Fortinet white logo
Fortinet white logo

Cookbook

Port-based 802.1X authentication

Port-based 802.1X authentication

This example show how to configure Port-based 802.1X authentication to managed FortiSwitch ports when using FortiLink. Managed FortiSwitch devices will authenticate user devices per each FortiSwitch port. If there is a hub after the FortiSwitch that connects multiple user devices to the same port, they can all access the network after authentication, which is not recommended from a security perspective.

Prerequisites:
  • The certificates and authentication protocol supported by the supplicant software and RADIUS server are compatible.
  • The managed FortiSwitches using FortiLink act as authenticators.

Create a firewall policy to allow the RADIUS authentication related traffic from the Fortilink interface to the outbound interface on the FortiGate:
config firewall policy
    edit 0
        set srcintf "fortilink-interface"
        set dstintf "outbound-interface-to-RadiusSVR"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set nat enable
    next
end
Designate a RADIUS server and create a user group:

Using the CLI:

config user radius
      edit "Radius1"
          set server "172.18.60.203"
          set secret ENC 1dddddd
     next
end
config user group
     edit "Radius-Grp1"
         set member "Radius1"
     next
end

Using the GUI:

  1. On the FortiGate, go to User & Device > RADIUS Servers.
  2. Edit an existing server, or create a new one.
  3. If necessary, add a Name for the server.
  4. Set the IP/Name to 172.18.60.203 and Secret to 1dddddd .
  5. Configure other fields as necessary.
  6. Click OK.
  7. Go to User & Device > User Groups.
  8. Create a new group, and add the RADIUS server to the Remote Groups list.

  9. Click OK.
Use the new user group in a security policy:

Using the CLI:

config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set security-mode 802.1X
        set user-group "Radius-Grp1"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set guest-vlan disable
        set auth-fail-vlan disable
        set framevid-apply enable
        set radius-timeout-overwrite disable
    next
end

Configure the guest VLAN, authentication fail VLAN, and other parameters as needed.

Using the GUI:

  1. Go to WiFi & Switch Controller > FortiSwitch Security Policies
  2. Use the default 802-1X-policy-default, or create a new security policy.
  3. Use the RADIUS server group in the policy.
  4. Set the Security mode to Port-based.
  5. Configure other fields as necessary.
  6. Click OK.
Apply the security policy to the ports of the managed FortiSwitches:

Using the CLI:

config switch-controller  managed-switch 
    edit S248EPTF1800XXXX 
        config ports
            edit "port6"      
                set port-security-policy "802-1X-policy-default"
            next
        end
    next
end

Using the GUI:

  1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
  2. Configure the VLAN interfaces that are applied on FortiSwitch.

    On FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and are available to be applied by firewall policy and other security controls in FortiOS. This means that security boundary is extended to FortiSwitch.

Execute 802.1X authentication on a user device:

On Linux, run wpa_supplicant:

wpa_supplicant -c /etc/wpa_supplicant/local_supplicant.conf  -D wired -i eth2 -dd

On the FortiGate, view the status of the 802.1X authentication:

diagnose switch-controller switch-info 802.1X Managed Switch : S248EPTF18001384

   port6 : Mode: port-based (mac-by-pass disable) 
           Link: Link up
           Port State: authorized: (  ) 
           Dynamic Authorized Vlan : 0
           EAP pass-through mode : Enable
           Native Vlan : 1
           Allowed Vlan list: 1,4093
           Untagged Vlan list: 4093
           Guest VLAN :
           Auth-Fail Vlan :

           Sessions info:
           00:0c:29:d4:4f:3c     Type=802.1x,MD5,state=AUTHENTICATED,etime=0,eap_cnt=6 params:reAuth=3600  

Port-based 802.1X authentication

Port-based 802.1X authentication

This example show how to configure Port-based 802.1X authentication to managed FortiSwitch ports when using FortiLink. Managed FortiSwitch devices will authenticate user devices per each FortiSwitch port. If there is a hub after the FortiSwitch that connects multiple user devices to the same port, they can all access the network after authentication, which is not recommended from a security perspective.

Prerequisites:
  • The certificates and authentication protocol supported by the supplicant software and RADIUS server are compatible.
  • The managed FortiSwitches using FortiLink act as authenticators.

Create a firewall policy to allow the RADIUS authentication related traffic from the Fortilink interface to the outbound interface on the FortiGate:
config firewall policy
    edit 0
        set srcintf "fortilink-interface"
        set dstintf "outbound-interface-to-RadiusSVR"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set nat enable
    next
end
Designate a RADIUS server and create a user group:

Using the CLI:

config user radius
      edit "Radius1"
          set server "172.18.60.203"
          set secret ENC 1dddddd
     next
end
config user group
     edit "Radius-Grp1"
         set member "Radius1"
     next
end

Using the GUI:

  1. On the FortiGate, go to User & Device > RADIUS Servers.
  2. Edit an existing server, or create a new one.
  3. If necessary, add a Name for the server.
  4. Set the IP/Name to 172.18.60.203 and Secret to 1dddddd .
  5. Configure other fields as necessary.
  6. Click OK.
  7. Go to User & Device > User Groups.
  8. Create a new group, and add the RADIUS server to the Remote Groups list.

  9. Click OK.
Use the new user group in a security policy:

Using the CLI:

config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set security-mode 802.1X
        set user-group "Radius-Grp1"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set guest-vlan disable
        set auth-fail-vlan disable
        set framevid-apply enable
        set radius-timeout-overwrite disable
    next
end

Configure the guest VLAN, authentication fail VLAN, and other parameters as needed.

Using the GUI:

  1. Go to WiFi & Switch Controller > FortiSwitch Security Policies
  2. Use the default 802-1X-policy-default, or create a new security policy.
  3. Use the RADIUS server group in the policy.
  4. Set the Security mode to Port-based.
  5. Configure other fields as necessary.
  6. Click OK.
Apply the security policy to the ports of the managed FortiSwitches:

Using the CLI:

config switch-controller  managed-switch 
    edit S248EPTF1800XXXX 
        config ports
            edit "port6"      
                set port-security-policy "802-1X-policy-default"
            next
        end
    next
end

Using the GUI:

  1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
  2. Configure the VLAN interfaces that are applied on FortiSwitch.

    On FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and are available to be applied by firewall policy and other security controls in FortiOS. This means that security boundary is extended to FortiSwitch.

Execute 802.1X authentication on a user device:

On Linux, run wpa_supplicant:

wpa_supplicant -c /etc/wpa_supplicant/local_supplicant.conf  -D wired -i eth2 -dd

On the FortiGate, view the status of the 802.1X authentication:

diagnose switch-controller switch-info 802.1X Managed Switch : S248EPTF18001384

   port6 : Mode: port-based (mac-by-pass disable) 
           Link: Link up
           Port State: authorized: (  ) 
           Dynamic Authorized Vlan : 0
           EAP pass-through mode : Enable
           Native Vlan : 1
           Allowed Vlan list: 1,4093
           Untagged Vlan list: 4093
           Guest VLAN :
           Auth-Fail Vlan :

           Sessions info:
           00:0c:29:d4:4f:3c     Type=802.1x,MD5,state=AUTHENTICATED,etime=0,eap_cnt=6 params:reAuth=3600