FortiSwitch security policies

To control network access, the managed FortiSwitch unit supports IEEE 802.1X authentication. A supplicant connected to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the network. The supplicant and the authentication server communicate using the switch using the Extensible Authentication Protocol (EAP). The managed FortiSwitch unit supports EAP-PEAP, EAP-TTLS, and EAP-TLS.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the managed FortiSwitch unit.

In FortiLink mode, you must manually create a firewall policy to allow RADIUS traffic for 802.1X authentication from the FortiSwitch unit (for example, from the FortiLink interface) to the RADIUS server through the FortiGate device.

The managed FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicantʼs device. The switch provides network access only to devices that have successfully been authenticated.

You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1X authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication. If a link goes down, you can select whether the impacted devices must reauthenticate. By default, reauthentication is disabled.

You can configure a guest VLAN for unauthorized users and a VLAN for users whose authentication was unsuccessful. Starting in FortiSwitchOS 6.4.3, if the RADIUS server cannot be reached for 802.1X authentication, you can specify a untagged VLAN for users after the authentication server timeout period expires.

Starting in FortiOS 7.4.4, you can specify a tagged VLAN for users to be assigned to when the authentication server is unavailable. This feature is available with 802.1x MAC-based authentication. It is compatible with both EAP and MAB.

When you are testing your system configuration for 802.1X authentication, you can use the monitor mode to allow network traffic to flow, even if there are configuration problems or authentication failures.

Fortinet recommends an 802.1X setup rate of 5 to 10 sessions per second.

This section covers the following topics:

• Number of devices supported per port for 802.1X MAC-based authentication
• Configuring the 802.1X settings for a virtual domain
• Overriding the virtual domain settings
• Specifying how RADIUS request attributes are formatted
• Dynamically and manually assigning the NAS-IP-Address attribute

• Dynamic VLAN assignment

• Dynamic access control lists

• Defining an 802.1X security policy
• Applying an 802.1X security policy to a FortiSwitch port

• Changing the priority of MAB and EAP 802.1X authentication

• Testing 802.1X authentication with monitor mode
• Clearing authorized sessions
• RADIUS accounting support
• RADIUS change of authorization (CoA) support
• 802.1X authentication deployment example
• Detailed deployment notes

Number of devices supported per port for 802.1X MAC-based authentication

The FortiSwitch unit supports up to 20 devices per port for 802.1X MAC-based authentication. System-wide, the FortiSwitch unit now supports a total of 10 times the number of interfaces for 802.1X MAC-based authentication. See the following table.

Model	Total number of devices supported per switch
108	80
124/224/424/524/1024	240
148/248/448/548/1048	480
3032	320

Configuring the 802.1X settings for a virtual domain

To configure the 802.1X security policy for a virtual domain:

config switch-controller 802-1X-settings

set link-down-auth {set-unauth | no-action}

set reauth-period <integer>

set max-reauth-attempt <integer>

set tx-period <integer>

set mab-reauth {enable | disable}

end

Option	Description	Default
link-down-auth {set-unauth | no-action}	If a link is down, this command determines the authentication state. Choosing set-unauth sets the interface to unauthenticated when a link is down, and reauthentication is needed. Choosing no-action means that the interface does not need to be reauthenticated when a link is down.	set-unauth
reauth-period <integer>	This command sets how often reauthentication is needed. The range is 1-1440 minutes. Setting the value to 0 minutes disables reauthentication. NOTE: Setting the reauth-period to 0 is supported only in the CLI. The RADIUS dynamic session timeout and CoA session timeout do not support setting the Session Timeout to 0. For MAB authentication, the host entry is automatically reauthenticated after the reauth-period. To clear the host entry, you need to clear the entry manually.	60
max-reauth-attempt <integer>	This command sets the maximum number of reauthentication attempts. The range is 1-15. Setting the value to 0 disables reauthentication.	3
tx-period <integer>	This command sets the 802.1X transmission period in seconds. The range is 4-60.	30
mab-reauth {enable | disable}	This command enables or disables MAB reauthentication.	disable

Overriding the virtual domain settings

You can override the virtual domain settings for the 802.1X security policy.

Using the FortiGate GUI

To override the 802.1X settings for a virtual domain:

1. Go to WiFi & Switch Controller > Managed FortiSwitches.
2. Click on a FortiSwitch faceplate and select Edit.
3. In the Edit Managed FortiSwitch page, move the Override 802-1X settings slider to the right.
4. In the Reauthentication Interval field, enter the number of minutes before reauthentication is required. The maximum interval is 1,440 minutes. Setting the value to 0 minutes disables reauthentiction.
5. In the Max Reauthentication Attempts field, enter the maximum times that reauthentication is attempted. The maximum number of attempts is 15. Setting the value to 0 disables reauthentication.
6. Select Deauthenticate or None for the link down action. Selecting Deauthenticate sets the interface to unauthenticated when a link is down, and reauthentication is needed. Selecting None means that the interface does not need to be reauthenticated when a link is down.
7. Select OK.

Using the FortiGate CLI

To override the 802.1X settings for a virtual domain:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config 802-1X-settings

set local-override {enable | *disable}

set reauth-period <integer> // visible if override enabled

set max-reauth-attempt <integer> // visible if override enabled

set link-down-auth {*set-unauth | no-action} // visible if override enabled

set mab-reauth {enable | disable} // visible if override enabled

end

next

end

For a description of the options, see Configuring the 802.1X settings for a virtual domain.

Specifying how RADIUS request attributes are formatted

Starting in FortiOS 7.4.2 with FortiSwitchOS 7.4.1, you can specify how the following RADIUS request attributes are formatted when they are sent to the RADIUS server:

• User-Name

  You can select a colon, hyphen, or single hyphen to use as a delimiter, or you can select none for no delimiter. By default, you can use a hyphen as the delimiter.

• User-Password

  You can select a colon, hyphen, or single hyphen to use as a delimiter, or you can select none for no delimiter. By default, you can use a hyphen as the delimiter.

• Called-Station-Id

  You can select a colon, hyphen, or single hyphen to use as a delimiter, or you can select none for no delimiter. By default, you can use a hyphen as the delimiter.

• Calling-Station-Id

  You can select a colon, hyphen, or single hyphen to use as a delimiter, or you can select none for no delimiter. By default, you can use a hyphen as the delimiter.

The following are examples of MAC addresses with the different delimiters:

• Using a colon as a delimiter: 00:11:22:33:44:55

• Using a hyphen as a delimiter: 00-11-22-33-44-55

• Using a single hyphen as a delimiter: 001122-334455

• Using none for no delimiter: 001122334455

You can also select whether to use lowercase or uppercase letters in MAC addresses. By default, lowercase letters are used.

To specify how RADIUS request attributes are formatted:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config 802-1X-settings

set local-override enable

set mac-username-delimiter {colon| hyphen | none | single-hyphen}

set mac-password-delimiter {colon| hyphen | none | single-hyphen}

set mac-calling-station-delimiter {colon| hyphen | none | single-hyphen}

set mac-called-station-delimiter {colon| hyphen | none | single-hyphen}

set mac-case {lowercase | uppercase}

end

next

end

Dynamically and manually assigning the NAS-IP-Address attribute

Starting in FortiOS 7.4.2, you can dynamically assign a different NAS-IP-Address attribute to the managed switches when authenticating users with a RADIUS server. When this feature is enabled, the NAS-IP-Address attribute is based on the FortiLink IP address when the IP address is IPv4.

If needed, you can override the dynamic NAS-IP-Address attribute and manually assign the NAS-IP-Address attribute to individual managed switches.

Note: FortiSwitchOS supports only IPv4 addresses for the NAS-IP-Address attribute. You can enable switch-controller-nas-ip-dynamic only when the nas-ip value is not set (under the config user radius command). When radius-nas-ip-override is enabled and the radius-nas-ip value is set, the IP address is assigned to the NAS-IP-Address attribute, even if switch-controller-nas-ip-dynamic is not enabled and the nas-ip value is not set.

To dynamically assign a different NAS-IP-Address attribute on the FortiGate device to all managed switches:

config user radius

edit <RADIUS_server_name>

set switch-controller-nas-ip-dynamic enable

next

end

To override the dynamic NAS-IP-Address attribute on the FortiGate device for a specific managed switch:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

set radius-nas-ip-override enable

set radius-nas-ip <IPv4_address>

next

end

For example:

config switch-controller managed-switch

edit S524DF4K15000024

set radius-nas-ip-override enable

set radius-nas-ip 1.2.3.4

next

end

Dynamic VLAN assignment

You can configure the RADIUS server to return a VLAN in the authentication reply message.

Starting in FortiOS 6.2, when the FortiSwitch unit receives a VLAN assignment from RADIUS, it determines if the data is an integer or string representation. If the representation is an integer, the FortiSwitch unit assigns the VLAN. If the representation is a string, the 802.1X agent will search each VLANʼs description field for all VLANs (names defined by the FortiOS VLAN name). If found, the 802.1X agent will make the assignment.

On the FortiGate device, all VLANs are specified as a system interface. Each system interface has a well-defined and unique name. The switch controller synchronizes the FortiGate system interface name (maximum of 15 characters) to the FortiSwitch VLAN description.

Starting in FortiOS 7.4.1, the FortiOS switch controller also supports the synchronization of the FortiGate system interface description to the switch VLAN description (up to the first 63 characters of FortiSwitch VLAN description field in FortiOS). This allows a more flexible use of the Tunnel-Private-Group-Id RADIUS attribute. To use the maximum length of 63 characters, set the vlan-identity command to description (under config switch-controller global).

Configuration examples

To configure dynamic VLAN name assignment:

1. Configure a RADIUS server. In this example, the Tunnel-Private-Group-Id is set to the VLAN name, instead of the VLAN identifier.

   • Set Tunnel-Type to "VLAN".

   • Set Tunnel-Medium-Type to "IEEE-802".

   • Set Tunnel-Private-Group-Id to "my.vlan.10".

2. Configure the FortiGate device:

   config system interface

   ​​​​​​​edit "my.vlan.10"

   set vdom "root"

   set ip 1.1.1.254 255.255.255.0

   set allowaccess ping

   set interface "my.fortlink"

   set vlanid 10

   next

   end

3. Check the FortiSwitch unit. The VLAN name is stored in the value for the set description command.

   # show switch vlan

   config switch vlan

   edit 10

   set description "my.vlan.10"

   next

   end

To synchronize the FortiGate system interface description to the switch VLAN description:

1. Configure the FortiSwitch VLAN on the FortiGate device:

   config system interface

   edit "vlan11"

   set vdom "vdom1"

   set ip 6.6.6.1 255.255.255.0

   set allowaccess ping https ssh http fabric

   set description "Test VLAN"

   set device-identification enable

   set role lan

   set snmp-index 45

   set interface "port11"

   set vlanid 111

   next

   end

2. On the FortiSwitch unit, check that the FortiLink interface name is stored in the value for the set description command.

   config switch vlan

   edit 11

   set description "Test VLAN"

   next

   end

Setting the priority for dynamic or egress VLAN assignment

Starting in FortiOS 7.4.2 with FortiSwitchOS 7.4.2, you can change how a managed FortiSwitch unit searches for VLANs with names (specified in the set description command) that match the Tunnel-Private-Group-Id or Egress-VLAN-Name attribute.

Before FortiOS 7.4.2 and FortiSwitchOS 7.4.2, if there was more than one VLAN with the same name (specified in the set description command), the managed FortiSwitch unit selected the VLAN with the lowest VLAN ID that matched the Tunnel-Private-Group-Id or Egress-VLAN-Name attribute.

In the following example, the Tunnel-Private-Group-Id attribute is set to testVLAN, and three VLANs have the same name of testVLAN. The managed FortiSwitch unit matches the Tunnel-Private-Group-Id attribute with the VLAN with the lowest ID, VLAN 4.

VLAN ID	VLAN name
4	testVLAN
5	testVLAN
6	testVLAN

In FortiOS 7.4.2 with FortiSwitchOS 7.4.2, you can assign a priority to each VLAN. If there is more than one VLAN with the same name (specified in the set description command), the managed FortiSwitch unit selects the VLAN with the lowest assignment-priority value (which is the highest priority) of the VLANs with names that match the RADIUS Tunnel-Private-Group-Id or Egress-VLAN-Name attribute. The assignment-priority value can be 1-255. By default, the assignment-priority is 128. The lowest assignment-priority value gets the highest priority.

In the following example, the Tunnel-Private-Group-Id attribute is set to localVLAN, and four VLANs have the same name of localVLAN. The managed FortiSwitch unit matches the Tunnel-Private-Group-Id attribute with the VLAN with the lowest priority, VLAN 5.

VLAN ID	VLAN name	VLAN priority
4	localVLAN	50
5	localVLAN	25
6	localVLAN	75
7	localVLAN	100

To set the priority on the managed FortiSwitch unit for matching VLAN names:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config vlan

edit <VLAN_name>

set assignment-priority <1-255>

next

end

next

end

For example:

config switch-controller managed-switch

edit "S524DF4K15000024"

config vlan

edit vlan5

set assignment-priority 200

next

end

next

end

Dynamic access control lists

Starting in FortiOS 7.4.4, you can use RADIUS attributes to configure dynamic access control lists (DACLs) on the 802.1x ports of managed switches. DACLs are configured on a switch or saved on a RADIUS server. You can use DACLs to control traffic per user session or per port for switch ports directly connected to user clients. DACLs apply to hardware only when 802.1x authentication is successful.

You can use DACLs with 802.1X port-based authentication and 802.1X MAC-based authentication. IPv4 is supported, but IPv6 is not supported. You can use DACLs with monitor mode (open-auth) and with static ACLs.

DACLs are disabled by default. After you enable DACL in an 802.1X security policy, you must apply the 802.1X security policy to a managed FortiSwitch port. See Applying an 802.1X security policy to a FortiSwitch port.

The maximum number of ACL entries per port is 45. The maximum number of entries includes both static ACL entries and DACL entries. Duplicate entries might cause an error.

FortiSwitch models	Maximum number of static ACL and DACL entries
2xxD/2xxE	896
424E/426E	1,792
448E/424E-Fiber	2,816
5xx	3,584
1024E	3,034
1048E	6,144
3032E	986

Two RADIUS attributes are supported:

• Filter-Id —You need to use a custom command to use the Filter-Id attribute.
• NAS-Filter-Rule—The NAS-Filter-Rule attribute defines the filter rules at the RADIUS server. After authentication, the DACL applies to the port.
  • The NAS-Filter-Rule supports a maximum of 80 characters, and you can specify a maximum of 45 entries per authentication session or a maximum of 45 entries per port.

  • Do not include blank spaces in the NAS-Filter-Rule. Commas and dashes are allowed.

  • A syntax error in one NAS-Filter-Rule causes the entire DACL to fail.

The following is the Filter-Id format:

Filter-Id += "<filter-name>"

For example:

Filter-Id += "filter-id-service1"

Changing the name of Filter-Id after authentication causes errors in the output of the diagnose switch-controller switch-info 802.1X-dacl command when the session is using Filter-Id.

The following is the NAS-Filter-Rule format:

NAS-Filter-Rule = " <deny|permit> in <ip|ip-protocol-value> from <any|<ip-addr>|ipv4-addr/mask> [<tcp/udp-port|tcp/udp min-max port>] to <any|<ip-addr>|ipv4-addr/mask> [<tcp/udp-port|tcp/udp min-max port>] [cnt] "

The following table explains the syntax of the NAS-Filter-Rule:

Option	Description
<deny|permit>	Select one of the following: permit—Allow packets that match the rule. deny—Drop packets that match the rule.
in	The in keyword specifies that the ACL applies only to the inbound traffic from the authenticated client.
<ip|ip-protocol-value>	Specify one of the following for the type of traffic to filter: ip—Any protocol will match. ip-protocol-value—IP traffic specified by either a protocol number or by tcp, udp, icmp, or (for IPv4 only) igmp. The range of protocol numbers is 0-255.
from <any|<ip-addr>|ipv4-addr/mask>	Required. Specify one of the following for the authenticated client source: any—Specifies any IPv4 source address <ip-addr>|ipv4-addr/mask>—Enter a series of contiguous source addresses or all source addresses in a subnet. The <mask> is the number of leftmost bits in a packetʼs source IPv4 address that must match the corresponding bits in the source IPv4 address. For example, 10.100.24.1/24 will match an inbound traffic from the authenticated client that has a source IPv4 address where the first three octets are 10.100.24.
[<tcp/udp-port|tcp/udp min-max port>] to	Specify the TCP or UDP port or range of ports. Used when the access control entry is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP source port numbers. You can specify a single port or a single port range, such as 10.105.0.1/24 80 or 10.105.0.1/24 80-100.
<any|<ip-addr>|ipv4-addr/mask>	Specify one of the following: any—Specifies any IPv4 destination address <ip-addr>|ipv4-addr/mask>—Enter a series of contiguous destination addresses or all destination addresses in a subnet. The <mask> is the number of leftmost bits in a packetʼs destination IPv4 address that must match the corresponding bits in the destination IPv4 address. For example, 10.100.24.1/24 will match an inbound traffic from the authenticated client that has a destination IPv4 address where the first three octets are 10.100.24.
[<tcp/udp-port|tcp/udp min-max port>]	Specify the TCP or UDP port or range of ports. Used when the access control entry is intended to filter client TCP or UDP traffic with one or more specific TCP or UDP destination port numbers. You can specify a single port or a single port range, such as 10.105.0.1/24 80 or 10.105.0.1/24 80-100. For example, to deny any UDP traffic from an authenticated client that has a destination address of any address and a UDP destination port of 357-457: deny in udp from any to any 357-457
[cnt]	Specify the counter for a RADIUS-assigned access control entry.

For example:

• NAS-Filter-Rule += "permit in 20 from any to any cnt"

• NAS-Filter-Rule += "deny in tcp from any to 10.10.10.1 23"

• NAS-Filter-Rule += "permit in tcp from any to any 23"

When you use the NAS-Filter-Rule attribute, follow these guidelines: You can use 8 port ranges (source or destination ports) on the FS-148E, FS-148E-POE, and FS-148E-FPOE models. You can use 16 port ranges (source or destination ports) on the FS-108F, FS-108F-POE, FS-108F-FPOE, FS-124E, FS-124E-POE, FS-124E-FPOE, FS-124F, FS-124F-POE, FS-124F-FPOE, FS-148F, FS-148F-POE, and FS-148F-FPOE models. You can use up to 32 port ranges (source or destination ports) on the FS-1024E, FS-T1024E, FS-T1024F-FPOE, FS-1048E, FS-3032E, FS-424E, FS-424E-POE, FS-424E-FPOE, FS-M426E-FPOE, FS-224D-FPOE, FS-248D, FS-224E, FS-224E-POE, FS-248E-POE, FS-248E-FPOE, FS-424E-Fiber, FS-448E, FS-448E-POE, FS-448E-FPOE, FS-524D, FS-524D-FPOE, FS-548D, and FS-548D-FPOE models. Port ranges must have the smaller port number as the first number in the range and the larger port number as the second number in the range. For example, you can specify a port range of 8-10 but not 10-8. If you specify a layer-4 port or layer-4 port range (for example, permit in TCP from any to any 100-200 cnt) when defining the source or destination in a dynamic ACL entry, FortiSwitchOS discards any port configurations made after the layer-4 configuration.

To enable DACL:

config switch-controller security-policy 802-1X

edit <policy_name>

set dacl enable

next

end

For example:

config switch-controller security-policy 802-1X

edit "802-1X-policy-default"

set user-group "radius-users"

set mac-auth-bypass enable

set open-auth disable

set eap-passthru enable

set eap-auto-untagged-vlans enable

set guest-vlan disable

set auth-fail-vlan disable

set framevid-apply enable

set radius-timeout-overwrite disable

set authserver-timeout-vlan disable

set dacl enable

next

end

To configure a value for NAS-Filter-Rule:

config switch acl service custom

edit <ACL_service>

set comment <string>

set color <0-32>

set protocol {ICMP | IP | TCP/UDP/SCTP}

set protocol-number <IP protocol number>

set tcp-portrange <port_number>-<port_number>

set udp-portrange <port_number>-<port_number>

next

end

For example:

config switch acl service custom

edit nas-filter-rule-service1

set comment "NAS filter rule for service 1"

set udp-portrange 10000-20000

next

end

To use a custom command to configure Filter-Id:

1. Define the Filter-Id attribute.

2. Define the action and classifier.

For example:

set command "config switch acl 802-1X %0a edit 403 %0a set filter-id %22 111111 %22 %0a next %0a edit 403 %0a config access-list-entry %0a edit 1 %0a config action %0a set count enable %0a end %0a config classifier %0a set ether-type 0x800 %0a end %0a end %0a"

To display the status of DACLs on a specific FortiSwitch unit:

diagnose switch-controller switch-info 802.1X-dacl <FortiSwitch_serial_number>

For example:

diagnose switch-controller switch-info 802.1X-dacl S548DF5018000776

To display the status of DACLs on a specified 802.1X port:

diagnose switch-controller switch-info 802.1X-dacl <FortiSwitch_serial_number> <port_name>

For example:

diagnose switch-controller switch-info 802.1X-dacl S548DF5018000776 port10

Defining an 802.1X security policy

You can define multiple 802.1X security policies.

Using the FortiGate GUI

To create an 802.1X security policy:

1. Go to WiFi & Switch Controller > FortiSwitch Port Policies.
2. Under Security Policies, click Create New.
3. Enter a name for the new FortiSwitch security policy.
4. For the security mode, click Port-based or MAC-based.
5. Select + to select which user groups will have access.
6. Enable or disable guest VLANs on this interface to allow restricted access for some users.
7. Enter the number of seconds for authentication delay for guest VLANs. The range is 1-900 seconds.
8. Enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.
9. Enable or disable MAC authentication bypass (MAB) on this interface.
10. Enable or disable EAP pass-through mode on this interface.
11. Enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
12. Select OK.

Using the FortiGate CLI

To create an 802.1X security policy, use the following commands:

config switch-controller security-policy 802-1X

edit "<policy_name>"

set security-mode {802.1X | 802.1X-mac-based}

set user-group <*group_name | Guest-group | SSO_Guest_Users>

set mac-auth-bypass {enable | *disable}

set eap-passthru {enable | disable}

set guest-vlan {enable | *disable}

set guest-vlan-id "<guest-VLAN-name>"

set guest-auth-delay <integer>

set auth-fail-vlan {enable | *disable}

set auth-fail-vlan-id "<auth-fail-VLAN-name>"

set radius-timeout-overwrite {enable | *disable}

set policy-type 802.1X

set authserver-timeout-period <integer>

set authserver-timeout-tagged {lldp-voice | static | disable}

set authserver-timeout-tagged-vlanid <1-4094>

set authserver-timeout-vlan {enable | disable}

set authserver-timeout-vlanid "<RADIUS-timeout-VLAN-name>"

end

end

Option	Description
set security-mode	You can restrict access with 802.1X port-based authentication or with 802.1X MAC-based authentication. Use port-based authentication when the client is connected directly to a switch port and is capable of 802.1X authentication. Use MAC-based authentication when more than one device needs to be authenticated on the same switch port, and you need to authenticate based on the MAC address.
set user-group	You can set a specific group name, Guest-group, or SSO_Guest_Users to have access. This setting is mandatory.
set mac-auth-bypass	You can enable or disable MAB on this interface.
set eap-passthrough	You can enable or disable EAP pass-through mode on this interface.
set guest-vlan	You can enable or disable guest VLANs on this interface to allow restricted access for some users.
set guest-vlan-id "<guest-VLAN-name>"	You can specify the name of the guest VLAN.
set guest-auth-delay	You can set the authentication delay for guest VLANs on this interface. The range is 1-900 seconds.
set auth-fail-vlan	You can enable or disablethe authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.
set auth-fail-vlan-id "<auth-fail-VLAN-name>"	You can specify the name of the authentication fail VLAN
set radius-timeout-overwrite	You can enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
set policy-type 802.1X	You can set the policy type to the 802.1X security policy.
set authserver-timeout-period	You can set how many seconds the RADIUS server has to authenticate users. The range of values is 3-15 seconds; the default time is 3 seconds. This option is only visible when authserver-timeout-vlan is enabled.
set authserver-timeout-tagged {lldp-voice | static | disable}	Select whether users are assigned to the specified VLAN when the authentication server times out: lldp-voice—Users are assigned to the VLAN specified in the set lldp-profile command (under config switch-controller managed-switch). static—Users are assigned to the tagged VLAN specified in the set authserver-timeout-tagged-vlanid command. disable—Users are not assigned to a specified VLAN when the authentication server times out. The default is disable.
set authserver-timeout-tagged-vlanid <1-4094>	Enter the identifier for the tagged VLAN that the system assigns to users when the authentication server times out.
set authserver-timeout-vlan	Enable or disable the RADIUS timeout VLAN on this interface to allow limited access for users when the RADIUS server times out before finishing authentication. By default, this option is disabled.
set authserver-timeout-vlanid "<RADIUS-timeout-VLAN-name>"	The VLAN name that is used for users when the RADIUS server times out before finishing authentication. This option is only visible when authserver-timeout-vlan is enabled.

Applying an 802.1X security policy to a FortiSwitch port

You can apply a different 802.1X security policy to each FortiSwitch port.

Using the FortiGate GUI

To apply an 802.1X security policy to a managed FortiSwitch port:

1. Go to WiFi & Switch Controller > FortiSwitch Ports.
2. Select the + next to a FortiSwitch unit.
3. In the Security Policy column for a port, click + to select a security policy.
4. Select OK to apply the security policy to that port.

Using the FortiGate CLI

To apply an 802.1X security policy to a managed FortiSwitch port, use the following commands:

config switch-controller managed-switch

edit <managed-switch>

config ports

edit <port>

set port-security-policy <802.1x-policy>

next

end

next

end

Changing the priority of MAB and EAP 802.1X authentication

802.1X authentication and MAB authentication must be enabled before you can change the priority of MAB and EAP 802.1X authentication. This feature requires FortiSwitchOS 7.2.1 or later. This feature is supported by both 802.1X port-based authentication and 802.1X MAC-based authentication.

You can use the CLI to change the priority of MAB authentication and EAP 802.1X authentication to fit your specific network security requirements.

• Before FortiOS 7.6.0, the managed switch tried EAP 802.1X authentication and MAB authentication in the order that they were received with EAP 802.1X authentication having absolute priority. If authentication failed, users were assigned to the auth-fail-vlanid VLAN if it had been configured. There was no time delay. Starting inFortiOS 7.6.0, use the set auth-priority legacy command to keep this priority. After an upgrade, auth-priority is set to legacy by default.

• Starting in FortiOS 7.6.0, if you want the managed switch to try EAP 802.1X authentication first and then MAB authentication if EAP 802.1X fails, use the set auth-priority dot1x-mab command. If MAB authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.

• Starting in FortiOS 7.6.0, if you want the managed switch to try MAB authentication first and then EAP 802.1X authentication if MAB authentication fails, use the set auth-priority mab-dot1x command. If EAP 802.1X authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.

• Starting in FortiOS 7.6.0 with FortiSwitchOS 7.2.3, MAB-only authentication is supported. In this mode, the managed FortiSwitch unit performs MAB authentication without performing EAP authentication. EAP packets are not sent. To enable MAB-only authentication, set the auth-order command to mab.

The following flowchart shows the FortiSwitch 802.1X port-based authentication with MAB enabled and with an authentication priority of auth-priority legacy:

The following flowchart shows the FortiSwitch 802.1X MAC-based authentication with MAB enabled and with an authentication priority of auth-priority legacy:

In the following flowchart, the authentication priority is dot1x-mab. If both EAP 802.1X authentication and MAB authentication fail, the user is assigned to the auth-fail-vlanid VLAN. If an EAPoL-Start packet is received after MAB authentication, the switch changes to EAP 802.1X authentication.

In the following flowchart, the authentication priority is mab-dot1x. If MAB authentication fails, the switch attempts EAP 802.1X authentication. If an EAPoL-Start packet is received after MAB authentication, the switch attempts EAP 802.1X authentication without any time delay or processing impact.

To configure the priority of MAB and EAP 802.1X authentication for managed switches:

1. Enable 802.1X authentication and MAB authentication.

   config switch-controller security-policy 802-1X

   edit <policy_name>

   set security-mode {802.1X | 802.1X-mac-based}

   set mac-auth-bypass enable

   Variable	Description	Default
   security-mode 802.1X | 802.1X-mac-based}	Set the security mode for the port. 802.1X—Use this setting for port-based authentication. 802.1X-mac-based—Use this setting for MAC-based authentication. If you change the security mode to 802.1X or 802.1X-mac-based, you must set the user group with the set user-group command.	802.1X

2. Specify the authentication order and priority.

   set auth-order mab

   set auth-priority {legacy | dot1x-mab | mab-dot1x}

   Variable	Description
   auth-order mab	This command is available only when the set mac-auth-bypass command is enabled. Use this command if you want to use the MAB-only authentication mode, where the FortiSwitch unit performs MAB authentication without performing EAP authentication. EAP packets are not sent.
   auth-priority {legacy | dot1x-mab | mab-dot1x}	Select the priority of MAB authentication and EAP 802.1X authentication. legacy—The switch tries EAP 802.1X authentication and MAB authentication in the order that they are received with EAP 802.1X authentication having absolute priority. If authentication fails, users are assigned to a guest VLAN if it has been configured. There is no time delay involved. This is the default value. dot1x-mab—The switch tries EAP 802.1X authentication first and then MAB authentication if EAP 802.1X fails. If MAB authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured. mab-dot1x—The switch tries MAB authentication first and then EAP 802.1X authentication if MAB authentication fails. If EAP 802.1X authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured. This command is available only when the set mac-auth-bypass command is enabled.

For example:

config switch-controller security-policy 802-1X

edit "8021Xmabpolicy"

set security-mode 802.1X

set user-group "1X_RADIUS_GROUP"

set mac-auth-bypass enable

set auth-order mab-dot1x

set auth-priority mab-dot1x

next

end

Testing 802.1X authentication with monitor mode

Use the monitor mode to test your system configuration for 802.1X authentication. You can use monitor mode to test port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass. Monitor mode is disabled by default. After you enable monitor mode, the network traffic will continue to flow, even if the users fail authentication.

To enable or disable monitor mode, use the following commands:

config switch-controller security-policy 802-1X

edit "<policy_name>"

set open-auth {enable | disable}

next

end

Clearing authorized sessions

You can clear authorized sessions associated with a specific interface or a specific MAC address.

To clear the 802.1X-authorized session associated with a specific MAC address:

execute switch-controller switch-action 802-1X clear-auth-mac <FortiSwitch_serial_number> <MAC_address>

For example:

execute switch-controller switch-action 802-1X clear-auth-mac S548DF5018000776 4f:8d:c2:73:dd:fe

To clear the 802.1X-authorized sessions associated with a specific interface:

execute switch-controller switch-action 802-1X clear-auth-port <FortiSwitch_serial_number> <port_name>

For example:

execute switch-controller switch-action 802-1X clear-auth-port S524DF4K15000024 port1

RADIUS accounting support

The FortiSwitch unit uses 802.1X-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:

• START—The FortiSwitch has been successfully authenticated, and the session has started.
• STOP—The FortiSwitch session has ended.
• INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command.
• ON—FortiSwitch will send this message when the switch is turned on.
• OFF—FortiSwitch will send this message when the switch is shut down.

You can specify more than one value to be sent in the RADIUS Service-Type attribute. Use a space between multiple values.

Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed FortiSwitch units:

config user radius

edit <RADIUS_server_name>

set acct-interim-interval <seconds>

set switch-controller-service-type {administrative | authenticate-only | callback-administrative | callback-framed | callback-login | callback-nas-prompt | call-check | framed | login | nas-prompt | outbound}

config accounting-server

edit <entry_ID>

set status {enable | disable}

set server <server_IP_address>

set secret <secret_key>

set port <port_number>

next

end

next

end

RADIUS change of authorization (CoA) support

For increased security, each subnet interface that will be receiving CoA requests must be configured with the set allowaccess radius-acct command.

Starting in FortiSwitchOS 6.2.1, RADIUS accounting and CoA support EAP and MAB 802.1X authentication.

The FortiSwitch unit supports two types of RADIUS CoA messages:

• CoA messages to change session authorization attributes (such as data filters and the session-timeout setting ) during an active session.
• Disconnect messages (DMs) to flush an existing session. For MAC-based authentication, all other sessions are unchanged, and the port stays up. For port-based authentication, only one session is deleted.

RADIUS CoA messages use the following Fortinet proprietary attribute:

Fortinet-Host-Port-AVPair 42 string

The format of the value is as follows:

Attribute	Value	Description
Fortinet-Host-Port-AVPair	action=bounce-port	The FortiSwitch unit disconnects all sessions on a port. The port goes down for 10 seconds and then up again.
Fortinet-Host-Port-AVPair	action=disable-port	The FortiSwitch unit disconnects all session on a port. The port goes down until the user resets it.
Fortinet-Host-Port-AVPair	action=reauth-port	The FortiSwitch unit forces the reauthentication of the current session.

In addition, RADIUS CoA uses the session-timeout attribute:

Attribute	Value	Description
session-timeout	<session_timeout_value>	The FortiSwitch unit disconnects a session after the specified number of seconds of idleness. This value must be more than 60 seconds. NOTE: To use the session-timeout attribute, you must enable the set radius-timeout-overwrite command first.

The FortiSwitch unit sends the following Error-Cause codes in RADIUS CoA-NAK and Disconnect-NAK messages.

Error Cause	Error Code	Description
Unsupported Attribute	401	This error is a fatal error, which is sent if a request contains an attribute that is not supported.
NAS Identification Mismatch	403	This error is a fatal error, which is sent if one or more NAS-Identifier Attributes do not match the identity of the NAS receiving the request.
Invalid Attribute Value	407	This error is a fatal error, which is sent if a CoA-Request or Disconnect-Request message contains an attribute with an unsupported value.
Session Context Not Found	503	This error is a fatal error if the session context identified in the CoA-Request or Disconnect-Request message does not exist on the NAS.

Configuring CoA and disconnect messages

Use the following commands to enable a FortiSwitch unit to receive CoA and disconnect messages from a RADIUS server:

config system interface

edit "mgmt"

set ip <address> <netmask>

set allowaccess <access_types>

set type physical

next

config user radius

edit <RADIUS_server_name>

set radius-coa {enable | disable}

set radius-port <port_number>

set secret <secret_key>

set server <server_name_IPv4>

end

Variable	Description
config system interface
ip <address> <netmask>	Enter the interface IP address and netmask.
allowaccess <access_types>	Enter the types of management access permitted on this interface. Valid types are as follows: http https ping snmp ssh telnet radius-acct. Separate each type with a space. You must include radius-acct to receive CoA and disconnect messages.
<RADIUS_server_name>	Enter the name of the RADIUS server that will be sending CoA and disconnect messages to the FortiSwitch unit. By default, the messages use port 3799.
config user radius
radius-coa {enable | disable}	Enable or disable whether the FortiSwitch unit will accept CoA and disconnect messages. The default is disable.
radius-port <port_number>	Enter the RADIUS port number. By default, the value is 0 for FortiOS, which uses port 1812 for the FortiSwitch unit in FortiLink mode.
secret <secret_key>	Enter the shared secret key for authentication with the RADIUS server. There is no default.
server <server_name_IPv4>	Enter the domain name or IPv4 address for the RADIUS server. There is no default.

Example: RADIUS CoA

The following example uses the FortiOS CLI to enable the FortiSwitch unit to receive CoA and disconnect messages from the specified RADIUS server:

config switch-controller security-policy local-access

edit default

set internal-allowaccess ping https http ssh snmp telnet radius-acct

next

end

config user radius

edit "Radius-188-200"

set radius-coa enable

set radius-port 0

set secret ENC +2NyBcp8JF3/OijWl/w5nOC++aDKQPWnlC8Ug2HKwn4RcmhqVYE+q07yI9eSDhtiIw63kR/oMBLGwFQoeZfOQWengIlGTb+YQo/lYJn1V3Nwp9sdkcblfyayfc9gTeqe+mFltKl5IWNI7WRYiJC8sxaF9Iyr2/l4hpCiVUMiPOU6fSrj

set server "10.105.188.200"

next

end

802.1X authentication deployment example

To control network access, you can configure 802.1X authentication from a FortiGate unit managing FortiSwitch units. A supplicant connected to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the network.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the FortiSwitch unit. You also need a firewall policy on the FortiGate unit to allow traffic from the FortiSwitch unit to the RADIUS server.

To create a firewall policy to allow the FortiSwitch unit to reach the RADIUS server:

config firewall policy

edit 1

set name "fortilink-to-radius"

set srcintf "fortilink"

set dstintf "accounting-server"

set action accept

set service "ALL"

set nat enable

end

To create a group for users who will be authenticated by 802.1X:

config user radius

edit "dot1x-radius"

set server "192.168.174.10"

set secret ENC ***

set radius-port 1812

config accounting-server

edit 1

set status enable

set server "192.168.174.10"

set secret ENC ***

set port 1813

next

end

next

end

config user group

edit "radius users"

set member "dot1x-radius"

next

end

To create an 802.1X security policy:

You can create an 802.1X security policy using the FortiGate GUI by going to WiFi & Switch Controller > FortiSwitch Security Policies and selecting Create New.

config switch-controller security-policy 802-1X

edit "802-1X-policy-default"

set security-mode 802.1X-mac-based

set user-group "dot1x-local"

set mac-auth-bypass enable

set eap-passthru enable

set guest-vlan enable

set guest-vlan-id "guest-VLAN"

set auth-fail-vlan enable

set auth-fail-vlan-id "auth-fail-VLAN"

set radius-timeout-overwrite disable

next

end

To configure the global 802.1X settings:

config switch-controller 802-1X-settings

set link-down-auth no-action

set reauth-period 90

set max-reauth-attempt 4

end

To apply an 802.1X security policy to a managed FortiSwitch port:

You can apply an 802.1X security policy to a managed FortiSwitch port using the FortiGate GUI by going to WiFi & Switch Controller > FortiSwitch Ports.

config switch-controller managed-switch

edit S548DN4K16000360

config ports

edit "port1"

set dhcp-snooping trusted

set dhcp-snoop-option82-trust enable

set port-security-policy "802-1X-policydefault"

next

end

Detailed deployment notes

• Using more than one security group (with the set security-groups command) per security profile is not supported.
• CoA and single sign-on are supported only by the CLI in this release.
• RADIUS CoA is supported in standalone mode. In addition, RADIUS CoA is supported in FortiLink mode when NAT is disabled in the firewall policy (set nat disable under the config firewall policy command), and the interfaces on the link between the FortiGate unit and FortiSwitch unit are assigned routable addresses other than 169.254.1.x.
• The FortiSwitch unit supports using FortiAuthenticator, FortiConnect, Microsoft Network Policy Server (NPS), Aruba ClearPass, and Cisco Identity Services Engine (ISE) as the RADIUS server for CoA and RSSO.
• Each RADIUS CoA server can support only one accounting manager in this release.
• RADIUS accounting/CoA/VLAN-by-name features are supported only with eap-passthru enable.
• Fortinet recommends a unique secret key for each accounting server.
• For CoA to correctly function with FortiAuthenticator or FortiConnect, you must include the User-Name attribute (you can optionally include the Framed-IP-Address attribute) or the User-Name and Calling-Station-ID attributes in the CoA request.
• To obtain a valid Framed-IP-Address attribute value, you need to manually configure DHCP snooping in the 802.1X-authenticated ports of your VLAN network for both port and MAC modes.
• Port-based basic statistics for RADIUS accounting messages are supported in the Accounting Stop request.
• By default, the accounting server is disabled. You must enable the accounting server with the set status enable command.
• The default port for FortiAuthenticator single sign-on is 1813 for the FortiSwitch unit.
• In MAC-based authentication, the maximum number of client MAC addresses is 20. Each model has its own maximum limit.
• Static MAC addresses and sticky MAC addresses are mechanisms for manual/local authorization; 802.1X is a mechanism for protocol-based authorization. Do not mix them.
• Fortinet recommends an 802.1X setup rate of 5 to 10 sessions per second.
• Starting in FortiSwitch 6.2.0, when 802.1X authentication is configured, the EAP pass-through mode (set eap-passthru) is enabled by default.
• For information about the RADIUS attributes supported by FortiSwitchOS, refer to the “Supported attributes for RADIUS CoA and RSSO” appendix in the FortiSwitchOS Administration Guide—Standalone Mode.
• EAP-MD5 is not supported.