
CLI Reference

switch-controller security-policy 802-1X

Configure 802.1x MAC Authentication Bypass (MAB) policies.

  config switch-controller security-policy 802-1X
      Description: Configure 802.1x MAC Authentication Bypass (MAB) policies.
      edit <name>
          set security-mode [802.1X|802.1X-mac-based]
          set user-group <name1>, <name2>, ...
          set mac-auth-bypass [disable|enable]
          set open-auth [disable|enable]
          set eap-passthru [disable|enable]
          set eap-auto-untagged-vlans [disable|enable]
          set guest-vlan [disable|enable]
          set guest-vlan-id {string}
          set guest-auth-delay {integer}
          set auth-fail-vlan [disable|enable]
          set auth-fail-vlan-id {string}
          set framevid-apply [disable|enable]
          set radius-timeout-overwrite [disable|enable]
          set policy-type {option}
          set authserver-timeout-period {integer}
          set authserver-timeout-vlan [disable|enable]
          set authserver-timeout-vlanid {string}
      next
  end

config switch-controller security-policy 802-1X

| Parameter | Description | Type | Size |
|---|---|---|---|
| security-mode | Port or MAC based 802.1X security mode. 802.1X: 802.1X port based authentication. 802.1X-mac-based: 802.1X MAC based authentication. | option | - |
| user-group <name> | Name of user-group to assign to this MAC Authentication Bypass (MAB) policy. Group name. | string | Maximum length: 79 |
| mac-auth-bypass | Enable/disable MAB for this policy. disable: Disable MAB. enable: Enable MAB. | option | - |
| open-auth | Enable/disable open authentication for this policy. disable: Disable open authentication. enable: Enable open authentication. | option | - |
| eap-passthru | Enable/disable EAP pass-through mode, allowing protocols (such as LLDP) to pass through ports for more flexible authentication. disable: Disable EAP pass-through mode on this interface. enable: Enable EAP pass-through mode on this interface. | option | - |
| eap-auto-untagged-vlans | Enable/disable automatic inclusion of untagged VLANs. disable: Disable automatic inclusion of untagged VLANs. enable: Enable automatic inclusion of untagged VLANs. | option | - |
| guest-vlan | Enable the guest VLAN feature to allow limited access to non-802.1X-compliant clients. disable: Disable guest VLAN on this interface. enable: Enable guest VLAN on this interface. | option | - |
| guest-vlan-id | Guest VLAN name. | string | Maximum length: 15 |
| guest-auth-delay | Guest authentication delay (1 - 900 sec, default = 30). | integer | Minimum value: 1 Maximum value: 900 |
| auth-fail-vlan | Enable to allow limited access to clients that cannot authenticate. disable: Disable authentication fail VLAN on this interface. enable: Enable authentication fail VLAN on this interface. | option | - |
| auth-fail-vlan-id | VLAN ID on which authentication failed. | string | Maximum length: 15 |
| framevid-apply | Enable/disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN. disable: Disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN. enable: Enable the capability to apply the EAP/MAB frame VLAN to the port native VLAN. | option | - |
| radius-timeout-overwrite | Enable to override the global RADIUS session timeout. disable: Override the global RADIUS session timeout. enable: Use the global RADIUS session timeout. | option | - |
| policy-type | Policy type. 802.1X: 802.1X security policy. | option | - |
| authserver-timeout-period | Authentication server timeout period (3 - 15 sec, default = 3). | integer | Minimum value: 3 Maximum value: 15 |
| authserver-timeout-vlan | Enable/disable the authentication server timeout VLAN to allow limited access when RADIUS is unavailable. disable: Disable authentication server timeout VLAN on this interface. enable: Enable authentication server timeout VLAN on this interface. | option | - |
| authserver-timeout-vlanid | Authentication server timeout VLAN name. | string | Maximum length: 15 |
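
The following is an added example, not Fortinet code: a small offline check that reads a saved `config switch-controller security-policy 802-1X` block, validates values against the limits in the table above, and lists every policy that enables one of the fallback-access options for review. The function names, the finding wording, and the policy and VLAN names in the sample are assumptions made for illustration.

```python
import re

# Limits copied from the parameter table on this page.
INT_RANGES = {"guest-auth-delay": (1, 900), "authserver-timeout-period": (3, 15)}
MAX_LEN = {"guest-vlan-id": 15, "auth-fail-vlan-id": 15, "authserver-timeout-vlanid": 15}
# Options the table describes as giving access without a completed 802.1X exchange.
FALLBACK = "mac-auth-bypass open-auth guest-vlan auth-fail-vlan authserver-timeout-vlan".split()

def parse_policies(text):
    """Return {policy_name: {option: value}} for each edit ... next entry."""
    policies, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            _, opt, *value = line.split(None, 2)
            current[opt] = value[0].strip('"') if value else ""
    return policies

def audit(text):
    """Return sorted (policy, option, finding) tuples."""
    out = []
    for name, opts in parse_policies(text).items():
        for opt, (lo, hi) in INT_RANGES.items():
            val = opts.get(opt)
            if val is not None and not (val.isdigit() and lo <= int(val) <= hi):
                out.append((name, opt, f"outside {lo}-{hi}"))
        for opt, limit in MAX_LEN.items():
            if len(opts.get(opt, "")) > limit:
                out.append((name, opt, f"longer than {limit} characters"))
        out += [(name, opt, "fallback access enabled, review")
                for opt in FALLBACK if opts.get(opt) == "enable"]
    return sorted(out)

# Constructed sample; policy and VLAN names are placeholders.
SAMPLE = """config switch-controller security-policy 802-1X
    edit "lab-ports"
        set mac-auth-bypass enable
        set guest-vlan enable
        set guest-vlan-id "example-guest-vlan-name"
        set guest-auth-delay 1200
    next
    edit "office-ports"
        set authserver-timeout-period 5
    next
end"""
```

Calling `audit(SAMPLE)` reports four findings for `lab-ports` and none for `office-ports`.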
