Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSwitch 7.0.9 Administration Guide
    7.0.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.11
    6.4.6
    6.4.5
    6.4.3
    6.4.2
    6.4.0
    6.2.5
    6.2.2
    6.2.1
    6.2.0

    Use cases

    Use cases

    Here are three use cases for 802.1x authentication.

    Use case 1

    In this use case, a Cisco phone uses MAB and uses LLDP-MED to assign the voice VLAN. A PC behind the Cisco phone uses 802.1x authentication with or without dynamic VLAN assignment.

    The following is an example configuration:

    config switch lldp profile

    edit "lldp-cisco-104"

    set 802.1-tlvs port-vlan-id

    set 802.3-tlvs power-negotiation

    config med-network-policy

    edit "voice"

    set assign-vlan enable

    set status enable

    set vlan 104

    next

    set med-tlvs inventory-management network-policy

    next

    end

    config switch physical-port

    edit "port1"

    set lldp-profile "lldp-cisco-104"

    next

    end

    config switch interface

    edit "port1"

    set native-vlan 20

    set security-groups "CISEGRP"

    set snmp-index 1

    config port-security

    set mac-auth-bypass enable // Required. You need to enable MAB.

    set port-security-mode 802.1X-mac-based // Required

    end

    next

    end

    Use case 2

    In this use case, the Cisco phone uses 802.1x authentication and uses LLDP-MED to assign the voice VLAN. A PC behind the Cisco phone uses 802.1x authentication without dynamic VLAN assignment.

    RADIUS dynamic VLAN assignment for the voice VLAN must match the voice VLAN configured in the LLDP-MED profile for Cisco phone 802.1x authentication.

    The following is an example configuration:

    config switch lldp profile

    edit "lldp-cisco-104"

    set 802.1-tlvs port-vlan-id

    set 802.3-tlvs power-negotiation

    config med-network-policy

    edit "voice"

    set assign-vlan enable

    set status enable

    set vlan 104

    next

    set med-tlvs inventory-management network-policy

    next

    end

    config switch physical-port

    edit "port1"

    set lldp-profile "lldp-cisco-104"

    next

    end

    config switch interface

    edit "port1"

    set native-vlan 20

    set security-groups "CISEGRP"

    set snmp-index 1

    config port-security

    set mac-auth-bypass disable // Optional

    set eap-auto-untagged-vlans disable // Required. Needed to allow voice traffic with voice VLAN tag at egress

    set port-security-mode 802.1X-mac-based // Required

    end

    next

    end

    Use case 3

    In this use case, the Cisco phone uses 802.1x authentication and uses LLDP-MED to assign the voice VLAN. The PC behind the Cisco phone uses 802.1x authentication with dynamic VLAN assignment.

    RADIUS dynamic VLAN assignment for the voice VLAN has to match the voice VLAN configured in the LLDP-MED profile for Cisco phone 802.1x authentication.

    The VLAN ID from the RADIUS dynamic VLAN assignment for the PC has to be added in the untagged VLAN list on the port.

    The following is an example configuration:

    config switch lldp profile

    edit "lldp-cisco-104"

    set 802.1-tlvs port-vlan-id

    set 802.3-tlvs power-negotiation

    config med-network-policy

    edit "voice"

    set assign-vlan enable

    set status enable

    set vlan 104

    next

    set med-tlvs inventory-management network-policy

    next

    end

    config switch physical-port

    edit "port1"

    set lldp-profile "lldp-cisco-104"

    next

    end

    config switch interface

    edit "port1"

    set native-vlan 20

    set allowed-vlans 50 60 70 // Assume that VLANs 50, 60, and 70 are a part of the dynamic VLANs configured on RADIUS for PCs in different groups.

    set untagged-vlans 50 60 70

    set security-groups "CISEGRP"

    set snmp-index 1

    config port-security

    set mac-auth-bypass disable // Optional

    set eap-auto-untagged-vlans disable // Required. Needed to allow voice traffic with voice VLAN tag at egress

    set port-security-mode 802.1X-mac-based // Required

    end

    next

    end

    Previous
    Next

    Use cases

    Use cases

    Here are three use cases for 802.1x authentication.

    Use case 1

    In this use case, a Cisco phone uses MAB and uses LLDP-MED to assign the voice VLAN. A PC behind the Cisco phone uses 802.1x authentication with or without dynamic VLAN assignment.

    The following is an example configuration:

    config switch lldp profile

    edit "lldp-cisco-104"

    set 802.1-tlvs port-vlan-id

    set 802.3-tlvs power-negotiation

    config med-network-policy

    edit "voice"

    set assign-vlan enable

    set status enable

    set vlan 104

    next

    set med-tlvs inventory-management network-policy

    next

    end

    config switch physical-port

    edit "port1"

    set lldp-profile "lldp-cisco-104"

    next

    end

    config switch interface

    edit "port1"

    set native-vlan 20

    set security-groups "CISEGRP"

    set snmp-index 1

    config port-security

    set mac-auth-bypass enable // Required. You need to enable MAB.

    set port-security-mode 802.1X-mac-based // Required

    end

    next

    end

    Use case 2

    In this use case, the Cisco phone uses 802.1x authentication and uses LLDP-MED to assign the voice VLAN. A PC behind the Cisco phone uses 802.1x authentication without dynamic VLAN assignment.

    RADIUS dynamic VLAN assignment for the voice VLAN must match the voice VLAN configured in the LLDP-MED profile for Cisco phone 802.1x authentication.

    The following is an example configuration:

    config switch lldp profile

    edit "lldp-cisco-104"

    set 802.1-tlvs port-vlan-id

    set 802.3-tlvs power-negotiation

    config med-network-policy

    edit "voice"

    set assign-vlan enable

    set status enable

    set vlan 104

    next

    set med-tlvs inventory-management network-policy

    next

    end

    config switch physical-port

    edit "port1"

    set lldp-profile "lldp-cisco-104"

    next

    end

    config switch interface

    edit "port1"

    set native-vlan 20

    set security-groups "CISEGRP"

    set snmp-index 1

    config port-security

    set mac-auth-bypass disable // Optional

    set eap-auto-untagged-vlans disable // Required. Needed to allow voice traffic with voice VLAN tag at egress

    set port-security-mode 802.1X-mac-based // Required

    end

    next

    end

    Use case 3

    In this use case, the Cisco phone uses 802.1x authentication and uses LLDP-MED to assign the voice VLAN. The PC behind the Cisco phone uses 802.1x authentication with dynamic VLAN assignment.

    RADIUS dynamic VLAN assignment for the voice VLAN has to match the voice VLAN configured in the LLDP-MED profile for Cisco phone 802.1x authentication.

    The VLAN ID from the RADIUS dynamic VLAN assignment for the PC has to be added in the untagged VLAN list on the port.

    The following is an example configuration:

    config switch lldp profile

    edit "lldp-cisco-104"

    set 802.1-tlvs port-vlan-id

    set 802.3-tlvs power-negotiation

    config med-network-policy

    edit "voice"

    set assign-vlan enable

    set status enable

    set vlan 104

    next

    set med-tlvs inventory-management network-policy

    next

    end

    config switch physical-port

    edit "port1"

    set lldp-profile "lldp-cisco-104"

    next

    end

    config switch interface

    edit "port1"

    set native-vlan 20

    set allowed-vlans 50 60 70 // Assume that VLANs 50, 60, and 70 are a part of the dynamic VLANs configured on RADIUS for PCs in different groups.

    set untagged-vlans 50 60 70

    set security-groups "CISEGRP"

    set snmp-index 1

    config port-security

    set mac-auth-bypass disable // Optional

    set eap-auto-untagged-vlans disable // Required. Needed to allow voice traffic with voice VLAN tag at egress

    set port-security-mode 802.1X-mac-based // Required

    end

    next

    end

    Previous
    Next