802.1X authentication
To control network access, the FortiSwitch unit supports IEEE 802.1X authentication. A supplicant connected to a port on the switch must be authenticated by a RADIUS server to gain access to the network. The supplicant and the authentication server communicate using the switch using the Extensible Authentication Protocol (EAP). The FortiSwitch unit supports EAP-PEAP, EAP-TTLS, and EAP-TLS. Starting in FortiSwitchOS 7.2.5, EAP-FAST is supported.
To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the FortiSwitch unit.
The FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.
The maximum number of MAC sessions per port is 20 for all FortiSwitch models. The following table lists the maximum number of MAC sessions per switch for each FortiSwitch model.
Model |
Maximum number of MAC sessions per switch |
---|---|
108 |
80 |
112 |
60 |
124/224/424/524/1024 |
240 |
148/248/448/548/1048 |
480 |
3032 |
320 |
You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1X authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication.
Optionally, you can configure a guest VLAN for unauthorized users, a VLAN for users whose authentication was unsuccessful, and a VLAN for users when the authentication server is unavailable.
When the authentication server is unavailable after the server timeout period expires:
- You can control how many seconds the authentication server tries to authenticate users for before assigning them to the specified VLAN:
config switch interface
edit <interface_name>
config port-security
set port-security-mode {802.1X | 802.1X-mac-based}
set authserver-timeout-period <3-15 seconds>
set authserver-timeout-vlan {enable | disable}
set authserver-timeout-vlanid <1-4094>
end
set security-groups <security-group-name>
next
end
- You can control how often the server checks if the RADIUS server is available:
config user radius
edit <RADIUS_user_name>
set link-monitor {enable | disable}
set link-monitor-interval <5-120 seconds>
next
end
Starting in FortiSwitchOS 7.2.1, you use the CLI to change the priority of MAB authentication and EAP 802.1X authentication.
When you are testing your system configuration for 802.1X authentication, you can use the monitor mode to allow network traffic to flow, even if there are configuration problems or authentication failures.
This section covers the following topics:
- Dynamic VLAN assignment
- Dynamic access control lists
- MAC authentication bypass (MAB)
- Configuring global settings
- Configuring the 802.1X settings on an interface
- Viewing the 802.1X details
- Clearing authorized sessions
- Authenticating users with a RADIUS server
- Authenticating an admin user with RADIUS
- RADIUS accounting and FortiGate RADIUS single sign-on
- RADIUS change of authorization (CoA)
- Use cases
- Detailed deployment notes