On the FortiGate, all VLANs are specified as a system interface. Each system interface has a well-defined and unique name. When running FortiLink, the switch has no knowledge of the name association. The switch communicates directly with the RADIUS server and needs to know the mapping to make the proper selection. This information must be provided to the switch.
In order to make the feature generic and applicable to the switch in standalone mode, the system interface description field is leveraged. The switch-controller synchronizes this field to the switch for information purposes. All descriptions on the FortiGate remain on the FortiGate. The switch-controller synchronizes the FortiGate system interface name to the switch VLAN description.
When FortiSwitch receives a VLAN assignment from a RADIUS server, it determines if the data is an integer or string representation. If the representation is an integer, FortiSwitch assigns the VLAN. If the representation is a string, the 802.1x agent searches each FortiGate VLAN description field and, if a match is found, synchronizes the FortiGate interface name to the switch's VLAN description. If no match is found, it will generate a syslog error stating that the VLAN string was not found, the assingment could not be made, and the result is treated as in unauthorized or a failure.
To configure dynamic VLAN name assignment:
- Configure a RADIUS server:
- Set Tunnel-Type to "VLAN"
- Set Tunnel-Medium-Type to "IEEE-802"
- Set Tunnel-Private-Group-Id to "my.vlan.10"
Designate the VLAN name instead of VLAN ID.
- Configure the FortiGate:
config system interface edit "my.vlan.10" set vdom "root" set ip 126.96.36.199 255.255.255.0 set allowaccess ping set interface "my.fortlink" set vlanid 10 next end
- Configure the FortiSwitch:
config switch vlan edit 10 set description "my.vlan.10" next end