Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSwitch 7.2.5 Administration Guide
    7.2.5
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.11
    6.4.6
    6.4.5
    6.4.3
    6.4.2
    6.4.0
    6.2.5
    6.2.2
    6.2.1
    6.2.0

    Dynamic access control lists

    Dynamic access control lists

    Starting in FortiSwitchOS 7.0.2, you can use RADIUS attributes to configure dynamic access control lists (DACLs) on 802.1X ports. DACLs are configured on a switch or saved on a RADIUS server. You can use DACLs to control traffic per user session, per port, or per MAC address for switch ports directly connected to user clients. DACLs apply to hardware only when 802.1X authentication is successful.

    You can use DACLs with 802.1X port-based authentication and 802.1X MAC-based authentication. IPv4 is supported, but IPv6 is not supported. You can use DACLs with monitor mode (open-auth) and with static ACLs.

    DACLs are disabled by default.

    The maximum number of ACL entries per port is 45. The maximum number of entries includes both static ACL entries and DACL entries. Duplicate entries might cause an error.

    FortiSwitch models

    Maximum number of static ACL and DACL entries

    124D

    896

    2xxD/2xxE

    896

    4xxD

    896

    424E/426E

    1,792

    448E/424E-Fiber

    2,816

    5xx

    3,584

    1024D/1048D

    1,792

    1024E

    3,034

    1048E

    6,144

    3032D

    3,072

    3032E

    986

    To use the maximum number of DACL entries, you must enable the density mode:

    config switch acl settings

    set density-mode enable

    end

    Two RADIUS attributes are supported:

    • Filter-Id —The Filter-Id attribute defines the name of a access control list (ACL) predefined in FortiSwitchOS. With 802.1X port-based authentication, the DACL applies to the physical interface. With 802.1X MAC-based authentication, the DACL applies to the source MAC address of the authenticated client. If the Filter-Id cannot be found, the entire DACL fails.
    • NAS-Filter-Rule—The NAS-Filter-Rule attribute defines the filter rules at the RADIUS server. After authentication, the DACL applies to the port.
      • The NAS-Filter-Rule supports a maximum of 80 characters, and you can specify a maximum of 45 entries per authentication session or a maximum of 45 entries per port.

      • Do not include blank spaces in the NAS-Filter-Rule. Commas and dashes are allowed.

      • A syntax error in one NAS-Filter-Rule causes the entire DACL to fail.

    The following is the Filter-Id format:

    Filter-Id += "<filter-name>"

    For example:

    Filter-Id += "filter-id-service1"

    tooltip icon Changing the name of Filter-Id after authentication causes errors in the output of the diagnose switch 802-1x status-dacl command when the session is using Filter-Id.

    The following is the NAS-Filter-Rule format:

    NAS-Filter-Rule = " <deny|permit> in <ip|ip-protocol-value> from <any|<ip-addr>|ipv4-addr/mask> [<tcp/udp-port|tcp/udp min-max port>] to <any|<ip-addr>|ipv4-addr/mask> [<tcp/udp-port|tcp/udp min-max port>] [cnt] "

    The following table explains the syntax of the NAS-Filter-Rule:

    Option

    Description

    <deny|permit>

    Select one of the following:

    • permit—Allow packets that match the rule.

    • deny—Drop packets that match the rule.

    in

    The in keyword specifies that the ACL applies only to the inbound traffic from the authenticated client.

    <ip|ip-protocol-value>

    Specify one of the following for the type of traffic to filter:

    • ip—Any protocol will match.

    • ip-protocol-value—IP traffic specified by either a protocol number or by tcp, udp, icmp, or (for IPv4 only) igmp. The range of protocol numbers is 0-255.

    from <any|<ip-addr>|ipv4-addr/mask>

    Required. Specify one of the following for the authenticated client source:

    • any—Specifies any IPv4 source address

    • <ip-addr>|ipv4-addr/mask>—Enter a series of contiguous source addresses or all source addresses in a subnet. The <mask> is the number of leftmost bits in a packetʼs source IPv4 address that must match the corresponding bits in the source IPv4 address. For example, 10.100.24.1/24 will match an inbound traffic from the authenticated client that has a source IPv4 address where the first three octets are 10.100.24.

    [<tcp/udp-port|tcp/udp min-max port>] to

    Specify the TCP or UDP port or range of ports. Used when the access control entry is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP source port numbers.

    You can specify a single port or a single port range, such as 10.105.0.1/24 80 or 10.105.0.1/24 80-100.

    <any|<ip-addr>|ipv4-addr/mask>

    Specify one of the following:

    • any—Specifies any IPv4 destination address

    • <ip-addr>|ipv4-addr/mask>—Enter a series of contiguous destination addresses or all destination addresses in a subnet. The <mask> is the number of leftmost bits in a packetʼs destination IPv4 address that must match the corresponding bits in the destination IPv4 address. For example, 10.100.24.1/24 will match an inbound traffic from the authenticated client that has a destination IPv4 address where the first three octets are 10.100.24.

    [<tcp/udp-port|tcp/udp min-max port>]

    Specify the TCP or UDP port or range of ports. Used when the access control entry is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP destination port numbers.

    You can specify a single port or a single port range, such as 10.105.0.1/24 80 or 10.105.0.1/24 80-100. For example, to deny any UDP traffic from an authenticated client that has a destination address of any address and a UDP destination port of 357-457:

    deny in udp from any to any 357-457

    [cnt]

    Specify the counter for a RADIUS-assigned access control entry.

    For example:

    • NAS-Filter-Rule += "permit in 20 from any to any cnt"

    • NAS-Filter-Rule += "deny in tcp from any to 10.10.10.1 23"

    • NAS-Filter-Rule += "permit in tcp from any to any 23"

    tooltip icon

    When you use the NAS-Filter-Rule attribute, follow these guidelines:

    • You can use 8 port ranges (source or destination ports) on the FS-148E, FS-148E-POE, and FS-148E-FPOE models.

    • You can use 16 port ranges (source or destination ports) on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models.

    • You can use up to 32 port ranges (source or destination ports) on the FS-1024D, FS-1024E, FS-T1024E, FS-1048E, FS-3032E, FS-424E, FS-424E-POE, FS-424E-FPOE, FS-M426E-FPOE, FSR-124D, FS-224D-FPOE, FS-248D, FS-224E, FS-224E-POE, FS-248E-POE, FS-248E-FPOE, FS-424E-Fiber, FS-448E, FS-448E-POE, FS-448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, and FS-548D-FPOE models.

    • Port ranges must have the smaller port number as the first number in the range and the larger port number as the second number in the range. For example, you can specify a port range of 8-10 but not 10-8.

    • If you specify a layer-4 port or layer-4 port range (for example, permit in TCP from any to any 100-200 cnt) when defining the source or destination in a dynamic ACL entry, FortiSwitchOS discards any port configurations made after the layer-4 configuration.
    To enable DACL on an interface:

    config switch interface

    edit <interface_name>

    config port-security

    set port-security-mode {802.1X | 802.1X-mac-based}

    set dacl enable

    end

    next

    end

    For example:

    config switch interface

    edit port11

    config port-security

    set port-security-mode 802.1X

    set dacl enable

    end

    next

    end

    To configure a value for NAS-Filter-Rule or Filter-Id:

    config switch acl service custom

    edit <ACL_service>

    set comment <string>

    set color <0-32>

    set protocol {ICMP | IP | TCP/UDP/SCTP}

    set protocol-number <IP protocol number>

    set tcp-portrange <port_number>-<port_number>

    set udp-portrange <port_number>-<port_number>

    next

    end

    For example:

    config switch acl service custom

    edit filter-id-service1

    set comment "filter ID for service 1"

    set udp-portrange 10000-20000

    next

    end

    To create a template for the Filter-Id RADIUS attribute:

    config switch acl 802-1X

    edit <policy_ID>

    set description <string>

    set filter-id <string>

    config access-list-entry

    edit <ingress_policy_ID>

    set description <string>

    set group <integer>

    config action

    set count {enable | disable}

    set drop {enable | disable}

    end

    config classifier

    set dst-ip-prefix <IP_address_and_netmask>

    set dst-mac <MAC_address>

    set ether-type <integer>

    set service <service_name>

    set src-ip-prefix <IP_address_and netmask>

    set src-mac <MAC_address>

    end

    next

    end

    next

    end

    For example:

    config switch acl 802-1X

    edit 1

    set description "Test Filter-Id"

    set filter-id “Testing”

    config access-list-entry

    edit 1

    set description "Test ACL entry”

    config action

    set count enable

    set drop enable

    end

    config classifier

    set dst-ip-prefix 192.168.0.0 255.255.255.0

    set ether-type 0x0800

    set service "filter-id-service1"

    set src-ip-prefix 192.168.0.0 255.255.255.0

    set src-mac 00:00:00:00:00:00

    end

    next

    end

    next

    end

    To display the status of DACLs on a specified 802.1X port or on all ports:

    diagnose switch 802-1x status-dacl [<port_name>]

    To clear the DACLs from a specified interface or from all interfaces:

    execute 802-1x dacl-clr-stat [<interface_name>]

    To reinstall the DACLs on a specified interface or on all interfaces:

    execute 802-1x dacl-reinstall [<interface_name>]

    Previous
    Next

    Dynamic access control lists

    Dynamic access control lists

    Starting in FortiSwitchOS 7.0.2, you can use RADIUS attributes to configure dynamic access control lists (DACLs) on 802.1X ports. DACLs are configured on a switch or saved on a RADIUS server. You can use DACLs to control traffic per user session, per port, or per MAC address for switch ports directly connected to user clients. DACLs apply to hardware only when 802.1X authentication is successful.

    You can use DACLs with 802.1X port-based authentication and 802.1X MAC-based authentication. IPv4 is supported, but IPv6 is not supported. You can use DACLs with monitor mode (open-auth) and with static ACLs.

    DACLs are disabled by default.

    The maximum number of ACL entries per port is 45. The maximum number of entries includes both static ACL entries and DACL entries. Duplicate entries might cause an error.

    FortiSwitch models

    Maximum number of static ACL and DACL entries

    124D

    896

    2xxD/2xxE

    896

    4xxD

    896

    424E/426E

    1,792

    448E/424E-Fiber

    2,816

    5xx

    3,584

    1024D/1048D

    1,792

    1024E

    3,034

    1048E

    6,144

    3032D

    3,072

    3032E

    986

    To use the maximum number of DACL entries, you must enable the density mode:

    config switch acl settings

    set density-mode enable

    end

    Two RADIUS attributes are supported:

    • Filter-Id —The Filter-Id attribute defines the name of a access control list (ACL) predefined in FortiSwitchOS. With 802.1X port-based authentication, the DACL applies to the physical interface. With 802.1X MAC-based authentication, the DACL applies to the source MAC address of the authenticated client. If the Filter-Id cannot be found, the entire DACL fails.
    • NAS-Filter-Rule—The NAS-Filter-Rule attribute defines the filter rules at the RADIUS server. After authentication, the DACL applies to the port.
      • The NAS-Filter-Rule supports a maximum of 80 characters, and you can specify a maximum of 45 entries per authentication session or a maximum of 45 entries per port.

      • Do not include blank spaces in the NAS-Filter-Rule. Commas and dashes are allowed.

      • A syntax error in one NAS-Filter-Rule causes the entire DACL to fail.

    The following is the Filter-Id format:

    Filter-Id += "<filter-name>"

    For example:

    Filter-Id += "filter-id-service1"

    tooltip icon Changing the name of Filter-Id after authentication causes errors in the output of the diagnose switch 802-1x status-dacl command when the session is using Filter-Id.

    The following is the NAS-Filter-Rule format:

    NAS-Filter-Rule = " <deny|permit> in <ip|ip-protocol-value> from <any|<ip-addr>|ipv4-addr/mask> [<tcp/udp-port|tcp/udp min-max port>] to <any|<ip-addr>|ipv4-addr/mask> [<tcp/udp-port|tcp/udp min-max port>] [cnt] "

    The following table explains the syntax of the NAS-Filter-Rule:

    Option

    Description

    <deny|permit>

    Select one of the following:

    • permit—Allow packets that match the rule.

    • deny—Drop packets that match the rule.

    in

    The in keyword specifies that the ACL applies only to the inbound traffic from the authenticated client.

    <ip|ip-protocol-value>

    Specify one of the following for the type of traffic to filter:

    • ip—Any protocol will match.

    • ip-protocol-value—IP traffic specified by either a protocol number or by tcp, udp, icmp, or (for IPv4 only) igmp. The range of protocol numbers is 0-255.

    from <any|<ip-addr>|ipv4-addr/mask>

    Required. Specify one of the following for the authenticated client source:

    • any—Specifies any IPv4 source address

    • <ip-addr>|ipv4-addr/mask>—Enter a series of contiguous source addresses or all source addresses in a subnet. The <mask> is the number of leftmost bits in a packetʼs source IPv4 address that must match the corresponding bits in the source IPv4 address. For example, 10.100.24.1/24 will match an inbound traffic from the authenticated client that has a source IPv4 address where the first three octets are 10.100.24.

    [<tcp/udp-port|tcp/udp min-max port>] to

    Specify the TCP or UDP port or range of ports. Used when the access control entry is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP source port numbers.

    You can specify a single port or a single port range, such as 10.105.0.1/24 80 or 10.105.0.1/24 80-100.

    <any|<ip-addr>|ipv4-addr/mask>

    Specify one of the following:

    • any—Specifies any IPv4 destination address

    • <ip-addr>|ipv4-addr/mask>—Enter a series of contiguous destination addresses or all destination addresses in a subnet. The <mask> is the number of leftmost bits in a packetʼs destination IPv4 address that must match the corresponding bits in the destination IPv4 address. For example, 10.100.24.1/24 will match an inbound traffic from the authenticated client that has a destination IPv4 address where the first three octets are 10.100.24.

    [<tcp/udp-port|tcp/udp min-max port>]

    Specify the TCP or UDP port or range of ports. Used when the access control entry is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP destination port numbers.

    You can specify a single port or a single port range, such as 10.105.0.1/24 80 or 10.105.0.1/24 80-100. For example, to deny any UDP traffic from an authenticated client that has a destination address of any address and a UDP destination port of 357-457:

    deny in udp from any to any 357-457

    [cnt]

    Specify the counter for a RADIUS-assigned access control entry.

    For example:

    • NAS-Filter-Rule += "permit in 20 from any to any cnt"

    • NAS-Filter-Rule += "deny in tcp from any to 10.10.10.1 23"

    • NAS-Filter-Rule += "permit in tcp from any to any 23"

    tooltip icon

    When you use the NAS-Filter-Rule attribute, follow these guidelines:

    • You can use 8 port ranges (source or destination ports) on the FS-148E, FS-148E-POE, and FS-148E-FPOE models.

    • You can use 16 port ranges (source or destination ports) on the FS-108E, FS-108E-POE, FS-108E-FPOE, FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models.

    • You can use up to 32 port ranges (source or destination ports) on the FS-1024D, FS-1024E, FS-T1024E, FS-1048E, FS-3032E, FS-424E, FS-424E-POE, FS-424E-FPOE, FS-M426E-FPOE, FSR-124D, FS-224D-FPOE, FS-248D, FS-224E, FS-224E-POE, FS-248E-POE, FS-248E-FPOE, FS-424E-Fiber, FS-448E, FS-448E-POE, FS-448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, and FS-548D-FPOE models.

    • Port ranges must have the smaller port number as the first number in the range and the larger port number as the second number in the range. For example, you can specify a port range of 8-10 but not 10-8.

    • If you specify a layer-4 port or layer-4 port range (for example, permit in TCP from any to any 100-200 cnt) when defining the source or destination in a dynamic ACL entry, FortiSwitchOS discards any port configurations made after the layer-4 configuration.
    To enable DACL on an interface:

    config switch interface

    edit <interface_name>

    config port-security

    set port-security-mode {802.1X | 802.1X-mac-based}

    set dacl enable

    end

    next

    end

    For example:

    config switch interface

    edit port11

    config port-security

    set port-security-mode 802.1X

    set dacl enable

    end

    next

    end

    To configure a value for NAS-Filter-Rule or Filter-Id:

    config switch acl service custom

    edit <ACL_service>

    set comment <string>

    set color <0-32>

    set protocol {ICMP | IP | TCP/UDP/SCTP}

    set protocol-number <IP protocol number>

    set tcp-portrange <port_number>-<port_number>

    set udp-portrange <port_number>-<port_number>

    next

    end

    For example:

    config switch acl service custom

    edit filter-id-service1

    set comment "filter ID for service 1"

    set udp-portrange 10000-20000

    next

    end

    To create a template for the Filter-Id RADIUS attribute:

    config switch acl 802-1X

    edit <policy_ID>

    set description <string>

    set filter-id <string>

    config access-list-entry

    edit <ingress_policy_ID>

    set description <string>

    set group <integer>

    config action

    set count {enable | disable}

    set drop {enable | disable}

    end

    config classifier

    set dst-ip-prefix <IP_address_and_netmask>

    set dst-mac <MAC_address>

    set ether-type <integer>

    set service <service_name>

    set src-ip-prefix <IP_address_and netmask>

    set src-mac <MAC_address>

    end

    next

    end

    next

    end

    For example:

    config switch acl 802-1X

    edit 1

    set description "Test Filter-Id"

    set filter-id “Testing”

    config access-list-entry

    edit 1

    set description "Test ACL entry”

    config action

    set count enable

    set drop enable

    end

    config classifier

    set dst-ip-prefix 192.168.0.0 255.255.255.0

    set ether-type 0x0800

    set service "filter-id-service1"

    set src-ip-prefix 192.168.0.0 255.255.255.0

    set src-mac 00:00:00:00:00:00

    end

    next

    end

    next

    end

    To display the status of DACLs on a specified 802.1X port or on all ports:

    diagnose switch 802-1x status-dacl [<port_name>]

    To clear the DACLs from a specified interface or from all interfaces:

    execute 802-1x dacl-clr-stat [<interface_name>]

    To reinstall the DACLs on a specified interface or on all interfaces:

    execute 802-1x dacl-reinstall [<interface_name>]

    Previous
    Next