the device, such as host mode (ie. single-host and multi-host modes) and IP phone support. It is recommended that you have a thorough understanding of these features before deploying 802.1x.

Cisco features that are affected by the integration with FortiNAC include the following:

  • Configuring VLANs for the guest, auth and critical values is not supported. FortiNAC does not currently detect how a port has been assigned a VLAN. FortiNAC always assumes it is in control over the VLAN to which a port is assigned. Therefore, if these VLANs are configured, FortiNAC may still attempt to affect a VLAN change on the port based on the connected host state.
  • Ensure that RADIUS requests sent by the Cisco router contain the Cisco-NAS-Port vendor specific attribute. FortiNAC uses this attribute to identify the port involved in the authentication.
  • MAC-authentication bypass is supported, but administrators should be careful to set a reasonable delay. The switch waits for the delay period for the EAPOL message prior to using MAC-authentication. Connecting hosts will be delayed by at least that amount when no supplicant is present or enabled.

IOS configuration statements relating to 802.1x

The statements listed below represent a minimal configuration to enable 802.1x on a Cisco switch/router running IOS. The commands may vary based on switch model and IOS version. These are taken from a Cisco 3750 -24TS running IOS 12.2(25)SEE3.

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa nas port extended

(required to enable Cisco-NAS-Port)

!

interface FastEthernet1/0/18

switchport access vlan 163

(Port will only be assigned this VLAN if none is assigned or exception condition occurs.)

switchport trunk encapsulation dot1q

switchport mode access

dot1x mac-auth-bypass (optional)

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-host

dot1x timeout quiet-period 3

dot1x timeout server-timeout 10

dot1x timeout reauth-period 180

dot1x timeout tx-period 5

dot1x timeout supp-timeout 6

dot1x reauthentication

!

radius-server host 192.168.34.31 auth-port 1812 acct-port 1813 key abc123

radius-server source-ports 1645-1646

radius-server vsa send authentication

Wired devices and 802.1X

802.1X authentication, which provides FortiNAC with another means of port-level access control, is currently supported for a number of devices including:

• Ubiquiti

• Nokia

• Meraki

• Aerohive wired

• Alcatel/Lucent

• Apresia

• Foundry/Brocade/Ruckus

• Cisco

• Fortinet/Fortigate

• HP/Aruba ProCurve

• Juniper

• Nortel/Avaya/Extreme

Support for additional devices will be provided based on the number of customer requests and the availability of similar equipment.

Host configuration

Host supplicants should be configured to authenticate using user credentials, not host information, such as hostname. This will give FortiNAC the user information to associate with the host/device allowing for automatic authentication.

HP switches must have a time-window of 0 for the most consistent results.

FortiNAC configuration

  • In FortiNAC set up one or more RADIUS servers for authentication. See RADIUS for additional information.
  • Make sure that the RADIUS secret is the same everywhere, including: the RADIUS server itself, RADIUS server settings configured in FortiNAC, RADIUS settings configured on model configuration and in the configuration for your device. If the RADIUS secret does not match in all locations, authentication requests will fail.
  • Add the Device to FortiNAC using the Discovery process or by adding the device manually. See Discovery or Add or modify a device.
  • After the device is added to FortiNAC you must complete the model for the network device in the database. See Model configuration.
  • If VLAN switching is not enabled, no VLAN will be assigned to an authentication response. Verify that VLAN Switching is enabled under Device Properties.
  • Ports on the device that will manage connected hosts should be placed in the appropriate access control groups, such as: forced registration, forced authentication, or forced remediation. If ports are not added to these groups, the isolation VLANs associated with those states will not be provided in an authentication response for those ports. See Groups view.

Device configuration

Define the FortiNAC Server or Control Server as the RADIUS server for the devices you want to manage with FortiNAC as follows:

  • Use the management IP address of your FortiNAC Server as the IP of the RADIUS server.
  • Use port 1812 for authentication.
  • If you are setting up FortiNAC as the RADIUS server for a device in a high availability environment, you must use the actual IP address of the primary control server, not the Shared IP address. Set up the secondary control server as a secondary RADIUS server using its actual IP address. Regardless of the environment, you may also want to set up your actual RADIUS server to be used in the event that none of your FortiNAC appliances can be reached. This would allow users to access the network, but they would not be controlled by FortiNAC.

Cisco device configuration

Cisco switches include numerous features with their 802.1x support, many of which are not affected by this integration. Administrators should be familiar with configuring 802.1x port-based authentication on the relevant switches. Many options can be configured that affect the authentication behavior on the device, such as host mode (ie. single-host and multi-host modes) and IP phone support. It is recommended that you have a thorough understanding of these features before deploying 802.1x.

Cisco features that are affected by the integration with FortiNAC include the following:

  • Configuring VLANs for the guest, auth and critical values is not supported. FortiNAC does not currently detect how a port has been assigned a VLAN. FortiNAC always assumes it is in control over the VLAN to which a port is assigned. Therefore, if these VLANs are configured, FortiNAC may still attempt to affect a VLAN change on the port based on the connected host state.
  • Ensure that RADIUS requests sent by the Cisco router contain the Cisco-NAS-Port vendor specific attribute. FortiNAC uses this attribute to identify the port involved in the authentication.
  • MAC-authentication bypass is supported, but administrators should be careful to set a reasonable delay. The switch waits for the delay period for the EAPOL message prior to using MAC-authentication. Connecting hosts will be delayed by at least that amount when no supplicant is present or enabled.

IOS configuration statements relating to 802.1x

The statements listed below represent a minimal configuration to enable 802.1x on a Cisco switch/router running IOS. The commands may vary based on switch model and IOS version. These are taken from a Cisco 3750 -24TS running IOS 12.2(25)SEE3.

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius

aaa nas port extended

(required to enable Cisco-NAS-Port)

!

interface FastEthernet1/0/18

switchport access vlan 163

(Port will only be assigned this VLAN if none is assigned or exception condition occurs.)

switchport trunk encapsulation dot1q

switchport mode access

dot1x mac-auth-bypass (optional)

dot1x pae authenticator

dot1x port-control auto

dot1x host-mode multi-host

dot1x timeout quiet-period 3

dot1x timeout server-timeout 10

dot1x timeout reauth-period 180

dot1x timeout tx-period 5

dot1x timeout supp-timeout 6

dot1x reauthentication

!

radius-server host 192.168.34.31 auth-port 1812 acct-port 1813 key abc123

radius-server source-ports 1645-1646

radius-server vsa send authentication