CLI Reference

config switch-controller security-policy 802-1X

Configure 802.1x MAC Authentication Bypass (MAB) policies.

config switch-controller security-policy 802-1X
    Description: Configure 802.1x MAC Authentication Bypass (MAB) policies.
    edit <name>
        set allow-mac-move [disable|enable]
        set auth-fail-vlan [disable|enable]
        set auth-fail-vlan-id {string}
        set auth-order [dot1x-mab|mab-dot1x|...]
        set auth-priority [legacy|dot1x-mab|...]
        set authserver-timeout-period {integer}
        set authserver-timeout-tagged [disable|lldp-voice|...]
        set authserver-timeout-tagged-vlanid {string}
        set authserver-timeout-vlan [disable|enable]
        set authserver-timeout-vlanid {string}
        set client-limit {integer}
        set dacl [disable|enable]
        set eap-auto-untagged-vlans [disable|enable]
        set eap-egress-tagged [disable|enable]
        set eap-passthru [disable|enable]
        set framevid-apply [disable|enable]
        set guest-auth-delay {integer}
        set guest-vlan [disable|enable]
        set guest-vlan-id {string}
        set mac-auth-bypass [disable|enable]
        set open-auth [disable|enable]
        set policy-type {option}
        set radius-timeout-overwrite [disable|enable]
        set security-mode [802.1X|802.1X-mac-based]
        set user-group <name1>, <name2>, ...
    next
end

config switch-controller security-policy 802-1X

Each entry below gives the parameter, its description, type, size and default, and, for option types, the accepted values.

allow-mac-move *
    Enable/disable MAC move (default = enable).
    Type: option    Size: -    Default: enable
    Options:
        disable    Disable MAC move.
        enable     Enable MAC move.

auth-fail-vlan
    Enable to allow limited access to clients that cannot authenticate.
    Type: option    Size: -    Default: disable
    Options:
        disable    Disable authentication fail VLAN on this interface.
        enable     Enable authentication fail VLAN on this interface.

auth-fail-vlan-id
    Name of the VLAN assigned to clients that fail authentication.
    Type: string    Size: Maximum length: 15

auth-order
    Configure authentication order.
    Type: option    Size: -    Default: mab-dot1x
    Options:
        dot1x-mab    Use EAP 1X authentication first, then MAB.
        mab-dot1x    Use MAB authentication first, then EAP 1X.
        mab          Use MAB authentication only.

auth-priority
    Configure authentication priority.
    Type: option    Size: -    Default: legacy
    Options:
        legacy       EAP 1X authentication has a higher priority than MAB (legacy implementation).
        dot1x-mab    EAP 1X authentication has a higher priority than MAB.
        mab-dot1x    MAB authentication has a higher priority than EAP 1X.

authserver-timeout-period
    Authentication server timeout period (3 - 15 sec, default = 3).
    Type: integer    Size: Minimum value: 3, Maximum value: 15    Default: 3

authserver-timeout-tagged
    Configure the timeout option for the tagged VLAN, which allows limited access when the authentication server is unavailable.
    Type: option    Size: -    Default: disable
    Options:
        disable       Disable authentication server timeout on this interface.
        lldp-voice    LLDP voice timeout for the tagged VLAN on this interface.
        static        Static timeout for the tagged VLAN on this interface.

authserver-timeout-tagged-vlanid
    Tagged VLAN name to which the timeout option is applied (only one VLAN ID).
    Type: string    Size: Maximum length: 15

authserver-timeout-vlan
    Enable/disable the authentication server timeout VLAN to allow limited access when RADIUS is unavailable.
    Type: option    Size: -    Default: disable
    Options:
        disable    Disable authentication server timeout VLAN on this interface.
        enable     Enable authentication server timeout VLAN on this interface.

authserver-timeout-vlanid
    Authentication server timeout VLAN name.
    Type: string    Size: Maximum length: 15

client-limit *
    Configure the maximum number of endpoint devices this FortiGate unit will accept while configured in MAC mode.
    Type: integer    Size: Minimum value: 2, Maximum value: 20    Default: 20

dacl
    Enable/disable dynamic access control list on this interface.
    Type: option    Size: -    Default: disable
    Options:
        disable    Disable dynamic access control list on this interface.
        enable     Enable dynamic access control list on this interface.

eap-auto-untagged-vlans
    Enable/disable automatic inclusion of untagged VLANs.
    Type: option    Size: -    Default: enable
    Options:
        disable    Disable automatic inclusion of untagged VLANs.
        enable     Enable automatic inclusion of untagged VLANs.

eap-egress-tagged *
    Enable/disable egress frame tag (default = disable).
    Type: option    Size: -    Default: disable
    Options:
        disable    Disable egress frame tag.
        enable     Enable egress frame tag.

eap-passthru
    Enable/disable EAP pass-through mode, allowing protocols (such as LLDP) to pass through ports for more flexible authentication.
    Type: option    Size: -    Default: enable
    Options:
        disable    Disable EAP pass-through mode on this interface.
        enable     Enable EAP pass-through mode on this interface.

framevid-apply
    Enable/disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.
    Type: option    Size: -    Default: enable
    Options:
        disable    Disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.
        enable     Enable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

guest-auth-delay
    Guest authentication delay (1 - 900 sec, default = 30).
    Type: integer    Size: Minimum value: 1, Maximum value: 900    Default: 30

guest-vlan
    Enable the guest VLAN feature to allow limited access to non-802.1X-compliant clients.
    Type: option    Size: -    Default: disable
    Options:
        disable    Disable guest VLAN on this interface.
        enable     Enable guest VLAN on this interface.

guest-vlan-id
    Guest VLAN name.
    Type: string    Size: Maximum length: 15

mac-auth-bypass
    Enable/disable MAB for this policy.
    Type: option    Size: -    Default: disable
    Options:
        disable    Disable MAB.
        enable     Enable MAB.

name
    Policy name.
    Type: string    Size: Maximum length: 31

open-auth
    Enable/disable open authentication for this policy.
    Type: option    Size: -    Default: disable
    Options:
        disable    Disable open authentication.
        enable     Enable open authentication.

policy-type
    Policy type.
    Type: option    Size: -    Default: 802.1X
    Options:
        802.1X    802.1X security policy.

radius-timeout-overwrite
    Enable to override the global RADIUS session timeout.
    Type: option    Size: -    Default: disable
    Options:
        disable    Use the global RADIUS session timeout.
        enable     Override the global RADIUS session timeout.

security-mode
    Port or MAC based 802.1X security mode.
    Type: option    Size: -    Default: 802.1X
    Options:
        802.1X              802.1X port based authentication.
        802.1X-mac-based    802.1X MAC based authentication.

user-group <name>
    Name of user-group to assign to this MAC Authentication Bypass (MAB) policy.
    name
        Group name.
        Type: string    Size: Maximum length: 79

* This parameter may not exist in some models.
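Two policies built only from the parameters listed above, added here as an illustration and not taken from the Fortinet reference: a permissive monitor-only policy next to a hardened one. All VLAN and group names are placeholders, and the comment on what open-auth does reflects the usual meaning of open (monitor-mode) authentication rather than a statement from this page.

```fortios
config switch-controller security-policy 802-1X
    # Permissive policy: open-auth forwards traffic regardless of the
    # authentication result (assumed behaviour) and any non-802.1X
    # client lands in the guest VLAN. Suitable only for a monitor-only
    # rollout phase.
    edit "mab-monitor-only"
        set security-mode 802.1X-mac-based
        set mac-auth-bypass enable
        set open-auth enable
        set guest-vlan enable
        # "guest-vlan" and "mab-devices" are placeholder names
        set guest-vlan-id "guest-vlan"
        set user-group "mab-devices"
    next
    # Hardened policy: per-MAC authentication, EAP tried before MAB,
    # open auth off, MAC moves between ports blocked, a small client
    # limit, and failed or RADIUS-down clients held in restricted VLANs.
    edit "mab-enforced"
        set security-mode 802.1X-mac-based
        set mac-auth-bypass enable
        set auth-order dot1x-mab
        set auth-priority dot1x-mab
        set open-auth disable
        set allow-mac-move disable
        set client-limit 5
        set auth-fail-vlan enable
        # "quarantine" and "radius-down" are placeholder VLAN names
        set auth-fail-vlan-id "quarantine"
        set authserver-timeout-vlan enable
        set authserver-timeout-vlanid "radius-down"
        set authserver-timeout-period 5
        set guest-vlan disable
        set user-group "mab-devices"
    next
end
```

Note that allow-mac-move, client-limit and eap-egress-tagged are marked in the reference as absent on some models, so the hardened policy may need those lines dropped on such units.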
