6.4.6

Configuring the FortiGate and FortiSwitch units

This section shows how to configure port-based 802.1x authentication with managed FortiSwitch ports when using FortiLink and how to troubleshoot the configuration.

  1. Log on to your FortiGate unit.
  2. Go to User & Device > RADIUS Servers and select Create New.
  3. Make the following changes:
    • In the Name field, enter a name for your RADIUS server. The name can match the Windows server name to make it easier to identify.
    • Select Specify for the authentication method and select MS-CHAP-v2.
    • In the NAS IP field, enter the IP address of your RADIUS server.
    • In the Primary Server area, enter the IP address of your RADIUS server again.
    • In the Secret field, enter the secret password that you configured in the RADIUS client settings.

  4. Select Test Connectivity.
    You should get a green response saying that the connectivity is successful.

    NOTE: The Test User Credentials button does not work with MS-CHAP-v2. The button is designed to function only with the insecure Password Authentication Protocol (PAP). With MS-CHAP-v2 configured, you will always receive a failure message if you select this button.

  5. To complete a successful user test, run a command from the FortiOS command line:

    FortiGate# diagnose test authserver radius RADIUSSERVERNAME mschap2 username password

    The following is the successful output of this command:

  6. Create a user group:
    1. Go to User & Device > User Groups and select Create New.
    2. In the Group field, enter a name for the user group.
    3. Select Firewall as the type.
    4. Select OK to create the user group.

  7. Create the FortiSwitch/FortiLink VLAN interface.
    1. Go to WiFi & Switch Controller > FortiSwitch VLANs and select Create New.
      The following figure shows the configured FortiSwitch/FortiLink VLAN interface.

    2. Check the configuration in the FortiOS CLI:

      FWF60D4615010908 # show system interface LAGuest
      config system interface
          edit "LAGuest"
              set vdom "root"
              set ip 172.16.34.254 255.255.255.0
              set allowaccess ping
              set device-identification enable
              set device-identification-active-scan enable
              set role lan
              set snmp-index 12
              set switch-controller-dhcp-snooping enable
              set interface "internal7"
              set vlanid 34
          next
      end

      FWF60D4615010908 # show system interface LALanSecure
      config system interface
          edit "LALanSecure"
              set vdom "root"
              set ip 172.16.32.254 255.255.255.0
              set allowaccess ping https ssh http capwap
              set alias "--HQ Secure LAN"
              set device-identification enable
              set device-identification-active-scan enable
              set fortiheartbeat enable
              set role lan
              set snmp-index 14
              set switch-controller-dhcp-snooping enable
              set interface "internal7"
              set vlanid 32
          next
      end

  8. Configure the 802.1x settings in the FortiOS CLI:

    config switch-controller 802-1X-settings
        set link-down-auth set-unauth
        set reauth-period 60
        set max-reauth-attempt 2
    end

  9. Configure the 802.1x security policy in the FortiOS CLI:

    config switch-controller security-policy 802-1X
        edit "LASecure_802-1X-policy"
            set user-group "Radius-Group"
            set mac-auth-bypass disable
            set open-auth disable
            set eap-passthru enable
            set guest-vlan enable
            set guest-vlan-id "LAGuest" // same as auth-fail-vlan
            set guest-auth-delay 60
            set auth-fail-vlan enable // use a specific VLAN upon authentication failure
            set auth-fail-vlan-id "LAGuest"
            set radius-timeout-overwrite enable
        next
    end

    If you want to reduce the time delay in recovering from auth-fail-vlan when an 802.1X failure happens, reduce the max-reauth-attempt and guest-auth-delay settings.

  10. Apply the port security policy to the FortiSwitch port in the FortiOS CLI:

    config switch-controller managed-switch
        edit "FS108D3W15000509"
            set fsw-wan1-peer "internal7"
            set fsw-wan1-admin enable
            set version 1
            set dynamic-capability 71836
            config ports
                edit "port2"
                    set poe-capable 1
                    set vlan "LALanSecure"
                    set allowed-vlans "LAGuest"
                    set port-security-policy "LASecure_802-1X-policy" // use "port-based" authentication
                    set export-to "root"
                next
            end
        next
    end
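The configuration built in steps 7, 9 and 10 has to agree with itself: the port's port-security-policy must name a policy that exists, that policy must keep open-auth and mac-auth-bypass disabled and reference a user group, and its guest and auth-fail VLAN names must be VLAN interfaces that are actually defined. The following Python script is an added example, not Fortinet code: it parses the FortiOS config syntax shown above (config/edit/set/next/end) into a dict tree and runs those checks offline against a saved dump. The sample dump is constructed from the blocks on this page, trimmed to the relevant settings, and the checks encode the intent of this procedure, not a FortiOS validation rule.

```python
"""Audit the 802.1X port-security settings in a FortiOS configuration dump.

Added example (not Fortinet code). Parses the nested config/edit/set/next/end
structure and checks the relationships the 802.1X procedure depends on.
"""
import shlex

# Constructed sample: the interface, security-policy and managed-switch
# blocks from steps 7, 9 and 10, trimmed to the settings the audit looks at.
SAMPLE_CONFIG = """\
config system interface
    edit "LAGuest"
        set vdom "root"
        set interface "internal7"
        set vlanid 34
    next
    edit "LALanSecure"
        set vdom "root"
        set interface "internal7"
        set vlanid 32
    next
end
config switch-controller security-policy 802-1X
    edit "LASecure_802-1X-policy"
        set user-group "Radius-Group"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set guest-vlan enable
        set guest-vlan-id "LAGuest" // same as auth-fail-vlan
        set guest-auth-delay 60
        set auth-fail-vlan enable
        set auth-fail-vlan-id "LAGuest"
    next
end
config switch-controller managed-switch
    edit "FS108D3W15000509"
        config ports
            edit "port2"
                set vlan "LALanSecure"
                set allowed-vlans "LAGuest"
                set port-security-policy "LASecure_802-1X-policy"
            next
        end
    next
end
"""


def parse_fortios(text):
    """Parse a FortiOS config dump into nested dicts.

    "config <table>" and "edit <name>" each open a nested dict, "set key v..."
    stores the value list on the current node, and "next"/"end" close the
    innermost open node. Inline "//" notes, as used in the docs, are ignored.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)
        cmd, args = words[0], words[1:]
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def audit_port(cfg, switch, port):
    """Return a list of findings for one managed-switch port; [] means it passes."""
    findings = []
    pcfg = cfg["switch-controller managed-switch"][switch]["ports"][port]
    policy_name = pcfg.get("port-security-policy", [None])[0]
    if policy_name is None:
        return [f"{port}: no port-security-policy bound, 802.1X is not enforced"]
    policy = cfg.get("switch-controller security-policy 802-1X", {}).get(policy_name)
    if policy is None:
        return [f"{port}: policy {policy_name!r} is not defined"]
    # Either of these settings lets a device onto the port without 802.1X credentials.
    for key in ("open-auth", "mac-auth-bypass"):
        if policy.get(key, ["disable"])[0] != "disable":
            findings.append(f"{policy_name}: {key} is enabled")
    if not policy.get("user-group"):
        findings.append(f"{policy_name}: no user-group, RADIUS users cannot match")
    interfaces = cfg.get("system interface", {})
    for flag, vlan_key in (("auth-fail-vlan", "auth-fail-vlan-id"),
                           ("guest-vlan", "guest-vlan-id")):
        if policy.get(flag, ["disable"])[0] != "enable":
            continue
        vlan = policy.get(vlan_key, [None])[0]
        if vlan is None or "vlanid" not in interfaces.get(vlan, {}):
            findings.append(f"{policy_name}: {vlan_key} {vlan!r} is not a defined VLAN interface")
        elif vlan == pcfg.get("vlan", [None])[0]:
            findings.append(f"{port}: {vlan_key} equals the native VLAN, a failure would not isolate the device")
    return findings


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for finding in audit_port(cfg, "FS108D3W15000509", "port2") or ["port2: OK"]:
        print(finding)
```

Run it against the output of `show full-configuration` saved to a file and call `audit_port` for each port that carries a security policy; a non-empty findings list is the item to fix before trusting the port.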

  11. Configure the firewall policy for the FortiSwitch connection to the RADIUS server, as shown in the following figure:

  12. Configure the firewall policy for the VLAN interface to the Internet, as shown in the following figure:

To troubleshoot your configuration:
  1. In the FortiOS CLI, verify that the connection from the FortiGate unit to the FortiSwitch unit is up:

    exec switch-controller get-conn-status

  2. In the FortiSwitchOS CLI, check whether the authentication succeeded. The following output shows a successful authentication:

    FS108D3W15000509 # diagnose switch 802-1x status port2
    port2 : Mode: port-based (mac-by-pass disable)
    Link: Link up
    Port State: authorized ( )
    Dynamic Authorized Vlan : 0
    EAP pass-through mode : Enable
    Native Vlan : 32
    Allowed Vlan list: 32
    Untagged Vlan list:
    Guest Vlan : 34 Guest Auth Delay :120
    Auth-Fail Vlan : 34
    Sessions info:
    54:e1:ad:4a:2d:6b Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=10 params:reAuth=600

    The following output shows a failed authentication:

    FS108D3W15000509 # diagnose switch 802-1x status port2
    port2 : Mode: port-based (mac-by-pass disable)
    Link: Link up
    Port State: unauthorized ( )
    Dynamic Authorized Vlan : 0
    EAP pass-through mode : Enable
    Native Vlan : 32
    Allowed Vlan list: 32
    Untagged Vlan list:
    Guest Vlan : 34 Guest Auth Delay :120
    Auth-Fail Vlan : 34
    Sessions info:
    54:e1:ad:4a:2d:6b Type=802.1x,IDENTITY,state=HELD,etime=0,eap_cnt=5 params:reAuth=600

    FS108D3W15000509 # diagnose switch vlan list 32
    VlanId Ports
    ______ ___________________________________________________
    32 port2 port10

    After a wrong password is entered, port2 is removed from VLAN 32 (LALanSecure) and placed in VLAN 34 (LAGuest):

    FS108D3W15000509 # diagnose switch vlan list 32
    VlanId Ports
    ______ ___________________________________________________
    32 port10

    FS108D3W15000509 # diagnose switch vlan list 34
    VlanId Ports
    ______ ___________________________________________________
    34 port1 port2 port10

    After a successful authentication, port2 is moved back to VLAN 32 (LALanSecure) and removed from VLAN 34 (LAGuest):

    FS108D3W15000509 # diagnose switch vlan list 32
    VlanId Ports
    ______ ___________________________________________________
    32 port2 port10

    FS108D3W15000509 # diagnose switch vlan list 34
    VlanId Ports
    ______ ___________________________________________________
    34 port1 port10
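The two diagnose commands above are what an operator reads by hand; when many ports or switches are involved it helps to interpret them programmatically and flag the cases that are neither a clean success nor a clean failure (a port reported unauthorized but still present in the secure VLAN, or authorized with no AUTHENTICATED session). The following Python script is an added example, not Fortinet code: it parses the `diagnose switch 802-1x status` and `diagnose switch vlan list` output formats shown above and checks that the port's VLAN membership matches its authentication outcome. The sample outputs are constructed from the before/after listings on this page; the regular expressions assume the output layout stays as shown here.

```python
"""Interpret FortiSwitchOS 802.1X diagnostics and check VLAN placement.

Added example (not Fortinet code). Reads the output of
'diagnose switch 802-1x status <port>' and 'diagnose switch vlan list <id>'
and reports whether the port landed where the security policy says it should.
"""
import re

# Constructed samples copied from the troubleshooting output above: the same
# port after a successful authentication and after a failed one.
STATUS_OK = """\
port2 : Mode: port-based (mac-by-pass disable)
Link: Link up
Port State: authorized ( )
Native Vlan : 32
Allowed Vlan list: 32
Guest Vlan : 34 Guest Auth Delay :120
Auth-Fail Vlan : 34
Sessions info:
54:e1:ad:4a:2d:6b Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=10 params:reAuth=600
"""
STATUS_FAILED = STATUS_OK.replace("authorized", "unauthorized").replace(
    "PEAP,state=AUTHENTICATED,etime=0,eap_cnt=10", "IDENTITY,state=HELD,etime=0,eap_cnt=5")
VLAN_LISTS_OK = """\
VlanId Ports
______ ___________________________________________________
32 port2 port10
VlanId Ports
______ ___________________________________________________
34 port1 port10
"""
VLAN_LISTS_FAILED = """\
VlanId Ports
______ ___________________________________________________
32 port10
VlanId Ports
______ ___________________________________________________
34 port1 port2 port10
"""

SESSION_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+Type=(?P<type>[^,]+),"
    r"(?P<method>[^,]+),state=(?P<state>[A-Z]+)")


def parse_status(text):
    """Parse 'diagnose switch 802-1x status <port>' output into a dict."""
    info = {"sessions": []}
    fields = {
        "port_state": re.compile(r"^Port State: (\w+)"),
        "native_vlan": re.compile(r"^Native Vlan : (\d+)"),
        "auth_fail_vlan": re.compile(r"^Auth-Fail Vlan : (\d+)"),
        "guest_vlan": re.compile(r"^Guest Vlan : (\d+)"),
    }
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(\S+) : Mode: (\S+)", line)
        if m:
            info["port"], info["mode"] = m.groups()
            continue
        for key, rx in fields.items():
            m = rx.match(line)
            if m:  # VLAN ids become ints, the port state stays a string
                info[key] = int(m.group(1)) if key.endswith("vlan") else m.group(1)
        m = SESSION_RE.match(line)
        if m:
            info["sessions"].append({"mac": m["mac"], "method": m["method"], "state": m["state"]})
    return info


def parse_vlan_lists(text):
    """Return {vlan_id: [ports]} from one or more 'diagnose switch vlan list' outputs."""
    members = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(.*)$", line)  # header and underscore rows do not match
        if m:
            members[int(m.group(1))] = m.group(2).split()
    return members


def check_port(status, members):
    """Classify the port and list anything inconsistent with the expected VLAN move."""
    port = status["port"]
    states = {s["state"] for s in status["sessions"]}
    in_native = port in members.get(status["native_vlan"], [])
    in_fail = port in members.get(status["auth_fail_vlan"], [])
    anomalies = []
    if status["port_state"] == "authorized":
        verdict = "authorized"
        if "AUTHENTICATED" not in states:
            anomalies.append("port authorized but no AUTHENTICATED session")
        if not in_native:
            anomalies.append(f"{port} missing from native VLAN {status['native_vlan']}")
        if in_fail:
            anomalies.append(f"{port} still in auth-fail VLAN {status['auth_fail_vlan']}")
    else:
        verdict = "auth-failed" if "HELD" in states else "unauthorized"
        if in_native:
            anomalies.append(f"{port} still in native VLAN {status['native_vlan']} while unauthorized")
        if verdict == "auth-failed" and not in_fail:
            anomalies.append(f"{port} HELD but not in auth-fail VLAN {status['auth_fail_vlan']}")
    return verdict, anomalies


if __name__ == "__main__":
    for label, st, vl in (("before", STATUS_OK, VLAN_LISTS_OK),
                          ("after failure", STATUS_FAILED, VLAN_LISTS_FAILED)):
        print(label, check_port(parse_status(st), parse_vlan_lists(vl)))
```

A HELD session with the port sitting in the auth-fail VLAN is the expected outcome of a bad password, so it is reported as a plain "auth-failed" verdict; only the mismatches between port state and VLAN membership are returned as anomalies worth a closer look.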

NOTE: When you replace an existing RADIUS server with a new one, the configuration is not updated in the FortiSwitch unit. Use the following procedure to update the RADIUS server configuration in the FortiSwitch unit:

  1. Use the FortiGate unit to access the FortiSwitch using SSH.
  2. Remove the configuration associated with the existing RADIUS server. Use the following commands to find the existing RADIUS server configuration:

    show user group
    show user radius

  3. To synchronize the configuration with the FortiSwitch unit:

    exe switch-controller trigger-config-sync

  4. Verify that the FortiGate unit and the FortiSwitch unit are synchronized:

    exe switch-controller get-sync-status all
