Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    7.0.7
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    config switch-controller security-policy 802-1X

    config switch-controller security-policy 802-1X

    Configure 802.1x MAC Authentication Bypass (MAB) policies.

    config switch-controller security-policy 802-1X

    Description: Configure 802.1x MAC Authentication Bypass (MAB) policies.

    edit <name>

    set security-mode [802.1X|802.1X-mac-based]

    set user-group <name1>, <name2>, ...

    set mac-auth-bypass [disable|enable]

    set open-auth [disable|enable]

    set eap-passthru [disable|enable]

    set eap-auto-untagged-vlans [disable|enable]

    set guest-vlan [disable|enable]

    set guest-vlan-id {string}

    set guest-auth-delay {integer}

    set auth-fail-vlan [disable|enable]

    set auth-fail-vlan-id {string}

    set framevid-apply [disable|enable]

    set radius-timeout-overwrite [disable|enable]

    set policy-type {option}

    set authserver-timeout-period {integer}

    set authserver-timeout-vlan [disable|enable]

    set authserver-timeout-vlanid {string}

    next

    end

    config switch-controller security-policy 802-1X

    Parameter

    Description

    Type

    Size

    Default

    security-mode

    Port or MAC based 802.1X security mode.

    option

    -

    802.1X

    Option

    Description

    802.1X

    802.1X port based authentication.

    802.1X-mac-based

    802.1X MAC based authentication.

    user-group <name>

    Name of user-group to assign to this MAC Authentication Bypass (MAB) policy.

    Group name.

    string

    Maximum length: 79

    mac-auth-bypass

    Enable/disable MAB for this policy.

    option

    -

    disable

    Option

    Description

    disable

    Disable MAB.

    enable

    Enable MAB.

    open-auth

    Enable/disable open authentication for this policy.

    option

    -

    disable

    Option

    Description

    disable

    Disable open authentication.

    enable

    Enable open authentication.

    eap-passthru

    Enable/disable EAP pass-through mode, allowing protocols (such as LLDP) to pass through ports for more flexible authentication.

    option

    -

    enable

    Option

    Description

    disable

    Disable EAP pass-through mode on this interface.

    enable

    Enable EAP pass-through mode on this interface.

    eap-auto-untagged-vlans

    Enable/disable automatic inclusion of untagged VLANs.

    option

    -

    enable

    Option

    Description

    disable

    Disable automatic inclusion of untagged VLANs.

    enable

    Enable automatic inclusion of untagged VLANs.

    guest-vlan

    Enable the guest VLAN feature to allow limited access to non-802.1X-compliant clients.

    option

    -

    disable

    Option

    Description

    disable

    Disable guest VLAN on this interface.

    enable

    Enable guest VLAN on this interface.

    guest-vlan-id

    Guest VLAN name.

    string

    Maximum length: 15

    guest-auth-delay

    Guest authentication delay .

    integer

    Minimum value: 1 Maximum value: 900

    30

    auth-fail-vlan

    Enable to allow limited access to clients that cannot authenticate.

    option

    -

    disable

    Option

    Description

    disable

    Disable authentication fail VLAN on this interface.

    enable

    Enable authentication fail VLAN on this interface.

    auth-fail-vlan-id

    VLAN ID on which authentication failed.

    string

    Maximum length: 15

    framevid-apply

    Enable/disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

    option

    -

    enable

    Option

    Description

    disable

    Disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

    enable

    Enable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

    radius-timeout-overwrite

    Enable to override the global RADIUS session timeout.

    option

    -

    disable

    Option

    Description

    disable

    Override the global RADIUS session timeout.

    enable

    Use the global RADIUS session timeout.

    policy-type

    Policy type.

    option

    -

    802.1X

    Option

    Description

    802.1X

    802.1X security policy.

    authserver-timeout-period

    Authentication server timeout period .

    integer

    Minimum value: 3 Maximum value: 15

    3

    authserver-timeout-vlan

    Enable/disable the authentication server timeout VLAN to allow limited access when RADIUS is unavailable.

    option

    -

    disable

    Option

    Description

    disable

    Disable authentication server timeout VLAN on this interface.

    enable

    Enable authentication server timeout VLAN on this interface.

    authserver-timeout-vlanid

    Authentication server timeout VLAN name.

    string

    Maximum length: 15

    Previous
    Next

    config switch-controller security-policy 802-1X

    config switch-controller security-policy 802-1X

    Configure 802.1x MAC Authentication Bypass (MAB) policies.

    config switch-controller security-policy 802-1X

    Description: Configure 802.1x MAC Authentication Bypass (MAB) policies.

    edit <name>

    set security-mode [802.1X|802.1X-mac-based]

    set user-group <name1>, <name2>, ...

    set mac-auth-bypass [disable|enable]

    set open-auth [disable|enable]

    set eap-passthru [disable|enable]

    set eap-auto-untagged-vlans [disable|enable]

    set guest-vlan [disable|enable]

    set guest-vlan-id {string}

    set guest-auth-delay {integer}

    set auth-fail-vlan [disable|enable]

    set auth-fail-vlan-id {string}

    set framevid-apply [disable|enable]

    set radius-timeout-overwrite [disable|enable]

    set policy-type {option}

    set authserver-timeout-period {integer}

    set authserver-timeout-vlan [disable|enable]

    set authserver-timeout-vlanid {string}

    next

    end

    config switch-controller security-policy 802-1X

    Parameter

    Description

    Type

    Size

    Default

    security-mode

    Port or MAC based 802.1X security mode.

    option

    -

    802.1X

    Option

    Description

    802.1X

    802.1X port based authentication.

    802.1X-mac-based

    802.1X MAC based authentication.

    user-group <name>

    Name of user-group to assign to this MAC Authentication Bypass (MAB) policy.

    Group name.

    string

    Maximum length: 79

    mac-auth-bypass

    Enable/disable MAB for this policy.

    option

    -

    disable

    Option

    Description

    disable

    Disable MAB.

    enable

    Enable MAB.

    open-auth

    Enable/disable open authentication for this policy.

    option

    -

    disable

    Option

    Description

    disable

    Disable open authentication.

    enable

    Enable open authentication.

    eap-passthru

    Enable/disable EAP pass-through mode, allowing protocols (such as LLDP) to pass through ports for more flexible authentication.

    option

    -

    enable

    Option

    Description

    disable

    Disable EAP pass-through mode on this interface.

    enable

    Enable EAP pass-through mode on this interface.

    eap-auto-untagged-vlans

    Enable/disable automatic inclusion of untagged VLANs.

    option

    -

    enable

    Option

    Description

    disable

    Disable automatic inclusion of untagged VLANs.

    enable

    Enable automatic inclusion of untagged VLANs.

    guest-vlan

    Enable the guest VLAN feature to allow limited access to non-802.1X-compliant clients.

    option

    -

    disable

    Option

    Description

    disable

    Disable guest VLAN on this interface.

    enable

    Enable guest VLAN on this interface.

    guest-vlan-id

    Guest VLAN name.

    string

    Maximum length: 15

    guest-auth-delay

    Guest authentication delay .

    integer

    Minimum value: 1 Maximum value: 900

    30

    auth-fail-vlan

    Enable to allow limited access to clients that cannot authenticate.

    option

    -

    disable

    Option

    Description

    disable

    Disable authentication fail VLAN on this interface.

    enable

    Enable authentication fail VLAN on this interface.

    auth-fail-vlan-id

    VLAN ID on which authentication failed.

    string

    Maximum length: 15

    framevid-apply

    Enable/disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

    option

    -

    enable

    Option

    Description

    disable

    Disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

    enable

    Enable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

    radius-timeout-overwrite

    Enable to override the global RADIUS session timeout.

    option

    -

    disable

    Option

    Description

    disable

    Override the global RADIUS session timeout.

    enable

    Use the global RADIUS session timeout.

    policy-type

    Policy type.

    option

    -

    802.1X

    Option

    Description

    802.1X

    802.1X security policy.

    authserver-timeout-period

    Authentication server timeout period .

    integer

    Minimum value: 3 Maximum value: 15

    3

    authserver-timeout-vlan

    Enable/disable the authentication server timeout VLAN to allow limited access when RADIUS is unavailable.

    option

    -

    disable

    Option

    Description

    disable

    Disable authentication server timeout VLAN on this interface.

    enable

    Enable authentication server timeout VLAN on this interface.

    authserver-timeout-vlanid

    Authentication server timeout VLAN name.

    string

    Maximum length: 15

    Previous
    Next