Dynamic VLAN assignment
You can configure the RADIUS server to return a VLAN in the authentication reply message:
- On the FortiSwitch unit, select port-based authentication or MAC-based authentication and a security group.
- On the RADIUS server, configure the attributes.
Using the GUI:
- Go to Switch > Interface > Physical.
- Select a port and then select Edit.
- Select 802.1X for port-based authentication or select 802.1X-MAC-based for MAC-based authentication.
- Select one or more security groups.
- Select OK.
Using the CLI:
To select port-based authentication and the security group on the FortiSwitch unit:
config switch interface
    edit <interface_name>
        config port-security
            set port-security-mode 802.1X
        end
        set security-groups <security-group-name>
    end
The FortiSwitch unit changes the native VLAN of the port to the VLAN returned by the RADIUS server.
To select MAC-based authentication and the security group on the FortiSwitch unit:
config switch interface
    edit <interface_name>
        config port-security
            set port-security-mode 802.1X-mac-based
        end
        set security-groups <security-group-name>
    end
Here, the switch assigns the returned VLAN only to this user's MAC address. The native VLAN of the port remains unchanged.
Use the following diagnose command to view the MAC-based VLAN assignments:
diagnose switch vlan assignment mac list [sorted-by-mac | sorted-by-vlan]
Configure the following attributes in the RADIUS server:
- Tunnel-Private-Group-Id: the VLAN ID or VLAN name (for example, 10)
- Tunnel-Medium-Type: IEEE-802 (6)
- Tunnel-Type: VLAN (13)
NOTE: If the Tunnel-Private-Group-Id attribute is set to the VLAN name, the same string must be specified with the set description command under the config switch vlan command. For example:
config switch vlan
edit 100
set description "local_vlan"
next
end
Starting in FortiSwitchOS 7.0.0, you can use the following RADIUS attributes to configure dynamic non-native VLANs:
- Egress-VLANID (56): provides the VLAN identifier and controls whether egress packets are tagged. To build the value, use 0x31 as the leading byte for a tagged VLAN or 0x32 for an untagged VLAN, followed by the VLAN ID. For example, to indicate that VLAN 16 is untagged, the Egress-VLANID is 0x32000010 (838860816 in decimal).
- Egress-VLAN-Name (58): provides the VLAN name and controls whether egress packets are tagged. The VLAN name is the VLAN description string defined under the config switch vlan command, prefixed with "1" for a tagged VLAN or "2" for an untagged VLAN. For example:
  - To assign the description "VLAN_8" to VLAN 8, which is tagged, use the string "1VLAN_8".
  - To assign the description "SALES_1772" to VLAN 1772, which is untagged, use the string "2SALES_1772".
- Ingress-Filters (57): enables the use of ingress filters. The use of ingress filters cannot be disabled.
NOTE: The VLAN name in the Egress-VLAN-Name attribute must match the string specified with the set description command under the config switch vlan command. For example:
config switch vlan
edit 100
set description "local_vlan"
next
end
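As an added example (not code from the FortiSwitch documentation), the following Python builds and validates the Egress-VLANID and Egress-VLAN-Name values described above; the function names are assumptions of this example, and the decoder rejects malformed values rather than applying them.

```python
import struct
from typing import Tuple

TAGGED = 0x31    # leading byte for a tagged egress VLAN
UNTAGGED = 0x32  # leading byte for an untagged egress VLAN


def egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """Build the 32-bit Egress-VLANID (attribute 56) value:
    tag indicator in the top octet, 12 zero pad bits, 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def parse_egress_vlanid(value: int) -> Tuple[int, bool]:
    """Decode an Egress-VLANID value into (vlan_id, tagged).
    Rejects unknown indicators, non-zero pad bits and VLAN IDs 0/4095,
    so a malformed attribute is not silently applied to a port."""
    indicator, pad, vlan_id = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if indicator not in (TAGGED, UNTAGGED):
        raise ValueError(f"unknown tag indicator 0x{indicator:02x}")
    if pad != 0:
        raise ValueError("reserved pad bits must be zero")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return vlan_id, indicator == TAGGED


def egress_vlan_name(description: str, tagged: bool) -> str:
    """Build the Egress-VLAN-Name (attribute 58) string: '1' (tagged) or
    '2' (untagged) followed by the VLAN description from config switch vlan."""
    if not description:
        raise ValueError("VLAN description must not be empty")
    return ("1" if tagged else "2") + description


def parse_egress_vlan_name(value: str) -> Tuple[str, bool]:
    """Decode an Egress-VLAN-Name string into (description, tagged)."""
    if len(value) < 2 or value[0] not in "12":
        raise ValueError(f"malformed Egress-VLAN-Name: {value!r}")
    return value[1:], value[0] == "1"


def egress_vlanid_attribute(vlan_id: int, tagged: bool) -> bytes:
    """On-wire RADIUS attribute: type 56, length 6, 4-byte big-endian value."""
    return struct.pack("!BBI", 56, 6, egress_vlanid(vlan_id, tagged))
```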
You can verify your configuration with the diagnose switch 802-1x status <port_name> command. In the following example, the Dynamic Allowed Vlan list and Dynamic Untagged Vlan list lines show the dynamic non-native VLANs:
S448DF3X15000026 # diagnose switch 802-1x status port1
port1 : Mode: port-based (mac-by-pass enable)
    Link: Link up
    Port State: authorized: ( )
    Dynamic Authorized Vlan : 101
    Dynamic Allowed Vlan list: 30-31,40-41
    Dynamic Untagged Vlan list: 40-41
    EAP pass-through : Enable
    EAP egress-frame-tagged : Enable
    EAP auto-untagged-vlans : Enable
    Allow MAC Move : Disable
    Quarantine VLAN (4093) detection : Enable
    Native Vlan : 101
    Allowed Vlan list: 4-7,30-31,40-41,101
    Untagged Vlan list: 40-41
    Guest VLAN :
    Auth-Fail Vlan :
    AuthServer-Timeout Vlan :
    Sessions info:
    00:00:00:01:01:02 Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=11 params:reAuth=3600