
Administration Guide

802.1X authentication

To control network access, the FortiSwitch unit supports IEEE 802.1X authentication. A supplicant connected to a port on the switch must be authenticated by a RADIUS server to gain access to the network. The supplicant and the authentication server communicate through the switch using the Extensible Authentication Protocol (EAP). The FortiSwitch unit supports EAP-PEAP, EAP-TTLS, and EAP-TLS. Starting in FortiSwitchOS 7.2.5, EAP-FAST is supported.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the FortiSwitch unit.

The FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.

The maximum number of MAC sessions per port is 20 for all FortiSwitch models. The following table lists the maximum number of MAC sessions per switch for each FortiSwitch model.

Model                     Maximum number of MAC sessions per switch
108                       80
112                       60
124/224/424/524/1024      240
148/248/448/548/1048      480
3032                      320

You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1X authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication.

Optionally, you can configure a guest VLAN for unauthorized users, a VLAN for users whose authentication was unsuccessful, and a VLAN for users when the authentication server is unavailable.

When the authentication server is unavailable after the server timeout period expires:

  • You can control how many seconds the authentication server tries to authenticate users for before assigning them to an untagged VLAN:

    config switch interface
        edit <interface_name>
            config port-security
                set port-security-mode {802.1X | 802.1X-mac-based}
                set authserver-timeout-period <3-15 seconds>
                set authserver-timeout-vlan {enable | disable}
                set authserver-timeout-vlanid <1-4094>
            end
            set security-groups <security-group-name>
        next
    end

  • If you are using 802.1X MAC-based authentication and FortiSwitchOS 7.2.7 or later, you can control how many seconds the authentication server tries to authenticate users for before assigning them to a tagged VLAN. Select set authserver-timeout-tagged disable if you do not want users to be assigned to a tagged VLAN when the authentication server times out. Select set authserver-timeout-tagged lldp-voice if you want users to be assigned to the VLAN specified in the set lldp-profile command (under config switch physical-port). Select set authserver-timeout-tagged static if you want users to be assigned to the VLAN specified in the set authserver-timeout-tagged-vlanid command.

    config switch interface
        edit <interface_name>
            config port-security
                set port-security-mode 802.1X-mac-based
                set authserver-timeout-period <3-15 seconds>
                set authserver-timeout-tagged {disable | lldp-voice | static}
                set authserver-timeout-tagged-vlanid <1-4094>
            end
            set security-groups <security-group-name>
        next
    end

  • You can control how often the switch checks whether the RADIUS server is available:

    config user radius
        edit <RADIUS_user_name>
            set link-monitor {enable | disable}
            set link-monitor-interval <5-120 seconds>
        next
    end
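The three fragments above, combined into one complete configuration sequence: a RADIUS server with link monitoring, the user group the port refers to, and a MAC-based 802.1X port with MAB and the fallback VLANs. This is an added example, not configuration taken from the guide. It assumes a RADIUS server object named rad-nac at the placeholder address 192.0.2.10, a user group named nac-group, and sample VLAN IDs 900-902; the set server, set secret, config user group / set member, set mac-auth-bypass, set guest-vlan / set guest-vlanid and set auth-fail-vlan / set auth-fail-vlanid commands are not shown on this page and are assumed from the FortiSwitchOS CLI.

```text
# Added example (not from the guide). Server address and secret are placeholders.
config user radius
    edit "rad-nac"
        set server "192.0.2.10"                  # assumed command; placeholder address
        set secret "REPLACE_WITH_SHARED_SECRET"  # assumed command; placeholder secret
        set link-monitor enable                  # poll the server so the switch notices outages and recovery
        set link-monitor-interval 30             # check every 30 seconds (allowed range: 5-120)
    next
end

config user group
    edit "nac-group"                             # assumed: the group named by set security-groups below
        set member "rad-nac"
    next
end

config switch interface
    edit "port5"
        config port-security
            set port-security-mode 802.1X-mac-based
            set mac-auth-bypass enable           # assumed command: printers etc. authenticate by MAC address
            set guest-vlan enable                # assumed command: VLAN for clients that never authenticate
            set guest-vlanid 900                 # sample value
            set auth-fail-vlan enable            # assumed command: VLAN for clients whose authentication failed
            set auth-fail-vlanid 901             # sample value
            set authserver-timeout-period 10     # stop waiting for RADIUS after 10 seconds (range 3-15)
            set authserver-timeout-vlan enable   # then place the client in an untagged fallback VLAN
            set authserver-timeout-vlanid 902    # sample value
            set authserver-timeout-tagged disable  # FortiSwitchOS 7.2.7+: no tagged VLAN on timeout
        end
        set security-groups "nac-group"
    next
end
```

Treat the authserver-timeout VLAN (902 here) as a restricted segment: every client that connects while the RADIUS server is unreachable is placed in it without having been authenticated, so it should carry only what such a client must reach. The link monitor is what lets the switch distinguish "server down" from "authentication rejected"; without it, a dead server and a denied user can look the same to the port.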

Starting in FortiSwitchOS 7.2.1, you use the CLI to change the priority of MAB authentication and EAP 802.1X authentication.

When you are testing your system configuration for 802.1X authentication, you can use the monitor mode to allow network traffic to flow, even if there are configuration problems or authentication failures.

This section covers the following topics:
