Administration Guide

Dynamic VLAN assignment

You can configure the RADIUS server to return a VLAN in the authentication reply message:

  1. On the FortiSwitch unit, select port-based authentication or MAC-based authentication and a security group.
  2. On the RADIUS server, configure the attributes.

Using the GUI:

  1. Go to Switch > Interface > Physical.
  2. Select a port and then select Edit.
  3. Select 802.1X for port-based authentication or select 802.1X-MAC-based for MAC-based authentication.
  4. Select one or more security groups.
  5. Select OK.

Using the CLI:

To select port-based authentication and the security group on the FortiSwitch unit:

config switch interface
    edit <interface_name>
        config port-security
            set port-security-mode 802.1X
        end
        set security-groups <security-group-name>
end

The FortiSwitch unit will change the native VLAN of the port to that of the VLAN from the server.

To select MAC-based authentication and the security group on the FortiSwitch unit:

config switch interface
    edit <interface_name>
        config port-security
            set port-security-mode 802.1X-mac-based
        end
        set security-groups <security-group-name>
end

Here, the switch assigns the returned VLAN only to this user's MAC address. The native VLAN of the port remains unchanged.

Use the following configuration command to view the MAC-based VLAN assignments:

diagnose switch vlan assignment mac list [sorted-by-mac | sorted-by-vlan]

Configure the following attributes in the RADIUS server:

  • Tunnel-Private-Group-Id—VLAN ID or name (10)
  • Tunnel-Medium-Type—IEEE-802 (6)
  • Tunnel-Type—VLAN (13)

NOTE: If the Tunnel-Private-Group-Id attribute is set to the VLAN name, the same string must be specified in the set description command under the config switch vlan command. For example:

config switch vlan
    edit 100
        set description "local_vlan"
    next
end

Starting in FortiSwitchOS 7.0.0, you can use the following RADIUS attributes to configure dynamic non-native VLANs:

  • Egress-VLANID—Provides the VLAN identifier and controls whether egress packets are tagged (56).

    To set the VLAN ID value, use 0x31 for a tagged VLAN or 0x32 for an untagged VLAN. For example, to indicate that VLAN 16 is untagged, the Egress-VLANID is 0x32000010 or 838860816.

  • Egress-VLAN-Name—Provides the VLAN name and controls whether egress packets are tagged (58).

    To provide the VLAN name as the VLAN description string defined under the config switch vlan command, use ‘1’ for a tagged VLAN or ‘2’ for an untagged VLAN. For example:

    • To assign the description “VLAN_8” to VLAN 8, which is tagged, use the following string: “1VLAN_8”
    • To assign the description “SALES_1772” to VLAN 1772, which is untagged, use the following string: “2SALES_1772”
  • Ingress-Filters—Enables the use of ingress filters (57). The use of ingress filters cannot be disabled.

NOTE: The VLAN name in the Egress-VLAN-Name attribute must match the string specified in the set description command under the config switch vlan command. For example:

config switch vlan
    edit 100
        set description "local_vlan"
    next
end
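The following Python is an added example, not part of the FortiSwitchOS guide: it encodes and decodes the Egress-VLANID and Egress-VLAN-Name values described above (RFC 4675 layout) and checks a received name against the set description strings on the switch; SWITCH_VLANS is a constructed sample of such descriptions.

```python
# Added example (not from the FortiSwitch guide): encode/decode the RFC 4675
# Egress-VLANID and Egress-VLAN-Name values and check a decoded name against
# the VLAN descriptions configured under "config switch vlan".
from typing import Dict, Optional, Tuple

TAGGED, UNTAGGED = 0x31, 0x32          # tag-indication octet for Egress-VLANID
NAME_TAGGED, NAME_UNTAGGED = "1", "2"  # tag-indication character for Egress-VLAN-Name


def egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """Return the 32-bit Egress-VLANID: tag octet, 12 zero bits, 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode_egress_vlanid(value: int) -> Tuple[int, bool]:
    """Split an Egress-VLANID integer into (vlan_id, tagged); reject malformed values."""
    indication, padding, vlan_id = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if indication not in (TAGGED, UNTAGGED) or padding != 0 or not 1 <= vlan_id <= 4094:
        raise ValueError(f"malformed Egress-VLANID: {value:#010x}")
    return vlan_id, indication == TAGGED


def egress_vlan_name(description: str, tagged: bool) -> str:
    """Prefix the VLAN description with '1' (tagged) or '2' (untagged)."""
    return (NAME_TAGGED if tagged else NAME_UNTAGGED) + description


def decode_egress_vlan_name(attr: str) -> Tuple[str, bool]:
    """Split an Egress-VLAN-Name string into (description, tagged)."""
    if len(attr) < 2 or attr[0] not in (NAME_TAGGED, NAME_UNTAGGED):
        raise ValueError(f"malformed Egress-VLAN-Name: {attr!r}")
    return attr[1:], attr[0] == NAME_TAGGED


# Constructed sample of "set description" strings keyed by VLAN ID (not a real switch dump).
SWITCH_VLANS: Dict[int, str] = {8: "VLAN_8", 100: "local_vlan", 1772: "SALES_1772"}


def resolve_vlan_name(attr: str, vlans: Dict[int, str] = SWITCH_VLANS) -> Optional[int]:
    """Map a received Egress-VLAN-Name to the single VLAN whose description matches it
    exactly. No exact match (e.g. a case difference) yields None: nothing to assign."""
    description, _tagged = decode_egress_vlan_name(attr)
    matches = [vid for vid, desc in vlans.items() if desc == description]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    print(f"VLAN 16 untagged -> {egress_vlanid(16, False):#x} = {egress_vlanid(16, False)}")
    print(decode_egress_vlan_name("2SALES_1772"), resolve_vlan_name("2SALES_1772"))
```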

You can verify your configuration with the diagnose switch 802-1x status <port_name> command. In the following example, the Dynamic Allowed Vlan list and Dynamic Untagged Vlan list lines show the dynamic non-native VLANs:

S448DF3X15000026 # diagnose switch 802-1x status port1

port1 : Mode: port-based (mac-by-pass enable) 
	Link: Link up
	Port State: authorized: (  ) 
	Dynamic Authorized Vlan : 101
	Dynamic Allowed Vlan list: 30-31,40-41
	Dynamic Untagged Vlan list: 40-41
	EAP pass-through : Enable
	EAP egress-frame-tagged : Enable
	EAP auto-untagged-vlans : Enable
	Allow MAC Move : Disable
	Quarantine VLAN (4093) detection : Enable
	Native Vlan : 101
	Allowed Vlan list: 4-7,30-31,40-41,101
	Untagged Vlan list: 40-41
	Guest VLAN :
	Auth-Fail Vlan :
	AuthServer-Timeout Vlan :

	Sessions info:
	00:00:00:01:01:02     Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=11 params:reAuth=3600
