Fortinet white logo
Fortinet white logo

FortiLink Guide

FortiSwitch security policies

FortiSwitch security policies

To control network access, the managed FortiSwitch unit supports IEEE 802.1X authentication. A supplicant connected to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the network. The supplicant and the authentication server communicate using the switch using the EAP protocol. The managed FortiSwitch unit supports EAP-PEAP, EAP-TTLS, and EAP-TLS.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the managed FortiSwitch unit.

NOTE: In FortiLink mode, you must manually create a firewall policy to allow RADIUS traffic for 802.1X authentication from the FortiSwitch unit (for example, from the FortiLink interface) to the RADIUS server through the FortiGate.

The managed FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.

You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1X authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication. If a link goes down, you can select whether the impacted devices must reauthenticate. By default, reauthentication is disabled.

You can configure a guest VLAN for unauthorized users and a VLAN for users whose authentication was unsuccessful. Starting in FortiSwitchOS 6.4.3, if the RADIUS server cannot be reached for 802.1X authentication, you can specify a RADIUS timeout VLAN for users after the authentication server timeout period expires.

When you are testing your system configuration for 802.1X authentication, you can use the monitor mode to allow network traffic to flow, even if there are configuration problems or authentication failures.

Note

Fortinet recommends an 802.1X setup rate of 5 to 10 sessions per second.

This section covers the following topics:

Number of devices supported per port for 802.1X MAC-based authentication

The FortiSwitch unit supports up to 20 devices per port for 802.1X MAC-based authentication. System-wide, the FortiSwitch unit now supports a total of 10 times the number of interfaces for 802.1X MAC-based authentication. See the following table.

Model

Total number of devices supported per switch

108

80

112

60

124/224/424/524/1024

240

148/248/448/548/1048

480

3032

320

Configuring the 802.1X settings for a virtual domain

To configure the 802.1X security policy for a virtual domain, use the following commands:

config switch-controller 802-1X-settings

set link-down-auth {set-unauth | no-action}

set reauth-period <integer>

set max-reauth-attempt <integer>

set tx-period <integer>

set mab-reauth {enable | disable}

end

Option

Description

Default

link-down-auth {set-unauth | no-action}

If a link is down, this command determines the authentication state. Choosing set-unauth sets the interface to unauthenticated when a link is down, and reauthentication is needed. Choosing no-action means that the interface does not need to be reauthenticated when a link is down.

set-unauth

reauth-period <integer>

This command sets how often reauthentication is needed. The range is 1-1440 minutes. Setting the value to 0 minutes disables reauthentication.

NOTE: Setting the reauth-period to 0 is supported only in the CLI. The RADIUS dynamic session timeout and CoA session timeout do not support setting the Session Timeout to 0. For MAB authentication, the host entry is automatically reauthenticated after the reauth-period. To clear the host entry, you need to clear the entry manually.

60

max-reauth-attempt <integer>

This command sets the maximum number of reauthentication attempts. The range is 1-15. Setting the value to 0 disables reauthentication.

3

tx-period <integer>

This command sets the 802.1X transmission period in seconds. The range is 4-60.

30

mab-reauth {enable | disable}

This command enables or disables MAB reauthentication.

disable

Overriding the virtual domain settings

You can override the virtual domain settings for the 802.1X security policy.

Using the FortiGate GUI

To override the 802.1X settings for a virtual domain:

  1. Go to WiFi & Switch Controller > Managed FortiSwitches.
  2. Click on a FortiSwitch faceplate and select Edit.
  3. In the Edit Managed FortiSwitch page, move the Override 802-1X settings slider to the right.
  4. In the Reauthentication Interval field, enter the number of minutes before reauthentication is required. The maximum interval is 1,440 minutes. Setting the value to 0 minutes disables reauthentiction.
  5. In the Max Reauthentication Attempts field, enter the maximum times that reauthentication is attempted. The maximum number of attempts is 15. Setting the value to 0 disables reauthentication.
  6. Select Deauthenticate or None for the link down action. Selecting Deauthenticate sets the interface to unauthenticated when a link is down, and reauthentication is needed. Selecting None means that the interface does not need to be reauthenticated when a link is down.
  7. Select OK.
Using the FortiGate CLI
To override the 802.1X settings for a virtual domain:

config switch-controller managed-switch

edit < switch >

config 802-1X-settings

set local-override [ enable | *disable ]

set reauth-period < int > // visible if override enabled

set max-reauth-attempt < int > // visible if override enabled

set link-down-auth < *set-unauth | no-action > // visible if override enabled

set mab-reauth {enable | disable} // visible if override enabled

end

next

end

For a description of the options, see Configuring the 802.1X settings for a virtual domain.

Defining an 802.1X security policy

You can define multiple 802.1X security policies.

Using the FortiGate GUI

To create an 802.1X security policy:

  1. Go to WiFi & Switch Controller > FortiSwitch Port Policies.
  2. Under Security Policies, click Create New.
  3. Enter a name for the new FortiSwitch security policy.
  4. For the security mode, click Port-based or MAC-based.
  5. Select + to select which user groups will have access.
  6. Enable or disable guest VLANs on this interface to allow restricted access for some users.
  7. Enter the number of seconds for authentication delay for guest VLANs. The range is 1-900 seconds.
  8. Enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.
  9. Enable or disable MAC authentication bypass (MAB) on this interface.
  10. Enable or disable EAP pass-through mode on this interface.
  11. Enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
  12. Select OK.
Using the FortiGate CLI

To create an 802.1X security policy, use the following commands:

config switch-controller security-policy 802-1X

edit "<policy.name>"

set security-mode {802.1X | 802.1X-mac-based}

set user-group <*group_name | Guest-group | SSO_Guest_Users>

set mac-auth-bypass {enable | *disable}

set eap-passthru {enable | disable}

set guest-vlan {enable | *disable}

set guest-vlan-id "<guest-VLAN-name>"

set guest-auth-delay <integer>

set auth-fail-vlan {enable | *disable}

set auth-fail-vlan-id "<auth-fail-VLAN-name>"

set radius-timeout-overwrite {enable | *disable}

set policy-type 802.1X

set authserver-timeout-vlan {enable | disable}

set authserver-timeout-period <integer>

set authserver-timeout-vlanid "<RADIUS-timeout-VLAN-name>"

end

end

Option

Description

set security-mode

You can restrict access with 802.1X port-based authentication or with 802.1X MAC-based authentication. Use port-based authentication when the client is connected directly to a switch port and is capable of 802.1X authentication. Use MAC-based authentication when more than one device needs to be authenticated on the same switch port, and you need to authenticate based on the MAC address.

set user-group

You can set a specific group name, Guest-group, or SSO_Guest_Users to have access. This setting is mandatory.

set mac-auth-bypass

You can enable or disable MAB on this interface.

set eap-passthrough

You can enable or disable EAP pass-through mode on this interface.

set guest-vlan

You can enable or disable guest VLANs on this interface to allow restricted access for some users.

set guest-vlan-id "<guest-VLAN-name>"

You can specify the name of the guest VLAN.

set guest-auth-delay

You can set the authentication delay for guest VLANs on this interface. The range is 1-900 seconds.

set auth-fail-vlan

You can enable or disablethe authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.

set auth-fail-vlan-id "<auth-fail-VLAN-name>"

You can specify the name of the authentication fail VLAN

set radius-timeout-overwrite

You can enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.

set policy-type 802.1X

You can set the policy type to the 802.1X security policy.

set authserver-timeout-vlan

Enable or disable the RADIUS timeout VLAN on this interface to allow limited access for users when the RADIUS server times out before finishing authentication.

By default, this option is disabled.

set authserver-timeout-period

You can set how many seconds the RADIUS server has to authenticate users. The range of values is 3-15 seconds; the default time is 3 seconds.

This option is only visible when authserver-timeout-vlan is enabled.

set authserver-timeout-vlanid "<RADIUS-timeout-VLAN-name>"

The VLAN name that is used for users when the RADIUS server times out before finishing authentication.

This option is only visible when authserver-timeout-vlan is enabled.

Applying an 802.1X security policy to a FortiSwitch port

You can apply a different 802.1X security policy to each FortiSwitch port.

Using the FortiGate GUI
To apply an 802.1X security policy to a managed FortiSwitch port:
  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Select the + next to a FortiSwitch unit.
  3. In the Security Policy column for a port, click + to select a security policy.
  4. Select OK to apply the security policy to that port.
Using the FortiGate CLI

To apply an 802.1X security policy to a managed FortiSwitch port, use the following commands:

config switch-controller managed-switch

edit <managed-switch>

config ports

edit <port>

set port-security-policy <802.1x-policy>

next

end

next

end

Testing 802.1X authentication with monitor mode

Use the monitor mode to test your system configuration for 802.1X authentication. You can use monitor mode to test port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass. Monitor mode is disabled by default. After you enable monitor mode, the network traffic will continue to flow, even if the users fail authentication.

To enable or disable monitor mode, use the following commands:

config switch-controller security-policy 802-1X

edit "<policy_name>"

set open-auth {enable | disable}

next

end

Clearing authorized sessions

You can clear authorized sessions associated with a specific interface or a specific MAC address.

To clear the 802.1X-authorized session associated with a specific MAC address:

execute switch-controller switch-action 802-1X clear-auth-mac <FortiSwitch_serial_number> <MAC_address>

For example:

execute switch-controller switch-action 802-1X clear-auth-mac S548DF5018000776 4f:8d:c2:73:dd:fe

To clear the 802.1X-authorized sessions associated with a specific interface:

execute switch-controller switch-action 802-1X clear-auth-port <FortiSwitch_serial_number> <port_name>

For example:

execute switch-controller switch-action 802-1X clear-auth-port S524DF4K15000024 port1

RADIUS accounting support

The FortiSwitch unit uses 802.1X-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:

  • START—The FortiSwitch has been successfully authenticated, and the session has started.
  • STOP—The FortiSwitch session has ended.
  • INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command.
  • ON—FortiSwitch will send this message when the switch is turned on.
  • OFF—FortiSwitch will send this message when the switch is shut down.

You can specify more than one value to be sent in the RADIUS Service-Type attribute. Use a space between multiple values.

Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed FortiSwitch units:

config user radius

edit <RADIUS_server_name>

set acct-interim-interval <seconds>

set switch-controller-service-type {administrative | authenticate-only | callback-administrative | callback-framed | callback-login | callback-nas-prompt | call-check | framed | login | nas-prompt | outbound}

config accounting-server

edit <entry_ID>

set status {enable | disable}

set server <server_IP_address>

set secret <secret_key>

set port <port_number>

next

end

next

end

RADIUS change of authorization (CoA) support

For increased security, each subnet interface that will be receiving CoA requests must be configured with the set allowaccess radius-acct command.

Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA support EAP and MAB 802.1X authentication.

The FortiSwitch unit supports two types of RADIUS CoA messages:

  • CoA messages to change session authorization attributes (such as data filters and the session-timeout setting ) during an active session.
  • Disconnect messages (DMs) to flush an existing session. For MAC-based authentication, all other sessions are unchanged, and the port stays up. For port-based authentication, only one session is deleted.

RADIUS CoA messages use the following Fortinet proprietary attribute:

Fortinet-Host-Port-AVPair 42 string

The format of the value is as follows:

Attribute Value Description
Fortinet-Host-Port-AVPair action=bounce-port The FortiSwitch unit disconnects all sessions on a port. The port goes down for 10 seconds and then up again.
Fortinet-Host-Port-AVPair action=disable-port The FortiSwitch unit disconnects all session on a port. The port goes down until the user resets it.
Fortinet-Host-Port-AVPair action=reauth-port The FortiSwitch unit forces the reauthentication of the current session.

In addition, RADIUS CoA uses the session-timeout attribute:

Attribute Value Description
session-timeout <session_timeout_value> The FortiSwitch unit disconnects a session after the specified number of seconds of idleness. This value must be more than 60 seconds. NOTE: To use the session-timeout attribute, you must enable the set radius-timeout-overwrite command first.

The FortiSwitch unit sends the following Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages.

Error Cause Error Code Description
Unsupported Attribute 401 This error is a fatal error, which is sent if a request contains an attribute that is not supported.
NAS Identification Mismatch 403 This error is a fatal error, which is sent if one or more NAS-Identifier Attributes do not match the identity of the NAS receiving the request.
Invalid Attribute Value 407 This error is a fatal error, which is sent if a CoA-Request or Disconnect-Request message contains an attribute with an unsupported value.
Session Context Not Found 503 This error is a fatal error if the session context identified in the CoA-Request or Disconnect-Request message does not exist on the NAS.

Configuring CoA and disconnect messages

Use the following commands to enable a FortiSwitch unit to receive CoA and disconnect messages from a RADIUS server:

config system interface

edit "mgmt"

set ip <address> <netmask>

set allowaccess <access_types>

set type physical

next

config user radius

edit <RADIUS_server_name>

set radius-coa {enable | disable}

set radius-port <port_number>

set secret <secret_key>

set server <server_name_IPv4>

end

Variable Description

config system interface

ip <address> <netmask> Enter the interface IP address and netmask.
allowaccess <access_types> Enter the types of management access permitted on this interface. Valid types are as follows: http https ping snmp ssh telnet radius-acct. Separate each type with a space. You must include radius-acct to receive CoA and disconnect messages.
<RADIUS_server_name> Enter the name of the RADIUS server that will be sending CoA and disconnect messages to the FortiSwitch unit. By default, the messages use port 3799.

config user radius

radius-coa {enable | disable} Enable or disable whether the FortiSwitch unit will accept CoA and disconnect messages. The default is disable.
radius-port <port_number> Enter the RADIUS port number. By default, the value is 0 for FortiOS, which uses port 1812 for the FortiSwitch unit in FortiLink mode.
secret <secret_key> Enter the shared secret key for authentication with the RADIUS server. There is no default.
server <server_name_IPv4> Enter the domain name or IPv4 address for the RADIUS server. There is no default.

Example: RADIUS CoA

The following example uses the FortiOS CLI to enable the FortiSwitch unit to receive CoA and disconnect messages from the specified RADIUS server:

config switch-controller security-policy local-access

edit default

set internal-allowaccess ping https http ssh snmp telnet radius-acct

next

end

config user radius

edit "Radius-188-200"

set radius-coa enable

set radius-port 0

set secret ENC +2NyBcp8JF3/OijWl/w5nOC++aDKQPWnlC8Ug2HKwn4RcmhqVYE+q07yI9eSDhtiIw63kR/oMBLGwFQoeZfOQWengIlGTb+YQo/lYJn1V3Nwp9sdkcblfyayfc9gTeqe+mFltKl5IWNI7WRYiJC8sxaF9Iyr2/l4hpCiVUMiPOU6fSrj

set server "10.105.188.200"

next

end

802.1X authentication deployment example

To control network access, you can configure 802.1X authentication from a FortiGate unit managing FortiSwitch units. A supplicant connected to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the network.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the FortiSwitch unit. You also need a firewall policy on the FortiGate unit to allow traffic from the FortiSwitch unit to the RADIUS server.

To create a firewall policy to allow the FortiSwitch unit to reach the RADIUS server:

config firewall policy

edit 1

set name "fortilink-to-radius"

set srcintf "fortilink"

set dstintf "accounting-server"

set action accept

set service "ALL"

set nat enable

end

To create a group for users who will be authenticated by 802.1X:

config user radius

edit "dot1x-radius"

set server "192.168.174.10"

set secret ENC ***

set radius-port 1812

config accounting-server

edit 1

set status enable

set server "192.168.174.10"

set secret ENC ***

set port 1813

next

end

next

end

config user group

edit "radius users"

set member "dot1x-radius"

next

end

To create an 802.1X security policy:

You can create an 802.1X security policy using the FortiGate GUI by going to WiFi & Switch Controller > FortiSwitch Security Policies and selecting Create New.

config switch-controller security-policy 802-1X

edit "802-1X-policy-default"

set security-mode 802.1X-mac-based

set user-group "dot1x-local"

set mac-auth-bypass enable

set eap-passthru enable

set guest-vlan enable

set guest-vlan-id "guest-VLAN"

set auth-fail-vlan enable

set auth-fail-vlan-id "auth-fail-VLAN"

set radius-timeout-overwrite disable

next

end

To configure the global 802.1X settings:

config switch-controller 802-1X-settings

set link-down-auth no-action

set reauth-period 90

set max-reauth-attempt 4

end

To apply an 802.1X security policy to a managed FortiSwitch port:

You can apply an 802.1X security policy to a managed FortiSwitch port using the FortiGate GUI by going to WiFi & Switch Controller > FortiSwitch Ports.

config switch-controller managed-switch

edit S548DN4K16000360

config ports

edit "port1"

set dhcp-snooping trusted

set dhcp-snoop-option82-trust enable

set port-security-policy "802-1X-policydefault"

next

end

Detailed deployment notes

  • Using more than one security group (with the set security-groups command) per security profile is not supported.
  • CoA and single sign-on are supported only by the CLI in this release.
  • RADIUS CoA is supported in standalone mode. In addition, RADIUS CoA is supported in FortiLink mode when NAT is disabled in the firewall policy (set nat disable under the config firewall policy command), and the interfaces on the link between the FortiGate unit and FortiSwitch unit are assigned routable addresses other than 169.254.1.x.
  • The FortiSwitch unit supports using FortiAuthenticator, FortiConnect, Microsoft Network Policy Server (NPS), Aruba ClearPass, and Cisco Identity Services Engine (ISE) as the RADIUS server for CoA and RSSO.
  • Each RADIUS CoA server can support only one accounting manager in this release.
  • RADIUS accounting/CoA/VLAN-by-name features are supported only with eap-passthru enable.
  • Fortinet recommends a unique secret key for each accounting server.
  • For CoA to correctly function with FortiAuthenticator or FortiConnect, you must include the User-Name attribute (you can optionally include the Framed-IP-Address attribute) or the User-Name and Calling-Station-ID attributes in the CoA request.
  • To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the 802.1X-authenticated ports of your VLAN network for both port and MAC modes.
  • Port-based basic statistics for RADIUS accounting messages are supported in the Accounting Stop request.
  • By default, the accounting server is disabled. You must enable the accounting server with the set status enable command.
  • The default port for FortiAuthenticator single sign-on is 1813 for the FortiSwitch unit.
  • In MAC-based authentication, the maximum number of client MAC addresses is 20. Each model has its own maximum limit.
  • Static MAC addresses and sticky MAC addresses are mechanisms for manual/local authorization; 802.1X is a mechanism for protocol-based authorization. Do not mix them.
  • Fortinet recommends an 802.1X setup rate of 5 to 10 sessions per second.
  • Starting in FortiSwitch 6.2.0, when 802.1X authentication is configured, the EAP pass-through mode (set eap-passthru) is enabled by default.
  • For information about the RADIUS attributes supported by FortiSwitchOS, refer to the “Supported attributes for RADIUS CoA and RSSO” appendix in the FortiSwitchOS Administration Guide—Standalone Mode.
  • EAP-MD5 is not supported.

FortiSwitch security policies

FortiSwitch security policies

To control network access, the managed FortiSwitch unit supports IEEE 802.1X authentication. A supplicant connected to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the network. The supplicant and the authentication server communicate using the switch using the EAP protocol. The managed FortiSwitch unit supports EAP-PEAP, EAP-TTLS, and EAP-TLS.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the managed FortiSwitch unit.

NOTE: In FortiLink mode, you must manually create a firewall policy to allow RADIUS traffic for 802.1X authentication from the FortiSwitch unit (for example, from the FortiLink interface) to the RADIUS server through the FortiGate.

The managed FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.

You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1X authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication. If a link goes down, you can select whether the impacted devices must reauthenticate. By default, reauthentication is disabled.

You can configure a guest VLAN for unauthorized users and a VLAN for users whose authentication was unsuccessful. Starting in FortiSwitchOS 6.4.3, if the RADIUS server cannot be reached for 802.1X authentication, you can specify a RADIUS timeout VLAN for users after the authentication server timeout period expires.

When you are testing your system configuration for 802.1X authentication, you can use the monitor mode to allow network traffic to flow, even if there are configuration problems or authentication failures.

Note

Fortinet recommends an 802.1X setup rate of 5 to 10 sessions per second.

This section covers the following topics:

Number of devices supported per port for 802.1X MAC-based authentication

The FortiSwitch unit supports up to 20 devices per port for 802.1X MAC-based authentication. System-wide, the FortiSwitch unit now supports a total of 10 times the number of interfaces for 802.1X MAC-based authentication. See the following table.

Model

Total number of devices supported per switch

108

80

112

60

124/224/424/524/1024

240

148/248/448/548/1048

480

3032

320

Configuring the 802.1X settings for a virtual domain

To configure the 802.1X security policy for a virtual domain, use the following commands:

config switch-controller 802-1X-settings

set link-down-auth {set-unauth | no-action}

set reauth-period <integer>

set max-reauth-attempt <integer>

set tx-period <integer>

set mab-reauth {enable | disable}

end

Option

Description

Default

link-down-auth {set-unauth | no-action}

If a link is down, this command determines the authentication state. Choosing set-unauth sets the interface to unauthenticated when a link is down, and reauthentication is needed. Choosing no-action means that the interface does not need to be reauthenticated when a link is down.

set-unauth

reauth-period <integer>

This command sets how often reauthentication is needed. The range is 1-1440 minutes. Setting the value to 0 minutes disables reauthentication.

NOTE: Setting the reauth-period to 0 is supported only in the CLI. The RADIUS dynamic session timeout and CoA session timeout do not support setting the Session Timeout to 0. For MAB authentication, the host entry is automatically reauthenticated after the reauth-period. To clear the host entry, you need to clear the entry manually.

60

max-reauth-attempt <integer>

This command sets the maximum number of reauthentication attempts. The range is 1-15. Setting the value to 0 disables reauthentication.

3

tx-period <integer>

This command sets the 802.1X transmission period in seconds. The range is 4-60.

30

mab-reauth {enable | disable}

This command enables or disables MAB reauthentication.

disable

Overriding the virtual domain settings

You can override the virtual domain settings for the 802.1X security policy.

Using the FortiGate GUI

To override the 802.1X settings for a virtual domain:

  1. Go to WiFi & Switch Controller > Managed FortiSwitches.
  2. Click on a FortiSwitch faceplate and select Edit.
  3. In the Edit Managed FortiSwitch page, move the Override 802-1X settings slider to the right.
  4. In the Reauthentication Interval field, enter the number of minutes before reauthentication is required. The maximum interval is 1,440 minutes. Setting the value to 0 minutes disables reauthentiction.
  5. In the Max Reauthentication Attempts field, enter the maximum times that reauthentication is attempted. The maximum number of attempts is 15. Setting the value to 0 disables reauthentication.
  6. Select Deauthenticate or None for the link down action. Selecting Deauthenticate sets the interface to unauthenticated when a link is down, and reauthentication is needed. Selecting None means that the interface does not need to be reauthenticated when a link is down.
  7. Select OK.
Using the FortiGate CLI
To override the 802.1X settings for a virtual domain:

config switch-controller managed-switch

edit < switch >

config 802-1X-settings

set local-override [ enable | *disable ]

set reauth-period < int > // visible if override enabled

set max-reauth-attempt < int > // visible if override enabled

set link-down-auth < *set-unauth | no-action > // visible if override enabled

set mab-reauth {enable | disable} // visible if override enabled

end

next

end

For a description of the options, see Configuring the 802.1X settings for a virtual domain.

Defining an 802.1X security policy

You can define multiple 802.1X security policies.

Using the FortiGate GUI

To create an 802.1X security policy:

  1. Go to WiFi & Switch Controller > FortiSwitch Port Policies.
  2. Under Security Policies, click Create New.
  3. Enter a name for the new FortiSwitch security policy.
  4. For the security mode, click Port-based or MAC-based.
  5. Select + to select which user groups will have access.
  6. Enable or disable guest VLANs on this interface to allow restricted access for some users.
  7. Enter the number of seconds for authentication delay for guest VLANs. The range is 1-900 seconds.
  8. Enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.
  9. Enable or disable MAC authentication bypass (MAB) on this interface.
  10. Enable or disable EAP pass-through mode on this interface.
  11. Enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
  12. Select OK.
Using the FortiGate CLI

To create an 802.1X security policy, use the following commands:

config switch-controller security-policy 802-1X

edit "<policy.name>"

set security-mode {802.1X | 802.1X-mac-based}

set user-group <*group_name | Guest-group | SSO_Guest_Users>

set mac-auth-bypass {enable | *disable}

set eap-passthru {enable | disable}

set guest-vlan {enable | *disable}

set guest-vlan-id "<guest-VLAN-name>"

set guest-auth-delay <integer>

set auth-fail-vlan {enable | *disable}

set auth-fail-vlan-id "<auth-fail-VLAN-name>"

set radius-timeout-overwrite {enable | *disable}

set policy-type 802.1X

set authserver-timeout-vlan {enable | disable}

set authserver-timeout-period <integer>

set authserver-timeout-vlanid "<RADIUS-timeout-VLAN-name>"

end

end

Option

Description

set security-mode

You can restrict access with 802.1X port-based authentication or with 802.1X MAC-based authentication. Use port-based authentication when the client is connected directly to a switch port and is capable of 802.1X authentication. Use MAC-based authentication when more than one device needs to be authenticated on the same switch port, and you need to authenticate based on the MAC address.

set user-group

You can set a specific group name, Guest-group, or SSO_Guest_Users to have access. This setting is mandatory.

set mac-auth-bypass

You can enable or disable MAB on this interface.

set eap-passthrough

You can enable or disable EAP pass-through mode on this interface.

set guest-vlan

You can enable or disable guest VLANs on this interface to allow restricted access for some users.

set guest-vlan-id "<guest-VLAN-name>"

You can specify the name of the guest VLAN.

set guest-auth-delay

You can set the authentication delay for guest VLANs on this interface. The range is 1-900 seconds.

set auth-fail-vlan

You can enable or disablethe authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.

set auth-fail-vlan-id "<auth-fail-VLAN-name>"

You can specify the name of the authentication fail VLAN

set radius-timeout-overwrite

You can enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.

set policy-type 802.1X

You can set the policy type to the 802.1X security policy.

set authserver-timeout-vlan

Enable or disable the RADIUS timeout VLAN on this interface to allow limited access for users when the RADIUS server times out before finishing authentication.

By default, this option is disabled.

set authserver-timeout-period

You can set how many seconds the RADIUS server has to authenticate users. The range of values is 3-15 seconds; the default time is 3 seconds.

This option is only visible when authserver-timeout-vlan is enabled.

set authserver-timeout-vlanid "<RADIUS-timeout-VLAN-name>"

The VLAN name that is used for users when the RADIUS server times out before finishing authentication.

This option is only visible when authserver-timeout-vlan is enabled.

Applying an 802.1X security policy to a FortiSwitch port

You can apply a different 802.1X security policy to each FortiSwitch port.

Using the FortiGate GUI
To apply an 802.1X security policy to a managed FortiSwitch port:
  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Select the + next to a FortiSwitch unit.
  3. In the Security Policy column for a port, click + to select a security policy.
  4. Select OK to apply the security policy to that port.
Using the FortiGate CLI

To apply an 802.1X security policy to a managed FortiSwitch port, use the following commands:

config switch-controller managed-switch

edit <managed-switch>

config ports

edit <port>

set port-security-policy <802.1x-policy>

next

end

next

end

Testing 802.1X authentication with monitor mode

Use the monitor mode to test your system configuration for 802.1X authentication. You can use monitor mode to test port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass. Monitor mode is disabled by default. After you enable monitor mode, the network traffic will continue to flow, even if the users fail authentication.

To enable or disable monitor mode, use the following commands:

config switch-controller security-policy 802-1X

edit "<policy_name>"

set open-auth {enable | disable}

next

end

Clearing authorized sessions

You can clear authorized sessions associated with a specific interface or a specific MAC address.

To clear the 802.1X-authorized session associated with a specific MAC address:

execute switch-controller switch-action 802-1X clear-auth-mac <FortiSwitch_serial_number> <MAC_address>

For example:

execute switch-controller switch-action 802-1X clear-auth-mac S548DF5018000776 4f:8d:c2:73:dd:fe

To clear the 802.1X-authorized sessions associated with a specific interface:

execute switch-controller switch-action 802-1X clear-auth-port <FortiSwitch_serial_number> <port_name>

For example:

execute switch-controller switch-action 802-1X clear-auth-port S524DF4K15000024 port1

RADIUS accounting support

The FortiSwitch unit uses 802.1X-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:

  • START—The FortiSwitch has been successfully authenticated, and the session has started.
  • STOP—The FortiSwitch session has ended.
  • INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command.
  • ON—FortiSwitch will send this message when the switch is turned on.
  • OFF—FortiSwitch will send this message when the switch is shut down.

You can specify more than one value to be sent in the RADIUS Service-Type attribute. Use a space between multiple values.

Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed FortiSwitch units:

config user radius

edit <RADIUS_server_name>

set acct-interim-interval <seconds>

set switch-controller-service-type {administrative | authenticate-only | callback-administrative | callback-framed | callback-login | callback-nas-prompt | call-check | framed | login | nas-prompt | outbound}

config accounting-server

edit <entry_ID>

set status {enable | disable}

set server <server_IP_address>

set secret <secret_key>

set port <port_number>

next

end

next

end

RADIUS change of authorization (CoA) support

For increased security, each subnet interface that will be receiving CoA requests must be configured with the set allowaccess radius-acct command.

Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA support EAP and MAB 802.1X authentication.

The FortiSwitch unit supports two types of RADIUS CoA messages:

  • CoA messages to change session authorization attributes (such as data filters and the session-timeout setting ) during an active session.
  • Disconnect messages (DMs) to flush an existing session. For MAC-based authentication, all other sessions are unchanged, and the port stays up. For port-based authentication, only one session is deleted.

RADIUS CoA messages use the following Fortinet proprietary attribute:

Fortinet-Host-Port-AVPair 42 string

The format of the value is as follows:

Attribute Value Description
Fortinet-Host-Port-AVPair action=bounce-port The FortiSwitch unit disconnects all sessions on a port. The port goes down for 10 seconds and then up again.
Fortinet-Host-Port-AVPair action=disable-port The FortiSwitch unit disconnects all session on a port. The port goes down until the user resets it.
Fortinet-Host-Port-AVPair action=reauth-port The FortiSwitch unit forces the reauthentication of the current session.

In addition, RADIUS CoA uses the session-timeout attribute:

Attribute Value Description
session-timeout <session_timeout_value> The FortiSwitch unit disconnects a session after the specified number of seconds of idleness. This value must be more than 60 seconds. NOTE: To use the session-timeout attribute, you must enable the set radius-timeout-overwrite command first.

The FortiSwitch unit sends the following Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages.

Error Cause Error Code Description
Unsupported Attribute 401 This error is a fatal error, which is sent if a request contains an attribute that is not supported.
NAS Identification Mismatch 403 This error is a fatal error, which is sent if one or more NAS-Identifier Attributes do not match the identity of the NAS receiving the request.
Invalid Attribute Value 407 This error is a fatal error, which is sent if a CoA-Request or Disconnect-Request message contains an attribute with an unsupported value.
Session Context Not Found 503 This error is a fatal error if the session context identified in the CoA-Request or Disconnect-Request message does not exist on the NAS.

Configuring CoA and disconnect messages

Use the following commands to enable a FortiSwitch unit to receive CoA and disconnect messages from a RADIUS server:

config system interface

edit "mgmt"

set ip <address> <netmask>

set allowaccess <access_types>

set type physical

next

config user radius

edit <RADIUS_server_name>

set radius-coa {enable | disable}

set radius-port <port_number>

set secret <secret_key>

set server <server_name_IPv4>

end

Variable Description

config system interface

ip <address> <netmask> Enter the interface IP address and netmask.
allowaccess <access_types> Enter the types of management access permitted on this interface. Valid types are as follows: http https ping snmp ssh telnet radius-acct. Separate each type with a space. You must include radius-acct to receive CoA and disconnect messages.
<RADIUS_server_name> Enter the name of the RADIUS server that will be sending CoA and disconnect messages to the FortiSwitch unit. By default, the messages use port 3799.

config user radius

radius-coa {enable | disable} Enable or disable whether the FortiSwitch unit will accept CoA and disconnect messages. The default is disable.
radius-port <port_number> Enter the RADIUS port number. By default, the value is 0 for FortiOS, which uses port 1812 for the FortiSwitch unit in FortiLink mode.
secret <secret_key> Enter the shared secret key for authentication with the RADIUS server. There is no default.
server <server_name_IPv4> Enter the domain name or IPv4 address for the RADIUS server. There is no default.

Example: RADIUS CoA

The following example uses the FortiOS CLI to enable the FortiSwitch unit to receive CoA and disconnect messages from the specified RADIUS server:

config switch-controller security-policy local-access

edit default

set internal-allowaccess ping https http ssh snmp telnet radius-acct

next

end

config user radius

edit "Radius-188-200"

set radius-coa enable

set radius-port 0

set secret ENC +2NyBcp8JF3/OijWl/w5nOC++aDKQPWnlC8Ug2HKwn4RcmhqVYE+q07yI9eSDhtiIw63kR/oMBLGwFQoeZfOQWengIlGTb+YQo/lYJn1V3Nwp9sdkcblfyayfc9gTeqe+mFltKl5IWNI7WRYiJC8sxaF9Iyr2/l4hpCiVUMiPOU6fSrj

set server "10.105.188.200"

next

end

802.1X authentication deployment example

To control network access, you can configure 802.1X authentication from a FortiGate unit managing FortiSwitch units. A supplicant connected to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the network.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the FortiSwitch unit. You also need a firewall policy on the FortiGate unit to allow traffic from the FortiSwitch unit to the RADIUS server.

To create a firewall policy to allow the FortiSwitch unit to reach the RADIUS server:

config firewall policy

edit 1

set name "fortilink-to-radius"

set srcintf "fortilink"

set dstintf "accounting-server"

set action accept

set service "ALL"

set nat enable

end

To create a group for users who will be authenticated by 802.1X:

config user radius

edit "dot1x-radius"

set server "192.168.174.10"

set secret ENC ***

set radius-port 1812

config accounting-server

edit 1

set status enable

set server "192.168.174.10"

set secret ENC ***

set port 1813

next

end

next

end

config user group

edit "radius users"

set member "dot1x-radius"

next

end

To create an 802.1X security policy:

You can create an 802.1X security policy using the FortiGate GUI by going to WiFi & Switch Controller > FortiSwitch Security Policies and selecting Create New.

config switch-controller security-policy 802-1X

edit "802-1X-policy-default"

set security-mode 802.1X-mac-based

set user-group "dot1x-local"

set mac-auth-bypass enable

set eap-passthru enable

set guest-vlan enable

set guest-vlan-id "guest-VLAN"

set auth-fail-vlan enable

set auth-fail-vlan-id "auth-fail-VLAN"

set radius-timeout-overwrite disable

next

end

To configure the global 802.1X settings:

config switch-controller 802-1X-settings

set link-down-auth no-action

set reauth-period 90

set max-reauth-attempt 4

end

To apply an 802.1X security policy to a managed FortiSwitch port:

You can apply an 802.1X security policy to a managed FortiSwitch port using the FortiGate GUI by going to WiFi & Switch Controller > FortiSwitch Ports.

config switch-controller managed-switch

edit S548DN4K16000360

config ports

edit "port1"

set dhcp-snooping trusted

set dhcp-snoop-option82-trust enable

set port-security-policy "802-1X-policydefault"

next

end

Detailed deployment notes

  • Using more than one security group (with the set security-groups command) per security profile is not supported.
  • CoA and single sign-on are supported only by the CLI in this release.
  • RADIUS CoA is supported in standalone mode. In addition, RADIUS CoA is supported in FortiLink mode when NAT is disabled in the firewall policy (set nat disable under the config firewall policy command), and the interfaces on the link between the FortiGate unit and FortiSwitch unit are assigned routable addresses other than 169.254.1.x.
  • The FortiSwitch unit supports using FortiAuthenticator, FortiConnect, Microsoft Network Policy Server (NPS), Aruba ClearPass, and Cisco Identity Services Engine (ISE) as the RADIUS server for CoA and RSSO.
  • Each RADIUS CoA server can support only one accounting manager in this release.
  • RADIUS accounting/CoA/VLAN-by-name features are supported only with eap-passthru enable.
  • Fortinet recommends a unique secret key for each accounting server.
  • For CoA to correctly function with FortiAuthenticator or FortiConnect, you must include the User-Name attribute (you can optionally include the Framed-IP-Address attribute) or the User-Name and Calling-Station-ID attributes in the CoA request.
  • To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the 802.1X-authenticated ports of your VLAN network for both port and MAC modes.
  • Port-based basic statistics for RADIUS accounting messages are supported in the Accounting Stop request.
  • By default, the accounting server is disabled. You must enable the accounting server with the set status enable command.
  • The default port for FortiAuthenticator single sign-on is 1813 for the FortiSwitch unit.
  • In MAC-based authentication, the maximum number of client MAC addresses is 20. Each model has its own maximum limit.
  • Static MAC addresses and sticky MAC addresses are mechanisms for manual/local authorization; 802.1X is a mechanism for protocol-based authorization. Do not mix them.
  • Fortinet recommends an 802.1X setup rate of 5 to 10 sessions per second.
  • Starting in FortiSwitch 6.2.0, when 802.1X authentication is configured, the EAP pass-through mode (set eap-passthru) is enabled by default.
  • For information about the RADIUS attributes supported by FortiSwitchOS, refer to the “Supported attributes for RADIUS CoA and RSSO” appendix in the FortiSwitchOS Administration Guide—Standalone Mode.
  • EAP-MD5 is not supported.