Fortinet white logo
Fortinet white logo

CLI Reference

config switch-controller security-policy 802-1X

config switch-controller security-policy 802-1X

Configure 802.1x MAC Authentication Bypass (MAB) policies.

config switch-controller security-policy 802-1X

Description: Configure 802.1x MAC Authentication Bypass (MAB) policies.

edit <name>

set security-mode [802.1X|802.1X-mac-based]

set user-group <name1>, <name2>, ...

set mac-auth-bypass [disable|enable]

set open-auth [disable|enable]

set eap-passthru [disable|enable]

set eap-auto-untagged-vlans [disable|enable]

set guest-vlan [disable|enable]

set guest-vlan-id {string}

set guest-auth-delay {integer}

set auth-fail-vlan [disable|enable]

set auth-fail-vlan-id {string}

set framevid-apply [disable|enable]

set radius-timeout-overwrite [disable|enable]

set policy-type {option}

set authserver-timeout-period {integer}

set authserver-timeout-vlan [disable|enable]

set authserver-timeout-vlanid {string}

next

end

config switch-controller security-policy 802-1X

Parameter

Description

Type

Size

Default

security-mode

Port or MAC based 802.1X security mode.

option

-

802.1X

Option

Description

802.1X

802.1X port based authentication.

802.1X-mac-based

802.1X MAC based authentication.

user-group <name>

Name of user-group to assign to this MAC Authentication Bypass (MAB) policy.

Group name.

string

Maximum length: 79

mac-auth-bypass

Enable/disable MAB for this policy.

option

-

disable

Option

Description

disable

Disable MAB.

enable

Enable MAB.

open-auth

Enable/disable open authentication for this policy.

option

-

disable

Option

Description

disable

Disable open authentication.

enable

Enable open authentication.

eap-passthru

Enable/disable EAP pass-through mode, allowing protocols (such as LLDP) to pass through ports for more flexible authentication.

option

-

enable

Option

Description

disable

Disable EAP pass-through mode on this interface.

enable

Enable EAP pass-through mode on this interface.

eap-auto-untagged-vlans

Enable/disable automatic inclusion of untagged VLANs.

option

-

enable

Option

Description

disable

Disable automatic inclusion of untagged VLANs.

enable

Enable automatic inclusion of untagged VLANs.

guest-vlan

Enable the guest VLAN feature to allow limited access to non-802.1X-compliant clients.

option

-

disable

Option

Description

disable

Disable guest VLAN on this interface.

enable

Enable guest VLAN on this interface.

guest-vlan-id

Guest VLAN name.

string

Not Specified

guest-auth-delay

Guest authentication delay .

integer

Minimum value: 1 Maximum value: 900

30

auth-fail-vlan

Enable to allow limited access to clients that cannot authenticate.

option

-

disable

Option

Description

disable

Disable authentication fail VLAN on this interface.

enable

Enable authentication fail VLAN on this interface.

auth-fail-vlan-id

VLAN ID on which authentication failed.

string

Not Specified

framevid-apply

Enable/disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

option

-

enable

Option

Description

disable

Disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

enable

Enable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

radius-timeout-overwrite

Enable to override the global RADIUS session timeout.

option

-

disable

Option

Description

disable

Override the global RADIUS session timeout.

enable

Use the global RADIUS session timeout.

policy-type

Policy type.

option

-

802.1X

Option

Description

802.1X

802.1X security policy.

authserver-timeout-period

Authentication server timeout period .

integer

Minimum value: 3 Maximum value: 15

3

authserver-timeout-vlan

Enable/disable the authentication server timeout VLAN to allow limited access when RADIUS is unavailable.

option

-

disable

Option

Description

disable

Disable authentication server timeout VLAN on this interface.

enable

Enable authentication server timeout VLAN on this interface.

authserver-timeout-vlanid

Authentication server timeout VLAN name.

string

Not Specified

config switch-controller security-policy 802-1X

config switch-controller security-policy 802-1X

Configure 802.1x MAC Authentication Bypass (MAB) policies.

config switch-controller security-policy 802-1X

Description: Configure 802.1x MAC Authentication Bypass (MAB) policies.

edit <name>

set security-mode [802.1X|802.1X-mac-based]

set user-group <name1>, <name2>, ...

set mac-auth-bypass [disable|enable]

set open-auth [disable|enable]

set eap-passthru [disable|enable]

set eap-auto-untagged-vlans [disable|enable]

set guest-vlan [disable|enable]

set guest-vlan-id {string}

set guest-auth-delay {integer}

set auth-fail-vlan [disable|enable]

set auth-fail-vlan-id {string}

set framevid-apply [disable|enable]

set radius-timeout-overwrite [disable|enable]

set policy-type {option}

set authserver-timeout-period {integer}

set authserver-timeout-vlan [disable|enable]

set authserver-timeout-vlanid {string}

next

end

config switch-controller security-policy 802-1X

Parameter

Description

Type

Size

Default

security-mode

Port or MAC based 802.1X security mode.

option

-

802.1X

Option

Description

802.1X

802.1X port based authentication.

802.1X-mac-based

802.1X MAC based authentication.

user-group <name>

Name of user-group to assign to this MAC Authentication Bypass (MAB) policy.

Group name.

string

Maximum length: 79

mac-auth-bypass

Enable/disable MAB for this policy.

option

-

disable

Option

Description

disable

Disable MAB.

enable

Enable MAB.

open-auth

Enable/disable open authentication for this policy.

option

-

disable

Option

Description

disable

Disable open authentication.

enable

Enable open authentication.

eap-passthru

Enable/disable EAP pass-through mode, allowing protocols (such as LLDP) to pass through ports for more flexible authentication.

option

-

enable

Option

Description

disable

Disable EAP pass-through mode on this interface.

enable

Enable EAP pass-through mode on this interface.

eap-auto-untagged-vlans

Enable/disable automatic inclusion of untagged VLANs.

option

-

enable

Option

Description

disable

Disable automatic inclusion of untagged VLANs.

enable

Enable automatic inclusion of untagged VLANs.

guest-vlan

Enable the guest VLAN feature to allow limited access to non-802.1X-compliant clients.

option

-

disable

Option

Description

disable

Disable guest VLAN on this interface.

enable

Enable guest VLAN on this interface.

guest-vlan-id

Guest VLAN name.

string

Not Specified

guest-auth-delay

Guest authentication delay .

integer

Minimum value: 1 Maximum value: 900

30

auth-fail-vlan

Enable to allow limited access to clients that cannot authenticate.

option

-

disable

Option

Description

disable

Disable authentication fail VLAN on this interface.

enable

Enable authentication fail VLAN on this interface.

auth-fail-vlan-id

VLAN ID on which authentication failed.

string

Not Specified

framevid-apply

Enable/disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

option

-

enable

Option

Description

disable

Disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

enable

Enable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

radius-timeout-overwrite

Enable to override the global RADIUS session timeout.

option

-

disable

Option

Description

disable

Override the global RADIUS session timeout.

enable

Use the global RADIUS session timeout.

policy-type

Policy type.

option

-

802.1X

Option

Description

802.1X

802.1X security policy.

authserver-timeout-period

Authentication server timeout period .

integer

Minimum value: 3 Maximum value: 15

3

authserver-timeout-vlan

Enable/disable the authentication server timeout VLAN to allow limited access when RADIUS is unavailable.

option

-

disable

Option

Description

disable

Disable authentication server timeout VLAN on this interface.

enable

Enable authentication server timeout VLAN on this interface.

authserver-timeout-vlanid

Authentication server timeout VLAN name.

string

Not Specified