Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSwitch 7.0.3 Administration Guide
    7.0.3
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.11
    6.4.6
    6.4.5
    6.4.3
    6.4.2
    6.4.0
    6.2.5
    6.2.2
    6.2.1
    6.2.0

    802.1x authentication

    802.1x authentication

    To control network access, the FortiSwitch unit supports IEEE 802.1x authentication. A supplicant connected to a port on the switch must be authenticated by a RADIUS server to gain access to the network. The supplicant and the authentication server communicate using the switch using EAP. The FortiSwitch unit supports EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5.

    To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the FortiSwitch unit.

    The FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.

    The maximum number of MAC sessions per port is 20 for all FortiSwitch models. The following table lists the maximum number of MAC sessions per switch for each FortiSwitch model.

    Model

    Maximum number of MAC sessions per switch

    108

    80

    112

    60

    124/224/424/524/1024

    240

    148/248/448/548/1048

    480

    3032

    320

    You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1x authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication.

    Optionally, you can configure a guest VLAN for unauthorized users, a VLAN for users whose authentication was unsuccessful, and a VLAN for users when the authentication server is unavailable.

    When the authentication server is unavailable after the server timeout period expires:

    • You can control how many seconds the authentication server tries to authenticate users for before assigning them to the specified VLAN:

      config switch interface

      edit <interface_name>

      config port-security

      set port-security-mode {802.1X | 802.1X-mac-based}

      set authserver-timeout-period <3-15 seconds>

      set authserver-timeout-vlan {enable | disable}

      set authserver-timeout-vlanid <1-4094>

      end

      set security-groups <security-group-name>

      next

      end

    • You can control how often the server checks if the RADIUS server is available:

      config user radius

      edit <RADIUS_user_name>

      set link-monitor {enable | disable}

      set link-monitor-interval <5-120 seconds>

      next

      end

    When you are testing your system configuration for 802.1x authentication, you can use the monitor mode to allow network traffic to flow, even if there are configuration problems or authentication failures.

    This section covers the following topics:

    Previous
    Next

    802.1x authentication

    802.1x authentication

    To control network access, the FortiSwitch unit supports IEEE 802.1x authentication. A supplicant connected to a port on the switch must be authenticated by a RADIUS server to gain access to the network. The supplicant and the authentication server communicate using the switch using EAP. The FortiSwitch unit supports EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5.

    To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the FortiSwitch unit.

    The FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.

    The maximum number of MAC sessions per port is 20 for all FortiSwitch models. The following table lists the maximum number of MAC sessions per switch for each FortiSwitch model.

    Model

    Maximum number of MAC sessions per switch

    108

    80

    112

    60

    124/224/424/524/1024

    240

    148/248/448/548/1048

    480

    3032

    320

    You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1x authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication.

    Optionally, you can configure a guest VLAN for unauthorized users, a VLAN for users whose authentication was unsuccessful, and a VLAN for users when the authentication server is unavailable.

    When the authentication server is unavailable after the server timeout period expires:

    • You can control how many seconds the authentication server tries to authenticate users for before assigning them to the specified VLAN:

      config switch interface

      edit <interface_name>

      config port-security

      set port-security-mode {802.1X | 802.1X-mac-based}

      set authserver-timeout-period <3-15 seconds>

      set authserver-timeout-vlan {enable | disable}

      set authserver-timeout-vlanid <1-4094>

      end

      set security-groups <security-group-name>

      next

      end

    • You can control how often the server checks if the RADIUS server is available:

      config user radius

      edit <RADIUS_user_name>

      set link-monitor {enable | disable}

      set link-monitor-interval <5-120 seconds>

      next

      end

    When you are testing your system configuration for 802.1x authentication, you can use the monitor mode to allow network traffic to flow, even if there are configuration problems or authentication failures.

    This section covers the following topics:

    Previous
    Next