Configuring the 802.1x settings on an interface
Starting in FortiSwitchOS 7.0.0, you can use the CLI to allow an 802.1x client to move between ports that are not directly connected to the FortiSwitch unit without having to delete the 802.1x session. For example, you can move an 802.1x client PC that connects through an IP phone to port1 of the FortiSwitch unit to a port of a third-party switch that connects to port2 of the FortiSwitch unit.
This feature is available for 802.1x port-based authentication, 802.1x MAC-based authentication, MAB enabled or disabled, and EAP pass-through mode enabled or disabled. To see which models support this feature, refer to the FortiSwitch feature matrix.
NOTE: MAC-move tagged EAP is not supported.
To use this feature, enable allow-mac-move
on the destination port (port2 in the example). If you enable both eap-egress-tagged
allow-mac-move
, egress EAPOL packets are tagged without needing additional checking, which makes the process more efficient.
Using the GUI:
- Go to Switch > Interface > Physical.
- Select a port and then select Edit.
- Select 802.1X for port-based authentication or select 802.1X-MAC-based for MAC-based authentication.
The Port Security section displays additional options. - Select MAC Auth Bypass.
- Select EAP Pass-Through Mode.
NOTE: EAP Pass-Through Mode is enabled by default, which is the recommended setting. If the RADIUS authentication server does not support EAP-TLS, the EAP Pass-Through Mode needs to be disabled. - Select Frame VLAN Apply to apply the EAP/MAB frame VLAN to the port native VLAN.
NOTE: For phone and PC configuration only, clear the checkbox to preserve the native VLAN when the data traffic is expected to be untagged. - Select Open Authentication to enable open authentication (monitor mode) on this interface. Use the monitor mode to test your system configuration for 802.1x authentication. You can use monitor mode to test port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass. After you enable monitor mode, the network traffic will continue to flow, even if the users fail authentication.
- Select Guest VLAN if you want to assign a VLAN to unauthorized users. If you select Guest VLAN, enter the guest VLAN identifier in the Guest VLAN ID field and enter the number of seconds for an unauthorized user to have access as a guest before authorization fails in the Guest Auth Delay field.
- Select Auth Fail VLAN if you want to assign a VLAN to users who attempted to authenticate but failed to provide valid credentials. If you select Auth Fail VLAN, enter the VLAN identifier in the Auth Fail VLAN ID field.
- If you want to use the RADIUS-provided reauthentication time, select RADUS Session Timeout.
- If you are using port-based authentication or MAC-based authentication, select one or more security groups.
- Select OK.
Using the CLI:
config switch interface
edit <port>
config port-security
set allow-mac-move {disable | enable}
set eap-egress-tagged {disable | enable}
set port-security-mode {none | 802.1X | 802.1X-mac-based}
set framevid-apply {disable | enable}
set auth-fail-vlan {enable | disable}
set auth-fail-vlanid <vlanid>
set authserver-timeout-period <3-15>
set authserver-timeout-vlan {enable | disable}
set authserver-timeout-vlanid <1-4094>
set eap-passthru {enable | disable}
set guest-auth-delay <integer>
set guest-vlan {enable | disable}
set guest-vlanid <vlanid>
set mac-auth-bypass {enable | disable}
set open-auth {enable | disable}
set radius-timeout-overwrite {enable | disable}
end
set security-groups <security-group-name>
end