802.1X authentication, which provides FortiNAC with another means of port-level access control, is supported for a select list of Cisco, Extreme, Juniper and HP switches. Devices include the following:
- Cisco 4500, 3650 and 3750. See Wired devices and 802.1X.
- HP 2300, 2600, 3500, 5400, and 6400 series
- Juniper EX series switches. Refer to the Juniper EX Switch: 802.1x / MAC-Auth Configuration document in the customer portal.
- Extreme 450 XOS
Support for additional devices will be provided based on the number of customer requests and the availability of similar equipment.
Host supplicants should be configured to authenticate using user credentials rather than host information such as the hostname. This gives FortiNAC the user information to associate with the host or device, allowing for automatic authentication.
HP switches must have a time-window of 0 for the most consistent results.
- In FortiNAC set up one or more RADIUS servers for authentication. See RADIUS for additional information.
- Make sure that the RADIUS secret is the same everywhere, including: the RADIUS server itself, the RADIUS server settings configured in FortiNAC, the RADIUS settings configured on the model configuration, and the configuration for your device. If the RADIUS secret does not match in all locations, authentication requests will fail.
- Add the Device to FortiNAC using the Discovery process or by adding the device manually. See Discovery or Add or modify a device.
- After the device is added to FortiNAC you must complete the model for the network device in the database. See Model configuration.
- If VLAN switching is not enabled, no VLAN will be assigned to an authentication response. Verify that VLAN Switching is enabled under Device Properties.
- Ports on the device that will manage connected hosts should be placed in the appropriate access control groups, such as: forced registration, forced authentication, or forced remediation. If ports are not added to these groups, the isolation VLANs associated with those states will not be provided in an authentication response for those ports. See Groups view.
Define the FortiNAC Server or Control Server as the RADIUS server for the devices you want to manage with FortiNAC as follows:
- Use the management IP address of your FortiNAC Server as the IP of the RADIUS server.
- Use port 1812 for authentication.
- If you are setting up FortiNAC as the RADIUS server for a device in a high availability environment, you must use the actual IP address of the primary control server, not the Shared IP address. Set up the secondary control server as a secondary RADIUS server using its actual IP address. Regardless of the environment, you may also want to set up your actual RADIUS server to be used in the event that none of your FortiNAC appliances can be reached. This would allow users to access the network, but they would not be controlled by FortiNAC.
Cisco switches include numerous features with their 802.1x support, many of which are not affected by this integration. Administrators should be familiar with configuring 802.1x port-based authentication on the relevant switches. Many options can be configured that affect the authentication behavior on the device, such as host mode (i.e., single-host and multi-host modes) and IP phone support. It is recommended that you have a thorough understanding of these features before deploying 802.1x.
Cisco features that are affected by the integration with FortiNAC include the following:
- Configuring VLANs for the guest, auth and critical values is not supported. FortiNAC does not currently detect how a port has been assigned a VLAN. FortiNAC always assumes it is in control of the VLAN to which a port is assigned. Therefore, if these VLANs are configured, FortiNAC may still attempt to effect a VLAN change on the port based on the connected host state.
- Ensure that RADIUS requests sent by the Cisco router contain the Cisco-NAS-Port vendor specific attribute. FortiNAC uses this attribute to identify the port involved in the authentication.
- MAC-authentication bypass is supported, but administrators should be careful to set a reasonable delay. The switch waits for the delay period for the EAPOL message prior to using MAC-authentication. Connecting hosts will be delayed by at least that amount when no supplicant is present or enabled.
The statements listed below represent a minimal configuration to enable 802.1x on a Cisco switch/router running IOS. The commands may vary based on switch model and IOS version. These are taken from a Cisco 3750-24TS running IOS 12.2(25)SEE3.
aaa authentication dot1x default group radius
aaa authorization network default group radius
! Required to enable Cisco-NAS-Port
aaa nas port extended
! Port will only be assigned this VLAN if none is assigned or an exception condition occurs
switchport access vlan 163
switchport trunk encapsulation dot1q
switchport mode access
! Optional
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x timeout quiet-period 3
dot1x timeout server-timeout 10
dot1x timeout reauth-period 180
dot1x timeout tx-period 5
dot1x timeout supp-timeout 6
radius-server host 192.168.34.31 auth-port 1812 acct-port 1813 key abc123
radius-server source-ports 1645-1646
radius-server vsa send authentication
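
The following Python check is an added example, not part of the FortiNAC or Cisco documentation. It audits an IOS configuration against the requirements stated above: Cisco-NAS-Port enabled, no guest/auth-fail/critical VLANs, and FortiNAC defined as the RADIUS host on port 1812 by its actual IP rather than the HA shared IP. The function name `audit`, the sample configuration, the interface name and the matched `dot1x guest-vlan` / `auth-fail vlan` / `critical vlan` syntax are assumptions.

```python
import re

# Constructed sample: part of the page's config plus one unsupported line
# (dot1x guest-vlan). Interface name and key are placeholders (assumptions).
SAMPLE_CONFIG = """\
aaa authentication dot1x default group radius
aaa authorization network default group radius
interface FastEthernet1/0/1
 switchport access vlan 163
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 200
radius-server host 192.168.34.31 auth-port 1645 acct-port 1813 key EXAMPLE-SECRET
"""

# Global statements the integration relies on, with the consequence if absent.
REQUIRED = {
    "aaa authentication dot1x default group radius": "802.1X is not authenticated via RADIUS",
    "aaa authorization network default group radius": "RADIUS-assigned VLANs are not applied",
    "aaa nas port extended": "Cisco-NAS-Port is not sent, so the port cannot be identified",
    "radius-server vsa send authentication": "vendor-specific attributes are not sent",
}
# Switch-assigned VLANs that FortiNAC does not track (guest, auth-fail, critical).
UNSUPPORTED_VLAN = re.compile(r"^dot1x (guest-vlan|auth-fail vlan|critical vlan)\s+\d+")
RADIUS_HOST = re.compile(r"^radius-server host (\S+)(?: auth-port (\d+))?")

def audit(config, fortinac_ips, shared_ip=None):
    """Return a list of findings for an IOS config used with FortiNAC 802.1X."""
    lines = [s for s in (ln.strip() for ln in config.splitlines()) if s and s[0] != "!"]
    findings = [f"missing '{cmd}': {why}" for cmd, why in REQUIRED.items() if cmd not in lines]
    interface, hosts = "global", {}
    for ln in lines:
        if ln.startswith("interface "):
            interface = ln.split(None, 1)[1]
        elif UNSUPPORTED_VLAN.match(ln):
            findings.append(f"{interface}: '{ln}' sets a VLAN FortiNAC does not track")
        elif m := RADIUS_HOST.match(ln):
            hosts[m.group(1)] = m.group(2) or "1645"  # IOS default auth-port
    if shared_ip in hosts:
        findings.append(f"RADIUS host {shared_ip} is the HA shared IP; use actual server IPs")
    for ip in fortinac_ips:
        if ip not in hosts:
            findings.append(f"FortiNAC server {ip} is not defined as a RADIUS host")
        elif hosts[ip] != "1812":
            findings.append(f"RADIUS host {ip} uses auth-port {hosts[ip]}, expected 1812")
    return findings
```

Calling `audit(SAMPLE_CONFIG, ["192.168.34.31"])` reports the two missing global statements, the guest VLAN on the interface, and the wrong authentication port.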