Fortinet black logo

Administration Guide

802.1x authentication

Copy Link
Copy Doc ID 962fb21b-9bd3-11eb-b70b-00505692583a:110300
Download PDF

802.1x authentication

To control network access, the FortiSwitch unit supports IEEE 802.1x authentication. A supplicant connected to a port on the switch must be authenticated by a RADIUS server to gain access to the network. The supplicant and the authentication server communicate using the switch using EAP. The FortiSwitch unit supports EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the FortiSwitch unit.

The FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.

The FortiSwitch unit supports up to 20 devices per port for 802.1x MAC-based authentication. System-wide, the FortiSwitch unit now supports a total of 10 times the number of interfaces for 802.1x MAC-based authentication:

Model

Total number of devices supported per switch

108

80

112

120

124/224/424/524/1024

240

148/248/448/548/1048

480

3032

320

You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1x authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication.

Optionally, you can configure a guest VLAN for unauthorized users, a VLAN for users whose authentication was unsuccessful, and a VLAN for users when the authentication server is unavailable.

When the authentication server is unavailable after the server timeout period expires:

  • You can control how many seconds the authentication server tries to authenticate users for before assigning them to the specified VLAN:

    config switch interface

    edit <interface_name>

    config port-security

    set port-security-mode {802.1X | 802.1X-mac-based}

    set authserver-timeout-period <3-15 seconds>

    set authserver-timeout-vlan {enable | disable}

    set authserver-timeout-vlanid <1-4094>

    end

    set security-groups <security-group-name>

    next

    end

  • You can control how often the server checks if the RADIUS server is available:

    config user radius

    edit <RADIUS_user_name>

    set link-monitor {enable | disable}

    set link-monitor-interval <5-120 seconds>

    next

    end

When you are testing your system configuration for 802.1x authentication, you can use the monitor mode to allow network traffic to flow, even if there are configuration problems or authentication failures.

This section covers the following topics:

802.1x authentication

To control network access, the FortiSwitch unit supports IEEE 802.1x authentication. A supplicant connected to a port on the switch must be authenticated by a RADIUS server to gain access to the network. The supplicant and the authentication server communicate using the switch using EAP. The FortiSwitch unit supports EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the FortiSwitch unit.

The FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.

The FortiSwitch unit supports up to 20 devices per port for 802.1x MAC-based authentication. System-wide, the FortiSwitch unit now supports a total of 10 times the number of interfaces for 802.1x MAC-based authentication:

Model

Total number of devices supported per switch

108

80

112

120

124/224/424/524/1024

240

148/248/448/548/1048

480

3032

320

You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1x authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication.

Optionally, you can configure a guest VLAN for unauthorized users, a VLAN for users whose authentication was unsuccessful, and a VLAN for users when the authentication server is unavailable.

When the authentication server is unavailable after the server timeout period expires:

  • You can control how many seconds the authentication server tries to authenticate users for before assigning them to the specified VLAN:

    config switch interface

    edit <interface_name>

    config port-security

    set port-security-mode {802.1X | 802.1X-mac-based}

    set authserver-timeout-period <3-15 seconds>

    set authserver-timeout-vlan {enable | disable}

    set authserver-timeout-vlanid <1-4094>

    end

    set security-groups <security-group-name>

    next

    end

  • You can control how often the server checks if the RADIUS server is available:

    config user radius

    edit <RADIUS_user_name>

    set link-monitor {enable | disable}

    set link-monitor-interval <5-120 seconds>

    next

    end

When you are testing your system configuration for 802.1x authentication, you can use the monitor mode to allow network traffic to flow, even if there are configuration problems or authentication failures.

This section covers the following topics: