Handbook

FortiSwitch port security policy

6.0.0

FortiSwitch port security policy

To control network access, the managed FortiSwitch unit supports IEEE 802.1x authentication. A supplicant connected to a port on the switch must be authenticated by a RADIUS/Diameter server to gain access to the network. The supplicant and the authentication server communicate through the switch using the EAP protocol. The managed FortiSwitch unit supports EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5.

To use the RADIUS server for authentication, you must configure the server before configuring the users or user groups on the managed FortiSwitch unit.

NOTE: In FortiLink mode, you must manually create a firewall policy to allow RADIUS traffic for 802.1x authentication from the FortiSwitch unit (for example, from the FortiLink interface) to the RADIUS server through the FortiGate.

The managed FortiSwitch unit implements MAC-based authentication. The switch saves the MAC address of each supplicant's device. The switch provides network access only to devices that have successfully been authenticated.

You can enable the MAC Authentication Bypass (MAB) option for devices (such as network printers) that cannot respond to the 802.1x authentication request. With MAB enabled on the port, the system will use the device MAC address as the user name and password for authentication.

Optionally, you can configure a guest VLAN for unauthorized users. Alternatively, you can specify a VLAN for users whose authentication was unsuccessful.

When you are testing your system configuration for 802.1x authentication, you can use the monitor mode to allow network traffic to flow, even if there are configuration problems or authentication failures.

Note

Fortinet recommends an 802.1x setup rate of 5 to 10 sessions per second.

This chapter covers the following topics:

  • Increased number of devices supported per port for 802.1x MAC-based authentication
  • Configure the 802.1X settings for a virtual domain
  • Override the virtual domain settings
  • Define an 802.1X security policy
  • Apply an 802.1X security policy to a FortiSwitch port
  • Test 802.1x authentication with monitor mode
  • Restrict the type of frames allowed through IEEE 802.1Q ports
  • RADIUS accounting support

Increased number of devices supported per port for 802.1x MAC-based authentication

The FortiSwitch unit supports up to 20 devices per port for 802.1x MAC-based authentication. System-wide, the FortiSwitch unit now supports a total of 10 times the number of interfaces for 802.1x MAC-based authentication:

Model                         Total number of devices supported per switch
108                           80
112                           120
124/224/424/524/1024          240
148/248/448/548/1048          480
3032                          320

Configure the 802.1X settings for a virtual domain

To configure the 802.1X security policy for a virtual domain, use the following commands:

config switch-controller 802-1X-settings
    set reauth-period <int>
    set max-reauth-attempt <int>
    set link-down-auth <*set-unauth | no-action>
end

Option descriptions:

set link-down-auth
    If a link is down, this command determines the authentication state. Choosing set-unauth sets the interface to unauthenticated when a link is down, and reauthentication is needed. Choosing no-action means that the interface does not need to be reauthenticated when a link is down.

set reauth-period
    This command sets how often reauthentication is needed. The range is 1-1440 minutes. The default is 60 minutes. Setting the value to 0 minutes disables reauthentication.

set max-reauth-attempt
    This command sets the maximum number of reauthentication attempts. The range is 1-15. The default is 3. Setting the value to 0 disables reauthentication.

Override the virtual domain settings

You can override the virtual domain settings for the 802.1X security policy.

Using the FortiGate GUI

To override the 802.1X settings for a virtual domain:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click on a FortiSwitch faceplate and select Edit.
  3. In the Edit Managed FortiSwitch page, move the Override 802-1X settings slider to the right.
  4. In the Reauthentication Interval field, enter the number of minutes before reauthentication is required. The maximum interval is 1,440 minutes. Setting the value to 0 minutes disables reauthentication.
  5. In the Max Reauthentication Attempts field, enter the maximum number of times that reauthentication is attempted. The maximum number of attempts is 15. Setting the value to 0 disables reauthentication.
  6. Select Deauthenticate or None for the link down action. Selecting Deauthenticate sets the interface to unauthenticated when a link is down, and reauthentication is needed. Selecting None means that the interface does not need to be reauthenticated when a link is down.
  7. Select OK.

Using the FortiGate CLI

To override the 802.1X settings for a virtual domain, use the following commands:

config switch-controller managed-switch
    edit <switch>
        config 802-1X-settings
            set local-override [enable | *disable]
            set reauth-period <int>                        // visible if override enabled
            set max-reauth-attempt <int>                   // visible if override enabled
            set link-down-auth <*set-unauth | no-action>   // visible if override enabled
        end
    next
end

For a description of the options, see Configure the 802.1X settings for a virtual domain.

Define an 802.1X security policy

You can define multiple 802.1X security policies.

Using the FortiGate GUI

To create an 802.1X security policy:

  1. Go to WiFi & Switch Controller > FortiSwitch Security Policies.
  2. Select Create New.
  3. Enter a name for the new FortiSwitch security policy.
  4. For the security mode, select Port-based or MAC-based.
  5. Select + to select which user groups will have access.
  6. Enable or disable guest VLANs on this interface to allow restricted access for some users.
  7. Enter the number of seconds for authentication delay for guest VLANs. The range is 1-900 seconds.
  8. Enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.
  9. Enable or disable MAC authentication bypass (MAB) on this interface.
  10. Enable or disable EAP pass-through mode on this interface.
  11. Enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
  12. Select OK.

Using the FortiGate CLI

To create an 802.1X security policy, use the following commands:

config switch-controller security-policy 802-1X
    edit "<policy_name>"
        set security-mode {802.1X | 802.1X-mac-based}
        set user-group <*group_name | Guest-group | SSO_Guest_Users>
        set mac-auth-bypass [enable | *disable]
        set eap-passthru [enable | disable]
        set guest-vlan [enable | *disable]
        set guest-vlan-id "guest-VLAN-name"
        set guest-auth-delay <integer>
        set auth-fail-vlan [enable | *disable]
        set auth-fail-vlan-id "auth-fail-VLAN-name"
        set radius-timeout-overwrite [enable | *disable]
        set policy-type 802.1X
    next
end

Option descriptions:

set security-mode
    You can restrict access with 802.1X port-based authentication or with 802.1X MAC-based authentication.

set user-group
    You can set a specific group name, Guest-group, or SSO_Guest_Users to have access. This setting is mandatory.

set mac-auth-bypass
    You can enable or disable MAB on this interface.

set eap-passthru
    You can enable or disable EAP pass-through mode on this interface.

set guest-vlan
    You can enable or disable guest VLANs on this interface to allow restricted access for some users.

set guest-vlan-id "guest-VLAN-name"
    You can specify the name of the guest VLAN.

set guest-auth-delay
    You can set the authentication delay for guest VLANs on this interface. The range is 1-900 seconds.

set auth-fail-vlan
    You can enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.

set auth-fail-vlan-id "auth-fail-VLAN-name"
    You can specify the name of the authentication fail VLAN.

set radius-timeout-overwrite
    You can enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.

set policy-type 802.1X
    You can set the policy type to the 802.1X security policy.

Apply an 802.1X security policy to a FortiSwitch port

You can apply a different 802.1X security policy to each FortiSwitch port.

Using the FortiGate GUI

To apply an 802.1X security policy to a managed FortiSwitch port:

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Select the + next to a FortiSwitch unit.
  3. In the Security Policy column for a port, click + to select a security policy.
  4. Select OK to apply the security policy to that port.

Using the FortiGate CLI

To apply an 802.1X security policy to a managed FortiSwitch port, use the following commands:

config switch-controller managed-switch
    edit <managed-switch>
        config ports
            edit <port>
                set port-security-policy <802.1X-policy>
            next
        end
    next
end

Test 802.1x authentication with monitor mode

Use the monitor mode to test your system configuration for 802.1x authentication. You can use monitor mode to test port-based authentication, MAC-based authentication, EAP pass-through mode, and MAC authentication bypass. Monitor mode is disabled by default. After you enable monitor mode, the network traffic will continue to flow, even if the users fail authentication.

To enable or disable monitor mode, use the following commands:

config switch-controller security-policy 802-1X
    edit "<policy_name>"
        set open-auth {enable | disable}
    next
end
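The following end-to-end configuration is an added example, not taken from the Fortinet handbook, that strings the sections above together in the order the page requires: RADIUS server first, then the user group, the VDOM-wide 802.1X settings, the security policy (with monitor mode on for testing), and finally the port. The server address, shared secret, switch serial, port, VLAN names and policy names are constructed placeholders; the "guest-vlan" and "quarantine-vlan" interfaces are assumed to already exist on the FortiLink interface, and `config user group` / `set member` are standard FortiOS commands that this page does not show.

```fortios
# Constructed values throughout: address, secret, serial and names are placeholders.
# Step 1: RADIUS server (configured before any user group) plus an
# accounting server so START/STOP/INTERIM messages reach RSSO.
config user radius
    edit "corp-radius"
        set server "192.0.2.10"
        set secret "REPLACE-WITH-SHARED-SECRET"
        set acct-interim-interval 600
        config accounting-server
            edit 1
                set status enable
                set server "192.0.2.10"
                set secret "REPLACE-WITH-SHARED-SECRET"
                set port 1813
            next
        end
    next
end

# Step 2: user group backed by that server (assumed standard FortiOS commands;
# this page does not show them). The policy's user-group setting is mandatory.
config user group
    edit "dot1x-users"
        set member "corp-radius"
    next
end

# Step 3: VDOM-wide 802.1X behaviour: reauthenticate every 60 minutes, give up
# after 3 attempts, and clear the authenticated state when the link drops.
config switch-controller 802-1X-settings
    set reauth-period 60
    set max-reauth-attempt 3
    set link-down-auth set-unauth
end

# Step 4: MAC-based policy with MAB for printers, a guest VLAN after a 30 s delay
# for devices that do not authenticate, a separate VLAN for failed authentication,
# and open-auth (monitor mode) enabled only while the setup is being tested.
config switch-controller security-policy 802-1X
    edit "corp-dot1x"
        set security-mode 802.1X-mac-based
        set user-group "dot1x-users"
        set mac-auth-bypass enable
        set guest-vlan enable
        set guest-vlan-id "guest-vlan"
        set guest-auth-delay 30
        set auth-fail-vlan enable
        set auth-fail-vlan-id "quarantine-vlan"
        set open-auth enable
        set policy-type 802.1X
    next
end

# Step 5: apply the policy to one access port and discard tagged 802.1Q frames,
# which an end device on an access port has no reason to send.
config switch-controller managed-switch
    edit "S124EPTF18000000"
        config ports
            edit "port5"
                set port-security-policy "corp-dot1x"
                set discard-mode all-tagged
            next
        end
    next
end
```

Once the policy behaves as expected, set open-auth back to disable: while monitor mode is on, supplicants that fail authentication still get network access.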

Restrict the type of frames allowed through IEEE 802.1Q ports

You can now specify whether each FortiSwitch port discards tagged 802.1Q frames or untagged 802.1Q frames or allows all frames access to the port. By default, all frames have access to each FortiSwitch port.

Use the following CLI commands:

config switch-controller managed-switch
    edit <SN>
        config ports
            edit <port_name>
                set discard-mode <none | all-tagged | all-untagged>
            next
        end
    next
end

RADIUS accounting support

The FortiSwitch unit uses 802.1x-authenticated ports to send five types of RADIUS accounting messages to the RADIUS accounting server to support FortiGate RADIUS single sign-on:

  • START—The FortiSwitch has been successfully authenticated, and the session has started.
  • STOP—The FortiSwitch session has ended.
  • INTERIM—Periodic messages sent based on the value set using the set acct-interim-interval command.
  • ON—FortiSwitch will send this message when the switch is turned on.
  • OFF—FortiSwitch will send this message when the switch is shut down.

Use the following commands to set up RADIUS accounting so that FortiOS can send accounting messages to managed FortiSwitch units:

config user radius
    edit <RADIUS_server_name>
        set acct-interim-interval <seconds>
        config accounting-server
            edit <entry_ID>
                set status {enable | disable}
                set server <server_IP_address>
                set secret <secret_key>
                set port <port_number>
            next
        end
    next
end
