
Administration Guide


Use cases

Here are three use cases for 802.1x authentication on a port that connects a Cisco phone with a PC daisy-chained behind it. In all three, LLDP-MED assigns the voice VLAN to the phone, and the port runs in MAC-based 802.1x mode so that the phone and the PC are authenticated separately.

Use case 1

In this use case, a Cisco phone is authenticated by MAC authentication bypass (MAB), and LLDP-MED assigns the voice VLAN. A PC behind the Cisco phone uses 802.1x authentication, with or without dynamic VLAN assignment. Because MAB authenticates the phone by its MAC address alone, the RADIUS MAB entry should be limited to the phone's address; the PC behind the phone still has to complete 802.1x.

The following is an example configuration:

config switch lldp profile
    edit "lldp-cisco-104"
        set 802.1-tlvs port-vlan-id
        set 802.3-tlvs power-negotiation
        config med-network-policy
            edit "voice"
                set assign-vlan enable
                set status enable
                set vlan 104
            next
        end
        set med-tlvs inventory-management network-policy
    next
end

config switch physical-port
    edit "port1"
        set lldp-profile "lldp-cisco-104"
    next
end

config switch interface
    edit "port1"
        set native-vlan 20
        set security-groups "CISEGRP"
        set snmp-index 1
        config port-security
            set mac-auth-bypass enable // Required. You need to enable MAB.
            set port-security-mode 802.1X-mac-based // Required
        end
    next
end

Use case 2

In this use case, the Cisco phone uses 802.1x authentication, and LLDP-MED assigns the voice VLAN. A PC behind the Cisco phone uses 802.1x authentication without dynamic VLAN assignment.

When the Cisco phone authenticates with 802.1x, the VLAN that RADIUS assigns dynamically to the phone must match the voice VLAN configured in the LLDP-MED profile (VLAN 104 in this example). If the two differ, the phone's voice traffic is tagged with a VLAN the port does not expect.

The following is an example configuration:

config switch lldp profile
    edit "lldp-cisco-104"
        set 802.1-tlvs port-vlan-id
        set 802.3-tlvs power-negotiation
        config med-network-policy
            edit "voice"
                set assign-vlan enable
                set status enable
                set vlan 104
            next
        end
        set med-tlvs inventory-management network-policy
    next
end

config switch physical-port
    edit "port1"
        set lldp-profile "lldp-cisco-104"
    next
end

config switch interface
    edit "port1"
        set native-vlan 20
        set security-groups "CISEGRP"
        set snmp-index 1
        config port-security
            set mac-auth-bypass disable // Optional
            set eap-auto-untagged-vlans disable // Required. Needed to allow voice traffic with voice VLAN tag at egress
            set port-security-mode 802.1X-mac-based // Required
        end
    next
end

Use case 3

In this use case, the Cisco phone uses 802.1x authentication, and LLDP-MED assigns the voice VLAN. The PC behind the Cisco phone uses 802.1x authentication with dynamic VLAN assignment.

When the Cisco phone authenticates with 802.1x, the VLAN that RADIUS assigns dynamically to the phone must match the voice VLAN configured in the LLDP-MED profile (VLAN 104 in this example).

Every VLAN ID that RADIUS can assign dynamically to a PC must be included in the untagged VLAN list on the port (and therefore also in the allowed VLAN list). A PC placed in a VLAN that is not untagged on the port will not pass traffic.

The following is an example configuration:

config switch lldp profile
    edit "lldp-cisco-104"
        set 802.1-tlvs port-vlan-id
        set 802.3-tlvs power-negotiation
        config med-network-policy
            edit "voice"
                set assign-vlan enable
                set status enable
                set vlan 104
            next
        end
        set med-tlvs inventory-management network-policy
    next
end

config switch physical-port
    edit "port1"
        set lldp-profile "lldp-cisco-104"
    next
end

config switch interface
    edit "port1"
        set native-vlan 20
        set allowed-vlans 50 60 70 // Assume that VLANs 50, 60, and 70 are a part of the dynamic VLANs configured on RADIUS for PCs in different groups.
        set untagged-vlans 50 60 70
        set security-groups "CISEGRP"
        set snmp-index 1
        config port-security
            set mac-auth-bypass disable // Optional
            set eap-auto-untagged-vlans disable // Required. Needed to allow voice traffic with voice VLAN tag at egress
            set port-security-mode 802.1X-mac-based // Required
        end
    next
end
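The three use cases above share a handful of consistency rules (port-security mode, MAB versus 802.1x for the phone, the RADIUS voice VLAN matching the LLDP-MED voice VLAN, and PC VLANs being untagged on the port) that are easy to get wrong when the switch and the RADIUS server are managed separately. The following is an added example, not Fortinet code: a Python checker that parses FortiSwitch-style CLI text (the `config`/`edit`/`set`/`next`/`end` format shown on this page, with the page's `//` comments tolerated) and audits one port against those rules. The RADIUS side is modelled as a plain dictionary (an assumption standing in for the VLAN your RADIUS server returns in Tunnel-Private-Group-ID), and the embedded sample configuration is a constructed copy of use case 3. Support for VLAN ranges such as `50-52` is also an assumption.

```python
"""Audit a FortiSwitch port for the 802.1x + LLDP-MED use cases (added example, not Fortinet code)."""
import shlex


def parse_forti_cli(text):
    """Parse config/edit/set/next/end CLI text into nested dicts; 'set' values become token lists."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()        # tolerate the page's trailing // comments
        if not line:
            continue
        tokens = shlex.split(line)                   # honours the quotes around names
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
        else:
            raise ValueError("unexpected CLI line: " + line)
    return root


def first(node, key, default=None):
    """First token of a 'set' value, or default if the key was never set."""
    vals = node.get(key)
    return vals[0] if vals else default


def vlan_set(node, key):
    """Expand 'set <key> 50 60 70' (and, by assumption, ranges like '50-52') into a set of ints."""
    out = set()
    for tok in node.get(key, []):
        lo, _, hi = tok.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def audit_port(cfg, port, phone_auth, radius):
    """Return a list of findings for one port; an empty list means the port is consistent.

    phone_auth: "mab" (use case 1) or "802.1x" (use cases 2 and 3).
    radius: {"voice": <VLAN RADIUS assigns the phone or None>, "pc": [<VLANs RADIUS may assign PCs>]}
    """
    findings = []
    iface = cfg.get("switch interface", {}).get(port, {})
    psec = iface.get("port-security", {})
    phys = cfg.get("switch physical-port", {}).get(port, {})
    profile = cfg.get("switch lldp profile", {}).get(first(phys, "lldp-profile"), {})
    voice = profile.get("med-network-policy", {}).get("voice", {})

    # Rules common to all three use cases.
    if first(psec, "port-security-mode") != "802.1X-mac-based":
        findings.append("port-security-mode must be 802.1X-mac-based")
    if first(voice, "status") != "enable" or first(voice, "assign-vlan") != "enable":
        findings.append("LLDP-MED voice policy must be enabled with assign-vlan enable")
    lldp_voice_vlan = int(first(voice, "vlan", 0))

    # Phone authenticated by MAB (use case 1) versus 802.1x (use cases 2 and 3).
    if phone_auth == "mab" and first(psec, "mac-auth-bypass") != "enable":
        findings.append("phone uses MAB: mac-auth-bypass must be enable")
    if phone_auth == "802.1x":
        if first(psec, "eap-auto-untagged-vlans") != "disable":
            findings.append("phone uses 802.1x: eap-auto-untagged-vlans must be set to disable")
        if radius.get("voice") != lldp_voice_vlan:
            findings.append(f"RADIUS voice VLAN {radius.get('voice')} != LLDP-MED voice VLAN {lldp_voice_vlan}")

    # Dynamic PC VLANs (use case 3) must be untagged, and hence allowed, on the port.
    untagged, allowed = vlan_set(iface, "untagged-vlans"), vlan_set(iface, "allowed-vlans")
    for v in radius.get("pc", []):
        if v not in untagged:
            findings.append(f"PC VLAN {v} from RADIUS is not in untagged-vlans")
        if v not in allowed:
            findings.append(f"PC VLAN {v} from RADIUS is not in allowed-vlans")
    return findings


# Constructed sample: a copy of the use case 3 configuration from this page.
SAMPLE_CONFIG = """
config switch lldp profile
    edit "lldp-cisco-104"
        set 802.1-tlvs port-vlan-id
        set 802.3-tlvs power-negotiation
        config med-network-policy
            edit "voice"
                set assign-vlan enable
                set status enable
                set vlan 104
            next
        end
        set med-tlvs inventory-management network-policy
    next
end
config switch physical-port
    edit "port1"
        set lldp-profile "lldp-cisco-104"
    next
end
config switch interface
    edit "port1"
        set native-vlan 20
        set allowed-vlans 50 60 70 // dynamic PC VLANs on RADIUS
        set untagged-vlans 50 60 70
        set security-groups "CISEGRP"
        set snmp-index 1
        config port-security
            set mac-auth-bypass disable
            set eap-auto-untagged-vlans disable
            set port-security-mode 802.1X-mac-based
        end
    next
end
"""


def demo():
    """Audit the sample port against a matching RADIUS policy, a mismatched one, and a MAB phone."""
    cfg = parse_forti_cli(SAMPLE_CONFIG)
    consistent = audit_port(cfg, "port1", "802.1x", {"voice": 104, "pc": [50, 60, 70]})
    mismatched = audit_port(cfg, "port1", "802.1x", {"voice": 105, "pc": [80]})
    mab_phone = audit_port(cfg, "port1", "mab", {"voice": None, "pc": []})
    return consistent, mismatched, mab_phone


if __name__ == "__main__":
    for label, result in zip(("consistent", "mismatched", "mab_phone"), demo()):
        print(label, result or "OK")
```

To audit a live switch, paste the output of `show switch lldp profile`, `show switch physical-port` and `show switch interface` into one string in place of `SAMPLE_CONFIG` and call `audit_port` with the VLANs your RADIUS policy actually returns; the second and third results of `demo()` show what a voice VLAN mismatch, a PC VLAN missing from the untagged list, and a MAB phone on a port without `mac-auth-bypass enable` look like.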
