Fortinet Document Library

Administration Guide

20.4.0

Editing the port security

You can add port security with 802.1X port-based or MAC-based authentication.

To change the port security:
  1. Go to Configuration > Interfaces.
  2. Select to the left of a FortiSwitch unit.
  3. Select an interface and then select .

  4. Select 802.1X for port-based authentication or select 802.1X MAC-Based for MAC-based authentication.
  5. Select MAC Auth Bypass to allow the system to use the device MAC address as the user name and password for authentication.
  6. If the RADIUS authentication server does not support EAP-TLS, clear the EAP Pass-Through Mode checkbox.
  7. For phone and PC configuration only, clear the Frame VLAN Apply checkbox to preserve the native VLAN when the data traffic is expected to be untagged.

  8. Select Open Authentication to enable open authentication (monitor mode) on this interface. Use monitor mode to test your system configuration for 802.1X authentication. You can use it to test port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass. After you enable monitor mode, network traffic continues to flow even if users fail authentication.

  9. Select Guest VLAN if you want to assign a VLAN to unauthorized users. If you select Guest VLAN, enter the guest VLAN identifier in the Guest VLAN ID field and enter the number of seconds for an unauthorized user to have access as a guest before authorization fails in the Guest Auth Delay field.

  10. Select Auth Fail VLAN if you want to assign a VLAN to users who attempted to authenticate but failed to provide valid credentials. If you select Auth Fail VLAN, enter the VLAN identifier in the Auth Fail VLAN ID field.

  11. If you want to use the RADIUS-provided reauthentication time, select RADIUS Session Timeout.

  12. Click in the Security Groups field to select a security group. You can select multiple security groups.

  13. Select Save to apply your changes.
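
A configuration check for the settings in the steps above, as an added example that is not part of the Fortinet guide: it flags interfaces where Open Authentication (monitor mode) is still enabled, and Guest VLAN or Auth Fail VLAN selections that lack their required fields. The dictionary keys and the sample inventory are hypothetical and constructed here (they are not a FortiSwitch export format), and the 1-4094 VLAN ID range is an assumption taken from IEEE 802.1Q.

```python
# Added example: keys below are hypothetical, not a FortiSwitch export format.
VALID_MODES = {"802.1X", "802.1X MAC-Based"}  # the two modes named in step 4

def _bad_vlan(vid):
    # Assumption: usable IEEE 802.1Q VLAN IDs are 1-4094.
    return type(vid) is not int or not 1 <= vid <= 4094

def audit_port(name, cfg):
    """Return (severity, port, message) findings for one interface."""
    findings = []
    def add(sev, msg):
        findings.append((sev, name, msg))
    if cfg.get("mode") not in VALID_MODES:
        add("info", "neither 802.1X nor 802.1X MAC-Based is selected")
    if cfg.get("open_auth"):
        add("high", "Open Authentication (monitor mode) is on: traffic "
                    "flows even if users fail authentication")
    if cfg.get("mac_auth_bypass"):
        add("info", "MAC Auth Bypass is on: the device MAC address is "
                    "the user name and password")
    if cfg.get("guest_vlan"):
        if _bad_vlan(cfg.get("guest_vlan_id")):
            add("medium", "Guest VLAN selected without a valid Guest VLAN ID")
        delay = cfg.get("guest_auth_delay")
        if type(delay) is not int or delay <= 0:
            add("medium", "Guest VLAN selected without a Guest Auth Delay")
    if cfg.get("auth_fail_vlan") and _bad_vlan(cfg.get("auth_fail_vlan_id")):
        add("medium", "Auth Fail VLAN selected without a valid Auth Fail VLAN ID")
    return findings

def audit(inventory):
    """Audit every interface, in name order."""
    return [f for name in sorted(inventory)
            for f in audit_port(name, inventory[name])]

# Constructed sample inventory (not real device data).
SAMPLE = {
    "port1": {"mode": "802.1X", "open_auth": True, "guest_vlan": True,
              "guest_vlan_id": 30, "guest_auth_delay": 60},
    "port2": {"mode": "802.1X MAC-Based", "mac_auth_bypass": True,
              "auth_fail_vlan": True},  # Auth Fail VLAN ID left empty
    "port3": {"mode": "802.1X", "guest_vlan": True, "guest_vlan_id": 30,
              "guest_auth_delay": 60, "auth_fail_vlan": True,
              "auth_fail_vlan_id": 40},
}

if __name__ == "__main__":
    for sev, port, msg in audit(SAMPLE):
        print(f"{sev:6} {port}: {msg}")
```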
