Administration Guide

Configuring the 802.1X settings on an interface

Starting in FortiSwitchOS 7.0.0, you can use the CLI to allow an 802.1X client to move between ports that are not directly connected to the FortiSwitch unit without having to delete the 802.1X session. For example, you can move an 802.1X client PC that connects through an IP phone to port1 of the FortiSwitch unit to a port of a third-party switch that connects to port2 of the FortiSwitch unit.

This feature is available for 802.1X port-based authentication, 802.1X MAC-based authentication, MAB enabled or disabled, and EAP pass-through mode enabled or disabled. To see which models support this feature, refer to the FortiSwitch feature matrix.

NOTE: MAC-move tagged EAP is not supported.

To use this feature, enable allow-mac-move on the destination port (port2 in the example). When you are using the MAC move feature with EAP authentication, you can disable eap-egress-tagged to force the switch to always use the untagged EAP response.

Starting in FortiSwitchOS 7.2.3, the MAC move command has changed in the CLI:

  • For FSR-124D, 200 Series, FS-4xxE, 500 Series, FS-1024D, FS-1024E, FS-T1024E, FS-1048E, and FS-3032E: Use the set allow-mac-move-to {enable | disable} command under config switch interface. If you want to move an 802.1X client from interface 1 to interface 2, enable the MAC move command on interface 2.

  • For the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models: Use the set allow-mac-move-from {enable | disable} command under config switch interface. If you want to move an 802.1X client from interface 1 to interface 2, enable the MAC move command on interface 1.

  • For the FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models: Use the set allow-mac-move {enable | disable} command under config switch global. Instead of configuring the MAC move command on an interface, configure it globally.

Using the GUI:

  1. Go to Switch > Interfaces.
  2. Select a port and then select Edit.
  3. Select 802.1X for port-based authentication or select 802.1X-MAC-based for MAC-based authentication.
     The Port Security section displays additional options.
  4. Select MAC Auth Bypass.
  5. Select EAP Pass-Through Mode.
     NOTE: EAP Pass-Through Mode is enabled by default, which is the recommended setting. If the RADIUS authentication server does not support EAP-TLS, EAP Pass-Through Mode needs to be disabled.
  6. Select Frame VLAN Apply to apply the EAP/MAB frame VLAN to the port native VLAN.
     NOTE: For phone and PC configuration only, clear the checkbox to preserve the native VLAN when the data traffic is expected to be untagged.
  7. Select Open Authentication to enable open authentication (monitor mode) on this interface. Use monitor mode to test your system configuration for 802.1X authentication. You can use monitor mode to test port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass. After you enable monitor mode, network traffic continues to flow even if users fail authentication.
  8. Select Guest VLAN if you want to assign a VLAN to unauthorized users. If you select Guest VLAN, enter the guest VLAN identifier in the Guest VLAN ID field and, in the Guest Auth Delay field, enter the number of seconds an unauthorized user has guest access before authorization fails.
  9. Select Auth Fail VLAN if you want to assign a VLAN to users who attempted to authenticate but failed to provide valid credentials. If you select Auth Fail VLAN, enter the VLAN identifier in the Auth Fail VLAN ID field.
  10. If you want to use the RADIUS-provided reauthentication time, select RADIUS Session Timeout.
  11. If you are using port-based authentication or MAC-based authentication, select one or more security groups.
  12. Select Update.

Using the CLI (for FSR-124D, 200 Series, FS-4xxE, 500 Series, FS-1024D, FS-1024E, FS-T1024E, FS-1048E, and FS-3032E):

config switch interface
    edit <port>
        config port-security
            set allow-mac-move-to {disable | enable}
            set eap-egress-tagged {disable | enable}
            set port-security-mode {none | 802.1X | 802.1X-mac-based}
            set framevid-apply {disable | enable}
            set auth-fail-vlan {enable | disable}
            set auth-fail-vlanid <vlanid>
            set auth-priority {MAB-dot1x | dot1x-MAB | legacy}
            set authserver-timeout-period <3-15>
            set authserver-timeout-vlan {enable | disable}
            set authserver-timeout-vlanid <1-4094>
            set eap-passthru {enable | disable}
            set guest-auth-delay <integer>
            set guest-vlan {enable | disable}
            set guest-vlanid <vlanid>
            set mac-auth-bypass {enable | disable}
            set open-auth {enable | disable}
            set radius-timeout-overwrite {enable | disable}
        end
        set security-groups <security-group-name>
end

Using the CLI (for FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE):

config switch interface
    edit <port>
        config port-security
            set allow-mac-move-from {disable | enable}
            set eap-egress-tagged {disable | enable}
            set port-security-mode {none | 802.1X | 802.1X-mac-based}
            set framevid-apply {disable | enable}
            set auth-fail-vlan {enable | disable}
            set auth-fail-vlanid <vlanid>
            set auth-priority {MAB-dot1x | dot1x-MAB | legacy}
            set authserver-timeout-period <3-15>
            set authserver-timeout-vlan {enable | disable}
            set authserver-timeout-vlanid <1-4094>
            set eap-passthru {enable | disable}
            set guest-auth-delay <integer>
            set guest-vlan {enable | disable}
            set guest-vlanid <vlanid>
            set mac-auth-bypass {enable | disable}
            set open-auth {enable | disable}
            set radius-timeout-overwrite {enable | disable}
        end
        set security-groups <security-group-name>
end

Using the CLI (for FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE):

config switch global
    config port-security
        set allow-mac-move {disable | enable}
    end
end

config switch interface
    edit <port>
        config port-security
            set eap-egress-tagged {disable | enable}
            set port-security-mode {none | 802.1X | 802.1X-mac-based}
            set framevid-apply {disable | enable}
            set auth-fail-vlan {enable | disable}
            set auth-fail-vlanid <vlanid>
            set auth-priority {MAB-dot1x | dot1x-MAB | legacy}
            set authserver-timeout-period <3-15>
            set authserver-timeout-vlan {enable | disable}
            set authserver-timeout-vlanid <1-4094>
            set eap-passthru {enable | disable}
            set guest-auth-delay <integer>
            set guest-vlan {enable | disable}
            set guest-vlanid <vlanid>
            set mac-auth-bypass {enable | disable}
            set open-auth {enable | disable}
            set radius-timeout-overwrite {enable | disable}
        end
        set security-groups <security-group-name>
end
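The MAC move setting lands on a different port depending on the model family (the destination port for allow-mac-move-to, the source port for allow-mac-move-from, or the global table for the F-series models). The following helper, written for this page and not part of FortiSwitchOS or Fortinet's documentation, encodes the three variants described above and builds the CLI for the port1-to-port2 scenario; the prefix matching for the 200 Series, FS-4xxE and 500 Series families is an assumption, and the FortiSwitch feature matrix remains authoritative for model support.

```python
import re

# Model families as listed on this page (FortiSwitchOS 7.2.3 and later).
# "200 Series", "FS-4xxE" and "500 Series" are matched by prefix/pattern in
# mac_move_variant(); that matching is an assumption, not an official list.
TO_MODELS = {"FSR-124D", "FS-1024D", "FS-1024E", "FS-T1024E", "FS-1048E", "FS-3032E"}
FROM_MODELS = {"FS-108E", "FS-108E-POE", "FS-108E-FPOE", "FS-108F", "FS-108F-POE",
               "FS-108F-FPOE", "FS-124E", "FS-124E-POE", "FS-124E-FPOE",
               "FS-148E", "FS-148E-POE"}
GLOBAL_MODELS = {"FS-124F", "FS-124F-POE", "FS-124F-FPOE", "FS-148F",
                 "FS-148F-POE", "FS-148F-FPOE"}


def mac_move_variant(model):
    """Return 'to', 'from' or 'global': which allow-mac-move command the model uses."""
    m = model.upper()
    if m in TO_MODELS or m.startswith(("FS-2", "FS-5")) or re.fullmatch(r"FS-4\d\dE(-\w+)?", m):
        return "to"
    if m in FROM_MODELS:
        return "from"
    if m in GLOBAL_MODELS:
        return "global"
    raise ValueError(f"MAC move command variant unknown for model {model!r}")


def mac_move_config(model, src_port, dst_port, untagged_eap=True):
    """Build the CLI that lets an 802.1X client move from src_port to dst_port.

    Returns (port_to_configure, cli_text); port_to_configure is None for the
    models that take the setting globally. Enabling allow-mac-move-to on the
    source port (or allow-mac-move-from on the destination) leaves the move
    blocked, so the port is chosen from the variant rather than by hand.
    """
    variant = mac_move_variant(model)
    if variant == "global":
        lines = ["config switch global", "    config port-security",
                 "        set allow-mac-move enable", "    end", "end"]
        return None, "\n".join(lines)
    target = dst_port if variant == "to" else src_port
    lines = ["config switch interface", f"    edit {target}",
             "        config port-security",
             f"            set allow-mac-move-{variant} enable"]
    if untagged_eap:
        # Page: with EAP authentication, disabling eap-egress-tagged forces
        # the switch to always use the untagged EAP response.
        lines.append("            set eap-egress-tagged disable")
    lines += ["        end", "    next", "end"]
    return target, "\n".join(lines)
```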
