Fortinet black logo

Administration Guide

Detailed deployment notes

Copy Link
Copy Doc ID 0f66c6af-cee6-11eb-97f7-00505692583a:110308
Download PDF

Detailed deployment notes

  • Using more than one security group (with the set security-groups command) per security profile is not supported.
  • CoA and single sign-on are supported only by the CLI in this release.
  • RADIUS CoA is supported in standalone mode and in non-NAT FortiLink mode.
  • The FortiSwitch unit supports using FortiAuthenticator, FortiConnect, Microsoft Network Policy Server (NPS), Aruba ClearPass, and Cisco Identity Services Engine (ISE) as the RADIUS server for CoA and RSSO.
  • Each RADIUS CoA server can support only one accounting manager in this release.
  • RADIUS accounting/CoA/VLAN-by-name features are supported only with eap-passthru enable.
  • Fortinet recommends a unique secret key for each accounting server.
  • For CoA to correctly function with FortiAuthenticator or FortiConnect, you must include the User-Name attribute (you can optionally include the Framed-IP-Address attribute) or the User-Name and Calling-Station-ID attributes in the CoA request.
  • To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the 802.1x-authenticated ports of your VLAN network for both port and MAC modes.
  • Port-based basic statistics for RADIUS accounting messages are supported in the Accounting Stop request.
  • By default, the accounting server is disabled. You must enable the accounting server with the set status enable command.
  • The default port for FortiAuthenticator single sign-on is 1813 for the FortiSwitch unit.
  • In MAC-based authentication, the maximum number of client MAC addresses is 20. Each model has its own maximum limit.
  • Static MAC addresses and sticky MAC addresses are mechanisms for manual/local authorization; 802.1x is a mechanism for protocol-based authorization. Do not mix them.
  • Fortinet recommends an 802.1x setup rate of 5 to 10 sessions per second.
  • Starting in FortiSwitch 6.2.0, when 802.1x authentication is configured, the EAP pass-through mode (set eap-passthru) is enabled by default.
  • For information about RADIUS attributes supported by FortiSwitchOS, refer to the “Supported attributes for RADIUS CoA and RSSO” appendix.
  • The authentication and accounting server configuration must be in the same address mode within the same member. The address mode is either IPv4 or IPv6, no matter what the address mode is in the FQDN or raw IP address. The address mode cannot be mixed.
  • When a client is authorized with the RADIUS timeout VLAN enabled, the client is placed in the authorization VLAN. If the RADIUS server becomes unavailable afterward and the reauthentication timer expires for the session, the device keeps the client in the authorization VLAN but the state changes from AUTHENTICATED to SERVER_TIMEOUT.
  • In general for 802.1x deployment, Fortinet suggests disabling STP in the 802.1x security ports. If STP is enabled on the ports, the ports must be assigned to STP instances that belong to a dynamic VLAN, guest VLAN, or auth-fail VLAN; otherwise, the network connectivity fails after the ports are authorized and assigned to a dynamic VLAN, guest VLAN, or auth-fail VLAN.

Detailed deployment notes

  • Using more than one security group (with the set security-groups command) per security profile is not supported.
  • CoA and single sign-on are supported only by the CLI in this release.
  • RADIUS CoA is supported in standalone mode and in non-NAT FortiLink mode.
  • The FortiSwitch unit supports using FortiAuthenticator, FortiConnect, Microsoft Network Policy Server (NPS), Aruba ClearPass, and Cisco Identity Services Engine (ISE) as the RADIUS server for CoA and RSSO.
  • Each RADIUS CoA server can support only one accounting manager in this release.
  • RADIUS accounting/CoA/VLAN-by-name features are supported only with eap-passthru enable.
  • Fortinet recommends a unique secret key for each accounting server.
  • For CoA to correctly function with FortiAuthenticator or FortiConnect, you must include the User-Name attribute (you can optionally include the Framed-IP-Address attribute) or the User-Name and Calling-Station-ID attributes in the CoA request.
  • To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the 802.1x-authenticated ports of your VLAN network for both port and MAC modes.
  • Port-based basic statistics for RADIUS accounting messages are supported in the Accounting Stop request.
  • By default, the accounting server is disabled. You must enable the accounting server with the set status enable command.
  • The default port for FortiAuthenticator single sign-on is 1813 for the FortiSwitch unit.
  • In MAC-based authentication, the maximum number of client MAC addresses is 20. Each model has its own maximum limit.
  • Static MAC addresses and sticky MAC addresses are mechanisms for manual/local authorization; 802.1x is a mechanism for protocol-based authorization. Do not mix them.
  • Fortinet recommends an 802.1x setup rate of 5 to 10 sessions per second.
  • Starting in FortiSwitch 6.2.0, when 802.1x authentication is configured, the EAP pass-through mode (set eap-passthru) is enabled by default.
  • For information about RADIUS attributes supported by FortiSwitchOS, refer to the “Supported attributes for RADIUS CoA and RSSO” appendix.
  • The authentication and accounting server configuration must be in the same address mode within the same member. The address mode is either IPv4 or IPv6, no matter what the address mode is in the FQDN or raw IP address. The address mode cannot be mixed.
  • When a client is authorized with the RADIUS timeout VLAN enabled, the client is placed in the authorization VLAN. If the RADIUS server becomes unavailable afterward and the reauthentication timer expires for the session, the device keeps the client in the authorization VLAN but the state changes from AUTHENTICATED to SERVER_TIMEOUT.
  • In general for 802.1x deployment, Fortinet suggests disabling STP in the 802.1x security ports. If STP is enabled on the ports, the ports must be assigned to STP instances that belong to a dynamic VLAN, guest VLAN, or auth-fail VLAN; otherwise, the network connectivity fails after the ports are authorized and assigned to a dynamic VLAN, guest VLAN, or auth-fail VLAN.