Fortinet white logo
Fortinet white logo

Administration Guide

Dynamic access control lists

Dynamic access control lists

Starting in FortiSwitchOS 7.0.2, you can use RADIUS attributes to configure dynamic access control lists (DACLs) on 802.1X ports. DACLs are configured on a switch or saved on a RADIUS server. You can use DACLs to control traffic per user session, per port, or per MAC address for switch ports directly connected to user clients. DACLs apply to hardware only when 802.1X authentication is successful.

You can use DACLs with 802.1X port-based authentication and 802.1X MAC-based authentication. IPv4 is supported, but IPv6 is not supported. You can use DACLs with monitor mode (open-auth) and with static ACLs.

DACLs are disabled by default.

The maximum number of ACL entries per port is 45. The maximum number of entries includes both static ACL entries and DACL entries. Duplicate entries might cause an error.

FortiSwitch models

Maximum number of static ACL and DACL entries

124D

896

2xxD/2xxE

896

4xxD

896

424E/426E

1,792

448E/424E-Fiber

2,816

5xx

3,584

1024D/1048D

1,792

1024E

3,034

1048E

6,144

3032D

3,072

3032E

986

To use the maximum number of DACL entries, you must enable the density mode:

config switch acl settings

set density-mode enable

end

Two RADIUS attributes are supported:

  • Filter-Id —The Filter-Id attribute defines the name of a access control list (ACL) predefined in FortiSwitchOS. With 802.1X port-based authentication, the DACL applies to the physical interface. With 802.1X MAC-based authentication, the DACL applies to the source MAC address of the authenticated client. If the Filter-Id cannot be found, the entire DACL fails.
  • NAS-Filter-Rule—The NAS-Filter-Rule attribute defines the filter rules at the RADIUS server. After authentication, the DACL applies to the port.
    • The NAS-Filter-Rule supports a maximum of 80 characters, and you can specify a maximum of 45 entries per authentication session or a maximum of 45 entries per port.
    • Do not include blank spaces in the NAS-Filter-Rule. Commas and dashes are allowed.

    • A syntax error in one NAS-Filter-Rule causes the entire DACL to fail.

The following is the Filter-Id format:

Filter-Id += "<filter-name>"

For example:

Filter-Id += "filter-id-service1"

tooltip icon Changing the name of Filter-Id after authentication causes errors in the output of the diagnose switch 802-1x status-dacl command when the session is using Filter-Id.

The following is the NAS-Filter-Rule format:

NAS-Filter-Rule = " <deny|permit> in <ip|ip-protocol-value> from <any|<ip-addr>|ipv4-addr/mask> [<tcp/udp-port|tcp/udp min-max port>] to <any|<ip-addr>|ipv4-addr/mask> [<tcp/udp-port|tcp/udp min-max port>] [cnt] "

The following table explains the syntax of the NAS-Filter-Rule:

Option

Description

<deny|permit>

Select one of the following:

  • permit—Allow packets that match the rule.

  • deny—Drop packets that match the rule.

in

The in keyword specifies that the ACL applies only to the inbound traffic from the authenticated client.

<ip|ip-protocol-value>

Specify one of the following for the type of traffic to filter:

  • ip—Any protocol will match.

  • ip-protocol-value—IP traffic specified by either a protocol number or by tcp, udp, icmp, or (for IPv4 only) igmp. The range of protocol numbers is 0-255.

from <any|<ip-addr>|ipv4-addr/mask>

Required. Specify one of the following for the authenticated client source:

  • any—Specifies any IPv4 source address

  • <ip-addr>|ipv4-addr/mask>—Enter a series of contiguous source addresses or all source addresses in a subnet. The <mask> is the number of leftmost bits in a packetʼs source IPv4 address that must match the corresponding bits in the source IPv4 address. For example, 10.100.24.1/24 will match an inbound traffic from the authenticated client that has a source IPv4 address where the first three octets are 10.100.24.

[<tcp/udp-port|tcp/udp min-max port>] to

Specify the TCP or UDP port or range of ports. Used when the access control entry is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP source port numbers.

You can specify a single port or a single port range, such as 10.105.0.1/24 80 or 10.105.0.1/24 80-100.

<any|<ip-addr>|ipv4-addr/mask>

Specify one of the following:

  • any—Specifies any IPv4 destination address

  • <ip-addr>|ipv4-addr/mask>—Enter a series of contiguous destination addresses or all destination addresses in a subnet. The <mask> is the number of leftmost bits in a packetʼs destination IPv4 address that must match the corresponding bits in the destination IPv4 address. For example, 10.100.24.1/24 will match an inbound traffic from the authenticated client that has a destination IPv4 address where the first three octets are 10.100.24.

[<tcp/udp-port|tcp/udp min-max port>]

Specify the TCP or UDP port or range of ports. Used when the access control entry is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP destination port numbers.

You can specify a single port or a single port range, such as 10.105.0.1/24 80 or 10.105.0.1/24 80-100. For example, to deny any UDP traffic from an authenticated client that has a destination address of any address and a UDP destination port of 357-457:

deny in udp from any to any 357-457

[cnt]

Specify the counter for a RADIUS-assigned access control entry.

For example:

  • NAS-Filter-Rule += "permit in 20 from any to any cnt"

  • NAS-Filter-Rule += "deny in tcp from any to 10.10.10.1 23"

  • NAS-Filter-Rule += "permit in tcp from any to any 23"

tooltip icon

When you use the NAS-Filter-Rule attribute, follow these guidelines:

  • You can use 8 port ranges (source or destination ports) on the FS-148E, FS-148E-POE, and FS-148E-FPOE models.

  • You can use 16 port ranges (source or destination ports) on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models.

  • You can use up to 32 port ranges (source or destination ports) on the FS-1024D, FS-1024E, FS-T1024E, FS-1048E, FS-3032E, FS-424E, FS-424E-POE, FS-424E-FPOE, FS-M426E-FPOE, FSR-124D, FS-224D-FPOE, FS-248D, FS-224E, FS-224E-POE, FS-248E-POE, FS-248E-FPOE, FS-424E-Fiber, FS-448E, FS-448E-POE, FS-448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, and FS-548D-FPOE models.

  • Port ranges must have the smaller port number as the first number in the range and the larger port number as the second number in the range. For example, you can specify a port range of 8-10 but not 10-8.

  • If you specify a layer-4 port or layer-4 port range (for example, permit in TCP from any to any 100-200 cnt) when defining the source or destination in a dynamic ACL entry, FortiSwitchOS discards any port configurations made after the layer-4 configuration.

To enable DACL on an interface:

config switch interface

edit <interface_name>

config port-security

set port-security-mode {802.1X | 802.1X-mac-based}

set dacl enable

end

next

end

For example:

config switch interface

edit port11

config port-security

set port-security-mode 802.1X

set dacl enable

end

next

end

To configure a value for NAS-Filter-Rule or Filter-Id:

config switch acl service custom

edit <ACL_service>

set comment <string>

set color <0-32>

set protocol {ICMP | IP | TCP/UDP/SCTP}

set protocol-number <IP protocol number>

set tcp-portrange <port_number>-<port_number>

set udp-portrange <port_number>-<port_number>

next

end

For example:

config switch acl service custom

edit filter-id-service1

set comment "filter ID for service 1"

set udp-portrange 10000-20000

next

end

To create a template for the Filter-Id RADIUS attribute:

config switch acl 802-1X

edit <policy_ID>

set description <string>

set filter-id <string>

config access-list-entry

edit <ingress_policy_ID>

set description <string>

set group <integer>

config action

set count {enable | disable}

set drop {enable | disable}

end

config classifier

set dst-ip-prefix <IP_address_and_netmask>

set dst-mac <MAC_address>

set ether-type <integer>

set service <service_name>

set src-ip-prefix <IP_address_and netmask>

set src-mac <MAC_address>

end

next

end

next

end

For example:

config switch acl 802-1X

edit 1

set description "Test Filter-Id"

set filter-id “Testing”

config access-list-entry

edit 1

set description "Test ACL entry”

config action

set count enable

set drop enable

end

config classifier

set dst-ip-prefix 192.168.0.0 255.255.255.0

set ether-type 0x0800

set service "filter-id-service1"

set src-ip-prefix 192.168.0.0 255.255.255.0

set src-mac 00:00:00:00:00:00

end

next

end

next

end

To display the status of DACLs on a specified 802.1X port or on all ports:

diagnose switch 802-1x status-dacl [<port_name>]

To clear the DACLs from a specified interface or from all interfaces:

execute 802-1x dacl-clr-stat [<interface_name>]

To reinstall the DACLs on a specified interface or on all interfaces:

execute 802-1x dacl-reinstall [<interface_name>]

Dynamic access control lists

Dynamic access control lists

Starting in FortiSwitchOS 7.0.2, you can use RADIUS attributes to configure dynamic access control lists (DACLs) on 802.1X ports. DACLs are configured on a switch or saved on a RADIUS server. You can use DACLs to control traffic per user session, per port, or per MAC address for switch ports directly connected to user clients. DACLs apply to hardware only when 802.1X authentication is successful.

You can use DACLs with 802.1X port-based authentication and 802.1X MAC-based authentication. IPv4 is supported, but IPv6 is not supported. You can use DACLs with monitor mode (open-auth) and with static ACLs.

DACLs are disabled by default.

The maximum number of ACL entries per port is 45. The maximum number of entries includes both static ACL entries and DACL entries. Duplicate entries might cause an error.

FortiSwitch models

Maximum number of static ACL and DACL entries

124D

896

2xxD/2xxE

896

4xxD

896

424E/426E

1,792

448E/424E-Fiber

2,816

5xx

3,584

1024D/1048D

1,792

1024E

3,034

1048E

6,144

3032D

3,072

3032E

986

To use the maximum number of DACL entries, you must enable the density mode:

config switch acl settings

set density-mode enable

end

Two RADIUS attributes are supported:

  • Filter-Id —The Filter-Id attribute defines the name of a access control list (ACL) predefined in FortiSwitchOS. With 802.1X port-based authentication, the DACL applies to the physical interface. With 802.1X MAC-based authentication, the DACL applies to the source MAC address of the authenticated client. If the Filter-Id cannot be found, the entire DACL fails.
  • NAS-Filter-Rule—The NAS-Filter-Rule attribute defines the filter rules at the RADIUS server. After authentication, the DACL applies to the port.
    • The NAS-Filter-Rule supports a maximum of 80 characters, and you can specify a maximum of 45 entries per authentication session or a maximum of 45 entries per port.
    • Do not include blank spaces in the NAS-Filter-Rule. Commas and dashes are allowed.

    • A syntax error in one NAS-Filter-Rule causes the entire DACL to fail.

The following is the Filter-Id format:

Filter-Id += "<filter-name>"

For example:

Filter-Id += "filter-id-service1"

tooltip icon Changing the name of Filter-Id after authentication causes errors in the output of the diagnose switch 802-1x status-dacl command when the session is using Filter-Id.

The following is the NAS-Filter-Rule format:

NAS-Filter-Rule = " <deny|permit> in <ip|ip-protocol-value> from <any|<ip-addr>|ipv4-addr/mask> [<tcp/udp-port|tcp/udp min-max port>] to <any|<ip-addr>|ipv4-addr/mask> [<tcp/udp-port|tcp/udp min-max port>] [cnt] "

The following table explains the syntax of the NAS-Filter-Rule:

Option

Description

<deny|permit>

Select one of the following:

  • permit—Allow packets that match the rule.

  • deny—Drop packets that match the rule.

in

The in keyword specifies that the ACL applies only to the inbound traffic from the authenticated client.

<ip|ip-protocol-value>

Specify one of the following for the type of traffic to filter:

  • ip—Any protocol will match.

  • ip-protocol-value—IP traffic specified by either a protocol number or by tcp, udp, icmp, or (for IPv4 only) igmp. The range of protocol numbers is 0-255.

from <any|<ip-addr>|ipv4-addr/mask>

Required. Specify one of the following for the authenticated client source:

  • any—Specifies any IPv4 source address

  • <ip-addr>|ipv4-addr/mask>—Enter a series of contiguous source addresses or all source addresses in a subnet. The <mask> is the number of leftmost bits in a packetʼs source IPv4 address that must match the corresponding bits in the source IPv4 address. For example, 10.100.24.1/24 will match an inbound traffic from the authenticated client that has a source IPv4 address where the first three octets are 10.100.24.

[<tcp/udp-port|tcp/udp min-max port>] to

Specify the TCP or UDP port or range of ports. Used when the access control entry is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP source port numbers.

You can specify a single port or a single port range, such as 10.105.0.1/24 80 or 10.105.0.1/24 80-100.

<any|<ip-addr>|ipv4-addr/mask>

Specify one of the following:

  • any—Specifies any IPv4 destination address

  • <ip-addr>|ipv4-addr/mask>—Enter a series of contiguous destination addresses or all destination addresses in a subnet. The <mask> is the number of leftmost bits in a packetʼs destination IPv4 address that must match the corresponding bits in the destination IPv4 address. For example, 10.100.24.1/24 will match an inbound traffic from the authenticated client that has a destination IPv4 address where the first three octets are 10.100.24.

[<tcp/udp-port|tcp/udp min-max port>]

Specify the TCP or UDP port or range of ports. Used when the access control entry is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP destination port numbers.

You can specify a single port or a single port range, such as 10.105.0.1/24 80 or 10.105.0.1/24 80-100. For example, to deny any UDP traffic from an authenticated client that has a destination address of any address and a UDP destination port of 357-457:

deny in udp from any to any 357-457

[cnt]

Specify the counter for a RADIUS-assigned access control entry.

For example:

  • NAS-Filter-Rule += "permit in 20 from any to any cnt"

  • NAS-Filter-Rule += "deny in tcp from any to 10.10.10.1 23"

  • NAS-Filter-Rule += "permit in tcp from any to any 23"

tooltip icon

When you use the NAS-Filter-Rule attribute, follow these guidelines:

  • You can use 8 port ranges (source or destination ports) on the FS-148E, FS-148E-POE, and FS-148E-FPOE models.

  • You can use 16 port ranges (source or destination ports) on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models.

  • You can use up to 32 port ranges (source or destination ports) on the FS-1024D, FS-1024E, FS-T1024E, FS-1048E, FS-3032E, FS-424E, FS-424E-POE, FS-424E-FPOE, FS-M426E-FPOE, FSR-124D, FS-224D-FPOE, FS-248D, FS-224E, FS-224E-POE, FS-248E-POE, FS-248E-FPOE, FS-424E-Fiber, FS-448E, FS-448E-POE, FS-448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, and FS-548D-FPOE models.

  • Port ranges must have the smaller port number as the first number in the range and the larger port number as the second number in the range. For example, you can specify a port range of 8-10 but not 10-8.

  • If you specify a layer-4 port or layer-4 port range (for example, permit in TCP from any to any 100-200 cnt) when defining the source or destination in a dynamic ACL entry, FortiSwitchOS discards any port configurations made after the layer-4 configuration.

To enable DACL on an interface:

config switch interface

edit <interface_name>

config port-security

set port-security-mode {802.1X | 802.1X-mac-based}

set dacl enable

end

next

end

For example:

config switch interface

edit port11

config port-security

set port-security-mode 802.1X

set dacl enable

end

next

end

To configure a value for NAS-Filter-Rule or Filter-Id:

config switch acl service custom

edit <ACL_service>

set comment <string>

set color <0-32>

set protocol {ICMP | IP | TCP/UDP/SCTP}

set protocol-number <IP protocol number>

set tcp-portrange <port_number>-<port_number>

set udp-portrange <port_number>-<port_number>

next

end

For example:

config switch acl service custom

edit filter-id-service1

set comment "filter ID for service 1"

set udp-portrange 10000-20000

next

end

To create a template for the Filter-Id RADIUS attribute:

config switch acl 802-1X

edit <policy_ID>

set description <string>

set filter-id <string>

config access-list-entry

edit <ingress_policy_ID>

set description <string>

set group <integer>

config action

set count {enable | disable}

set drop {enable | disable}

end

config classifier

set dst-ip-prefix <IP_address_and_netmask>

set dst-mac <MAC_address>

set ether-type <integer>

set service <service_name>

set src-ip-prefix <IP_address_and netmask>

set src-mac <MAC_address>

end

next

end

next

end

For example:

config switch acl 802-1X

edit 1

set description "Test Filter-Id"

set filter-id “Testing”

config access-list-entry

edit 1

set description "Test ACL entry”

config action

set count enable

set drop enable

end

config classifier

set dst-ip-prefix 192.168.0.0 255.255.255.0

set ether-type 0x0800

set service "filter-id-service1"

set src-ip-prefix 192.168.0.0 255.255.255.0

set src-mac 00:00:00:00:00:00

end

next

end

next

end

To display the status of DACLs on a specified 802.1X port or on all ports:

diagnose switch 802-1x status-dacl [<port_name>]

To clear the DACLs from a specified interface or from all interfaces:

execute 802-1x dacl-clr-stat [<interface_name>]

To reinstall the DACLs on a specified interface or on all interfaces:

execute 802-1x dacl-reinstall [<interface_name>]