Fortinet white logo
Fortinet white logo

CLI Reference

config switch-controller security-policy 802-1X

config switch-controller security-policy 802-1X

Note

This command is available for model(s): FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 100F, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 120G, FortiGate 121G, FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F, FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F DSL, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 900G, FortiGate 901G, FortiGate 90G, FortiGate 91E, FortiGate 91G, FortiGate VM for AWS, FortiGate VM for Azure, FortiGate VM64, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R 3G4G DSL, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G DSL, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

It is not available for: FortiGate 5001E1, FortiGate 5001E.

Configure 802.1x MAC Authentication Bypass (MAB) policies.

config switch-controller security-policy 802-1X
    Description: Configure 802.1x MAC Authentication Bypass (MAB) policies.
    edit <name>
        set auth-fail-vlan [disable|enable]
        set auth-fail-vlan-id {string}
        set authserver-timeout-period {integer}
        set authserver-timeout-tagged [disable|lldp-voice|...]
        set authserver-timeout-tagged-vlanid {string}
        set authserver-timeout-vlan [disable|enable]
        set authserver-timeout-vlanid {string}
        set dacl [disable|enable]
        set eap-auto-untagged-vlans [disable|enable]
        set eap-passthru [disable|enable]
        set framevid-apply [disable|enable]
        set guest-auth-delay {integer}
        set guest-vlan [disable|enable]
        set guest-vlan-id {string}
        set mac-auth-bypass [disable|enable]
        set open-auth [disable|enable]
        set policy-type {option}
        set radius-timeout-overwrite [disable|enable]
        set security-mode [802.1X|802.1X-mac-based]
        set user-group <name1>, <name2>, ...
    next
end

config switch-controller security-policy 802-1X

Parameter

Description

Type

Size

Default

auth-fail-vlan

Enable to allow limited access to clients that cannot authenticate.

option

-

disable

Option

Description

disable

Disable authentication fail VLAN on this interface.

enable

Enable authentication fail VLAN on this interface.

auth-fail-vlan-id

VLAN ID on which authentication failed.

string

Maximum length: 15

authserver-timeout-period

Authentication server timeout period.

integer

Minimum value: 3 Maximum value: 15

3

authserver-timeout-tagged

Configure timeout option for the tagged VLAN which allows limited access when the authentication server is unavailable.

option

-

disable

Option

Description

disable

Disable authentication server timeout on this interface.

lldp-voice

LLDP voice timeout for the tagged VLAN on this interface.

static

Static timeout for the tagged VLAN on this interface.

authserver-timeout-tagged-vlanid

Tagged VLAN name for which the timeout option is applied to (only one VLAN ID).

string

Maximum length: 15

authserver-timeout-vlan

Enable/disable the authentication server timeout VLAN to allow limited access when RADIUS is unavailable.

option

-

disable

Option

Description

disable

Disable authentication server timeout VLAN on this interface.

enable

Enable authentication server timeout VLAN on this interface.

authserver-timeout-vlanid

Authentication server timeout VLAN name.

string

Maximum length: 15

dacl

Enable/disable dynamic access control list on this interface.

option

-

disable

Option

Description

disable

Disable dynamic access control list on this interface.

enable

Enable dynamic access control on this interface.

eap-auto-untagged-vlans

Enable/disable automatic inclusion of untagged VLANs.

option

-

enable

Option

Description

disable

Disable automatic inclusion of untagged VLANs.

enable

Enable automatic inclusion of untagged VLANs.

eap-passthru

Enable/disable EAP pass-through mode, allowing protocols (such as LLDP) to pass through ports for more flexible authentication.

option

-

enable

Option

Description

disable

Disable EAP pass-through mode on this interface.

enable

Enable EAP pass-through mode on this interface.

framevid-apply

Enable/disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

option

-

enable

Option

Description

disable

Disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

enable

Enable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

guest-auth-delay

Guest authentication delay.

integer

Minimum value: 1 Maximum value: 900

30

guest-vlan

Enable the guest VLAN feature to allow limited access to non-802.1X-compliant clients.

option

-

disable

Option

Description

disable

Disable guest VLAN on this interface.

enable

Enable guest VLAN on this interface.

guest-vlan-id

Guest VLAN name.

string

Maximum length: 15

mac-auth-bypass

Enable/disable MAB for this policy.

option

-

disable

Option

Description

disable

Disable MAB.

enable

Enable MAB.

name

Policy name.

string

Maximum length: 31

open-auth

Enable/disable open authentication for this policy.

option

-

disable

Option

Description

disable

Disable open authentication.

enable

Enable open authentication.

policy-type

Policy type.

option

-

802.1X

Option

Description

802.1X

802.1X security policy.

radius-timeout-overwrite

Enable to override the global RADIUS session timeout.

option

-

disable

Option

Description

disable

Override the global RADIUS session timeout.

enable

Use the global RADIUS session timeout.

security-mode

Port or MAC based 802.1X security mode.

option

-

802.1X

Option

Description

802.1X

802.1X port based authentication.

802.1X-mac-based

802.1X MAC based authentication.

user-group <name>

Name of user-group to assign to this MAC Authentication Bypass (MAB) policy.

Group name.

string

Maximum length: 79

config switch-controller security-policy 802-1X

config switch-controller security-policy 802-1X

Note

This command is available for model(s): FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 100F, FortiGate 101F, FortiGate 1100E, FortiGate 1101E, FortiGate 120G, FortiGate 121G, FortiGate 140E-POE, FortiGate 140E, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F, FortiGate 201E, FortiGate 201F, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000D, FortiGate 3000F, FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 3100D, FortiGate 3200D, FortiGate 3200F, FortiGate 3201F, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3500F, FortiGate 3501F, FortiGate 3600E, FortiGate 3601E, FortiGate 3700D, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F, FortiGate 4400F, FortiGate 4401F, FortiGate 500E, FortiGate 501E, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60E DSLJ, FortiGate 60E DSL, FortiGate 60E-POE, FortiGate 60E, FortiGate 60F, FortiGate 61E, FortiGate 61F, FortiGate 70F, FortiGate 71F, FortiGate 800D, FortiGate 80E-POE, FortiGate 80E, FortiGate 80F Bypass, FortiGate 80F DSL, FortiGate 80F-POE, FortiGate 80F, FortiGate 81E-POE, FortiGate 81E, FortiGate 81F-POE, FortiGate 81F, FortiGate 900D, FortiGate 900G, FortiGate 901G, FortiGate 90G, FortiGate 91E, FortiGate 91G, FortiGate VM for AWS, FortiGate VM for Azure, FortiGate VM64, FortiGateRugged 60F 3G4G, FortiGateRugged 60F, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 60E DSLJ, FortiWiFi 60E DSL, FortiWiFi 60E, FortiWiFi 60F, FortiWiFi 61E, FortiWiFi 61F, FortiWiFi 80F 2R 3G4G DSL, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G DSL, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.

It is not available for: FortiGate 5001E1, FortiGate 5001E.

Configure 802.1x MAC Authentication Bypass (MAB) policies.

config switch-controller security-policy 802-1X
    Description: Configure 802.1x MAC Authentication Bypass (MAB) policies.
    edit <name>
        set auth-fail-vlan [disable|enable]
        set auth-fail-vlan-id {string}
        set authserver-timeout-period {integer}
        set authserver-timeout-tagged [disable|lldp-voice|...]
        set authserver-timeout-tagged-vlanid {string}
        set authserver-timeout-vlan [disable|enable]
        set authserver-timeout-vlanid {string}
        set dacl [disable|enable]
        set eap-auto-untagged-vlans [disable|enable]
        set eap-passthru [disable|enable]
        set framevid-apply [disable|enable]
        set guest-auth-delay {integer}
        set guest-vlan [disable|enable]
        set guest-vlan-id {string}
        set mac-auth-bypass [disable|enable]
        set open-auth [disable|enable]
        set policy-type {option}
        set radius-timeout-overwrite [disable|enable]
        set security-mode [802.1X|802.1X-mac-based]
        set user-group <name1>, <name2>, ...
    next
end

config switch-controller security-policy 802-1X

Parameter

Description

Type

Size

Default

auth-fail-vlan

Enable to allow limited access to clients that cannot authenticate.

option

-

disable

Option

Description

disable

Disable authentication fail VLAN on this interface.

enable

Enable authentication fail VLAN on this interface.

auth-fail-vlan-id

VLAN ID on which authentication failed.

string

Maximum length: 15

authserver-timeout-period

Authentication server timeout period.

integer

Minimum value: 3 Maximum value: 15

3

authserver-timeout-tagged

Configure timeout option for the tagged VLAN which allows limited access when the authentication server is unavailable.

option

-

disable

Option

Description

disable

Disable authentication server timeout on this interface.

lldp-voice

LLDP voice timeout for the tagged VLAN on this interface.

static

Static timeout for the tagged VLAN on this interface.

authserver-timeout-tagged-vlanid

Tagged VLAN name for which the timeout option is applied to (only one VLAN ID).

string

Maximum length: 15

authserver-timeout-vlan

Enable/disable the authentication server timeout VLAN to allow limited access when RADIUS is unavailable.

option

-

disable

Option

Description

disable

Disable authentication server timeout VLAN on this interface.

enable

Enable authentication server timeout VLAN on this interface.

authserver-timeout-vlanid

Authentication server timeout VLAN name.

string

Maximum length: 15

dacl

Enable/disable dynamic access control list on this interface.

option

-

disable

Option

Description

disable

Disable dynamic access control list on this interface.

enable

Enable dynamic access control on this interface.

eap-auto-untagged-vlans

Enable/disable automatic inclusion of untagged VLANs.

option

-

enable

Option

Description

disable

Disable automatic inclusion of untagged VLANs.

enable

Enable automatic inclusion of untagged VLANs.

eap-passthru

Enable/disable EAP pass-through mode, allowing protocols (such as LLDP) to pass through ports for more flexible authentication.

option

-

enable

Option

Description

disable

Disable EAP pass-through mode on this interface.

enable

Enable EAP pass-through mode on this interface.

framevid-apply

Enable/disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

option

-

enable

Option

Description

disable

Disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

enable

Enable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

guest-auth-delay

Guest authentication delay.

integer

Minimum value: 1 Maximum value: 900

30

guest-vlan

Enable the guest VLAN feature to allow limited access to non-802.1X-compliant clients.

option

-

disable

Option

Description

disable

Disable guest VLAN on this interface.

enable

Enable guest VLAN on this interface.

guest-vlan-id

Guest VLAN name.

string

Maximum length: 15

mac-auth-bypass

Enable/disable MAB for this policy.

option

-

disable

Option

Description

disable

Disable MAB.

enable

Enable MAB.

name

Policy name.

string

Maximum length: 31

open-auth

Enable/disable open authentication for this policy.

option

-

disable

Option

Description

disable

Disable open authentication.

enable

Enable open authentication.

policy-type

Policy type.

option

-

802.1X

Option

Description

802.1X

802.1X security policy.

radius-timeout-overwrite

Enable to override the global RADIUS session timeout.

option

-

disable

Option

Description

disable

Override the global RADIUS session timeout.

enable

Use the global RADIUS session timeout.

security-mode

Port or MAC based 802.1X security mode.

option

-

802.1X

Option

Description

802.1X

802.1X port based authentication.

802.1X-mac-based

802.1X MAC based authentication.

user-group <name>

Name of user-group to assign to this MAC Authentication Bypass (MAB) policy.

Group name.

string

Maximum length: 79