
Administration Guide

802.1x authentication

To control network access, the FortiSwitch unit supports IEEE 802.1x authentication. A supplicant connected to a port on the switch must be authenticated by a RADIUS server to gain access to the network. The supplicant and the authentication server communicate through the switch using EAP. The FortiSwitch unit supports EAP-PEAP, EAP-TTLS, and EAP-TLS.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the FortiSwitch unit.

The FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicant's device. The switch provides network access only to devices that have successfully been authenticated.

The maximum number of MAC sessions per port is 20 for all FortiSwitch models. The following table lists the maximum number of MAC sessions per switch for each FortiSwitch model.

Model                      Maximum number of MAC sessions per switch
108                        80
112                        60
124/224/424/524/1024       240
148/248/448/548/1048       480
3032                       320

You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1x authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication.

Optionally, you can configure a guest VLAN for unauthorized users, a VLAN for users whose authentication was unsuccessful, and a VLAN for users when the authentication server is unavailable.

When the authentication server is unavailable after the server timeout period expires:

  • You can control how many seconds authentication with the server is attempted before users are assigned to the specified VLAN:

    config switch interface
        edit <interface_name>
            config port-security
                set port-security-mode {802.1X | 802.1X-mac-based}
                set authserver-timeout-period <3-15 seconds>
                set authserver-timeout-vlan {enable | disable}
                set authserver-timeout-vlanid <1-4094>
            end
            set security-groups <security-group-name>
        next
    end

  • You can control how often the switch checks whether the RADIUS server is available:

    config user radius
        edit <RADIUS_user_name>
            set link-monitor {enable | disable}
            set link-monitor-interval <5-120 seconds>
        next
    end
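As an added example (not Fortinet's code), the following script parses a FortiSwitch CLI fragment in the layout shown above and audits it against the ranges this page states: a timeout period of 3-15 seconds, a VLAN ID of 1-4094 whenever the timeout VLAN is enabled, and a link-monitor interval of 5-120 seconds. The port and RADIUS entry names, the sample configuration, and the default values assumed for unset keys are all constructed for illustration.

```python
# Constructed FortiSwitch CLI sample in the page's layout (not captured from a real device):
# port1 enables the timeout VLAN with no VLAN ID, uses a 30 s period, and RADIUS polling is off.
SAMPLE = """\
config switch interface
    edit "port1"
        config port-security
            set port-security-mode 802.1X-mac-based
            set authserver-timeout-period 30
            set authserver-timeout-vlan enable
        end
    next
end
config user radius
    edit "corp-radius"
        set link-monitor disable
    next
end
"""

def parse_entries(text):
    """Flatten the CLI into {section: {entry: {key: value}}}; nested config blocks fold into their entry."""
    entries, stack, cur = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            stack.append(line[7:])          # stack[0] is the top-level section name
        elif line == "end":
            stack.pop()
        elif line.startswith("edit "):
            cur = entries.setdefault(stack[0], {}).setdefault(line[5:].strip('"'), {})
        elif line == "next":
            cur = None
        elif line.startswith("set ") and cur is not None:
            key, _, val = line[4:].partition(" ")
            cur[key] = val.strip('"')
    return entries

def audit(text):
    """Check the ranges the page states; returns [(object, message), ...]."""
    cfg, out = parse_entries(text), []
    for port, s in cfg.get("switch interface", {}).items():
        if not 3 <= int(s.get("authserver-timeout-period", 3)) <= 15:  # 3 assumed when unset
            out.append((port, "authserver-timeout-period outside 3-15 seconds"))
        vid = int(s.get("authserver-timeout-vlanid", 0))                 # 0 means "not set"
        if s.get("authserver-timeout-vlan") == "enable" and not 1 <= vid <= 4094:
            out.append((port, "authserver-timeout-vlan enabled without a VLAN ID in 1-4094"))
    for name, s in cfg.get("user radius", {}).items():
        if s.get("link-monitor") != "enable":
            out.append((name, "link-monitor disabled, so RADIUS availability is not polled"))
        elif not 5 <= int(s.get("link-monitor-interval", 5)) <= 120:    # 5 assumed when unset
            out.append((name, "link-monitor-interval outside 5-120 seconds"))
    return out
```

Running audit(SAMPLE) reports three findings; a fragment that stays within the stated ranges returns an empty list.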

When you are testing your system configuration for 802.1x authentication, you can use the monitor mode to allow network traffic to flow, even if there are configuration problems or authentication failures.

This section covers the following topics: