Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 8.0.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    8.0.0
    8.0.0
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.16
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.17
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    config switch-controller security-policy 802-1X

    config switch-controller security-policy 802-1X

    Configure 802.1x MAC Authentication Bypass (MAB) policies.

    config switch-controller security-policy 802-1X
    Description: Configure 802.1x MAC Authentication Bypass (MAB) policies.
    edit <name>
        set allow-mac-move [disable|enable]
        set auth-fail-vlan [disable|enable]
        set auth-fail-vlan-id {string}
        set auth-order [dot1x-mab|mab-dot1x|...]
        set auth-priority [legacy|dot1x-mab|...]
        set authserver-timeout-period {integer}
        set authserver-timeout-tagged [disable|lldp-voice|...]
        set authserver-timeout-tagged-vlanid {string}
        set authserver-timeout-vlan [disable|enable]
        set authserver-timeout-vlanid {string}
        set client-limit {integer}
        set dacl [disable|enable]
        set eap-auto-untagged-vlans [disable|enable]
        set eap-egress-tagged [disable|enable]
        set eap-passthru [disable|enable]
        set framevid-apply [disable|enable]
        set guest-auth-delay {integer}
        set guest-vlan [disable|enable]
        set guest-vlan-id {string}
        set mac-auth-bypass [disable|enable]
        set open-auth [disable|enable]
        set policy-type {option}
        set radius-timeout-overwrite [disable|enable]
        set security-mode [802.1X|802.1X-mac-based]
        set user-group <name1>, <name2>, ...
    next
end

    config switch-controller security-policy 802-1X

    Parameter

    Description

    Type

    Size

    Default

    allow-mac-move *

    Enable/disable MAC move (default = enable).

    option

    -

    enable

    Option

    Description

    disable

    Disable MAC move.

    enable

    Enable MAC move.

    auth-fail-vlan

    Enable to allow limited access to clients that cannot authenticate.

    option

    -

    disable

    Option

    Description

    disable

    Disable authentication fail VLAN on this interface.

    enable

    Enable authentication fail VLAN on this interface.

    auth-fail-vlan-id

    VLAN ID on which authentication failed.

    string

    Maximum length: 15

    auth-order

    Configure authentication order.

    option

    -

    mab-dot1x

    Option

    Description

    dot1x-mab

    Use EAP 1X authentication first then MAB.

    mab-dot1x

    Use MAB authentication first then EAP 1X.

    mab

    Use MAB authentication only.

    auth-priority

    Configure authentication priority.

    option

    -

    legacy

    Option

    Description

    legacy

    EAP 1X authentication has a higher priority than MAB with the legacy implementation.

    dot1x-mab

    EAP 1X authentication has a higher priority than MAB.

    mab-dot1x

    MAB authentication has a higher priority than EAP 1X.

    authserver-timeout-period

    Authentication server timeout period (3 - 15 sec, default = 3).

    integer

    Minimum value: 3 Maximum value: 15

    3

    authserver-timeout-tagged

    Configure timeout option for the tagged VLAN which allows limited access when the authentication server is unavailable.

    option

    -

    disable

    Option

    Description

    disable

    Disable authentication server timeout on this interface.

    lldp-voice

    LLDP voice timeout for the tagged VLAN on this interface.

    static

    Static timeout for the tagged VLAN on this interface.

    authserver-timeout-tagged-vlanid

    Tagged VLAN name for which the timeout option is applied to (only one VLAN ID).

    string

    Maximum length: 15

    authserver-timeout-vlan

    Enable/disable the authentication server timeout VLAN to allow limited access when RADIUS is unavailable.

    option

    -

    disable

    Option

    Description

    disable

    Disable authentication server timeout VLAN on this interface.

    enable

    Enable authentication server timeout VLAN on this interface.

    authserver-timeout-vlanid

    Authentication server timeout VLAN name.

    string

    Maximum length: 15

    client-limit *

    Configure the maximum number of endpoint devices this FortiGate unit will accept while configured in MAC mode.

    integer

    Minimum value: 2 Maximum value: 20

    20

    dacl

    Enable/disable dynamic access control list on this interface.

    option

    -

    disable

    Option

    Description

    disable

    Disable dynamic access control list on this interface.

    enable

    Enable dynamic access control on this interface.

    eap-auto-untagged-vlans

    Enable/disable automatic inclusion of untagged VLANs.

    option

    -

    enable

    Option

    Description

    disable

    Disable automatic inclusion of untagged VLANs.

    enable

    Enable automatic inclusion of untagged VLANs.

    eap-egress-tagged *

    Enable/disable egress frame tag (default = disable).

    option

    -

    disable

    Option

    Description

    disable

    Disable egress frame tag.

    enable

    Enable egress frame tag.

    eap-passthru

    Enable/disable EAP pass-through mode, allowing protocols (such as LLDP) to pass through ports for more flexible authentication.

    option

    -

    enable

    Option

    Description

    disable

    Disable EAP pass-through mode on this interface.

    enable

    Enable EAP pass-through mode on this interface.

    framevid-apply

    Enable/disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

    option

    -

    enable

    Option

    Description

    disable

    Disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

    enable

    Enable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

    guest-auth-delay

    Guest authentication delay (1 - 900 sec, default = 30).

    integer

    Minimum value: 1 Maximum value: 900

    30

    guest-vlan

    Enable the guest VLAN feature to allow limited access to non-802.1X-compliant clients.

    option

    -

    disable

    Option

    Description

    disable

    Disable guest VLAN on this interface.

    enable

    Enable guest VLAN on this interface.

    guest-vlan-id

    Guest VLAN name.

    string

    Maximum length: 15

    mac-auth-bypass

    Enable/disable MAB for this policy.

    option

    -

    disable

    Option

    Description

    disable

    Disable MAB.

    enable

    Enable MAB.

    name

    Policy name.

    string

    Maximum length: 31

    open-auth

    Enable/disable open authentication for this policy.

    option

    -

    disable

    Option

    Description

    disable

    Disable open authentication.

    enable

    Enable open authentication.

    policy-type

    Policy type.

    option

    -

    802.1X

    Option

    Description

    802.1X

    802.1X security policy.

    radius-timeout-overwrite

    Enable to override the global RADIUS session timeout.

    option

    -

    disable

    Option

    Description

    disable

    Override the global RADIUS session timeout.

    enable

    Use the global RADIUS session timeout.

    security-mode

    Port or MAC based 802.1X security mode.

    option

    -

    802.1X

    Option

    Description

    802.1X

    802.1X port based authentication.

    802.1X-mac-based

    802.1X MAC based authentication.

    user-group <name>

    Name of user-group to assign to this MAC Authentication Bypass (MAB) policy.

    Group name.

    string

    Maximum length: 79

    * This parameter may not exist in some models.

    Previous
    Next

    config switch-controller security-policy 802-1X

    config switch-controller security-policy 802-1X

    Configure 802.1x MAC Authentication Bypass (MAB) policies.

    config switch-controller security-policy 802-1X
    Description: Configure 802.1x MAC Authentication Bypass (MAB) policies.
    edit <name>
        set allow-mac-move [disable|enable]
        set auth-fail-vlan [disable|enable]
        set auth-fail-vlan-id {string}
        set auth-order [dot1x-mab|mab-dot1x|...]
        set auth-priority [legacy|dot1x-mab|...]
        set authserver-timeout-period {integer}
        set authserver-timeout-tagged [disable|lldp-voice|...]
        set authserver-timeout-tagged-vlanid {string}
        set authserver-timeout-vlan [disable|enable]
        set authserver-timeout-vlanid {string}
        set client-limit {integer}
        set dacl [disable|enable]
        set eap-auto-untagged-vlans [disable|enable]
        set eap-egress-tagged [disable|enable]
        set eap-passthru [disable|enable]
        set framevid-apply [disable|enable]
        set guest-auth-delay {integer}
        set guest-vlan [disable|enable]
        set guest-vlan-id {string}
        set mac-auth-bypass [disable|enable]
        set open-auth [disable|enable]
        set policy-type {option}
        set radius-timeout-overwrite [disable|enable]
        set security-mode [802.1X|802.1X-mac-based]
        set user-group <name1>, <name2>, ...
    next
end

    config switch-controller security-policy 802-1X

    Parameter

    Description

    Type

    Size

    Default

    allow-mac-move *

    Enable/disable MAC move (default = enable).

    option

    -

    enable

    Option

    Description

    disable

    Disable MAC move.

    enable

    Enable MAC move.

    auth-fail-vlan

    Enable to allow limited access to clients that cannot authenticate.

    option

    -

    disable

    Option

    Description

    disable

    Disable authentication fail VLAN on this interface.

    enable

    Enable authentication fail VLAN on this interface.

    auth-fail-vlan-id

    VLAN ID on which authentication failed.

    string

    Maximum length: 15

    auth-order

    Configure authentication order.

    option

    -

    mab-dot1x

    Option

    Description

    dot1x-mab

    Use EAP 1X authentication first then MAB.

    mab-dot1x

    Use MAB authentication first then EAP 1X.

    mab

    Use MAB authentication only.

    auth-priority

    Configure authentication priority.

    option

    -

    legacy

    Option

    Description

    legacy

    EAP 1X authentication has a higher priority than MAB with the legacy implementation.

    dot1x-mab

    EAP 1X authentication has a higher priority than MAB.

    mab-dot1x

    MAB authentication has a higher priority than EAP 1X.

    authserver-timeout-period

    Authentication server timeout period (3 - 15 sec, default = 3).

    integer

    Minimum value: 3 Maximum value: 15

    3

    authserver-timeout-tagged

    Configure timeout option for the tagged VLAN which allows limited access when the authentication server is unavailable.

    option

    -

    disable

    Option

    Description

    disable

    Disable authentication server timeout on this interface.

    lldp-voice

    LLDP voice timeout for the tagged VLAN on this interface.

    static

    Static timeout for the tagged VLAN on this interface.

    authserver-timeout-tagged-vlanid

    Tagged VLAN name for which the timeout option is applied to (only one VLAN ID).

    string

    Maximum length: 15

    authserver-timeout-vlan

    Enable/disable the authentication server timeout VLAN to allow limited access when RADIUS is unavailable.

    option

    -

    disable

    Option

    Description

    disable

    Disable authentication server timeout VLAN on this interface.

    enable

    Enable authentication server timeout VLAN on this interface.

    authserver-timeout-vlanid

    Authentication server timeout VLAN name.

    string

    Maximum length: 15

    client-limit *

    Configure the maximum number of endpoint devices this FortiGate unit will accept while configured in MAC mode.

    integer

    Minimum value: 2 Maximum value: 20

    20

    dacl

    Enable/disable dynamic access control list on this interface.

    option

    -

    disable

    Option

    Description

    disable

    Disable dynamic access control list on this interface.

    enable

    Enable dynamic access control on this interface.

    eap-auto-untagged-vlans

    Enable/disable automatic inclusion of untagged VLANs.

    option

    -

    enable

    Option

    Description

    disable

    Disable automatic inclusion of untagged VLANs.

    enable

    Enable automatic inclusion of untagged VLANs.

    eap-egress-tagged *

    Enable/disable egress frame tag (default = disable).

    option

    -

    disable

    Option

    Description

    disable

    Disable egress frame tag.

    enable

    Enable egress frame tag.

    eap-passthru

    Enable/disable EAP pass-through mode, allowing protocols (such as LLDP) to pass through ports for more flexible authentication.

    option

    -

    enable

    Option

    Description

    disable

    Disable EAP pass-through mode on this interface.

    enable

    Enable EAP pass-through mode on this interface.

    framevid-apply

    Enable/disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

    option

    -

    enable

    Option

    Description

    disable

    Disable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

    enable

    Enable the capability to apply the EAP/MAB frame VLAN to the port native VLAN.

    guest-auth-delay

    Guest authentication delay (1 - 900 sec, default = 30).

    integer

    Minimum value: 1 Maximum value: 900

    30

    guest-vlan

    Enable the guest VLAN feature to allow limited access to non-802.1X-compliant clients.

    option

    -

    disable

    Option

    Description

    disable

    Disable guest VLAN on this interface.

    enable

    Enable guest VLAN on this interface.

    guest-vlan-id

    Guest VLAN name.

    string

    Maximum length: 15

    mac-auth-bypass

    Enable/disable MAB for this policy.

    option

    -

    disable

    Option

    Description

    disable

    Disable MAB.

    enable

    Enable MAB.

    name

    Policy name.

    string

    Maximum length: 31

    open-auth

    Enable/disable open authentication for this policy.

    option

    -

    disable

    Option

    Description

    disable

    Disable open authentication.

    enable

    Enable open authentication.

    policy-type

    Policy type.

    option

    -

    802.1X

    Option

    Description

    802.1X

    802.1X security policy.

    radius-timeout-overwrite

    Enable to override the global RADIUS session timeout.

    option

    -

    disable

    Option

    Description

    disable

    Override the global RADIUS session timeout.

    enable

    Use the global RADIUS session timeout.

    security-mode

    Port or MAC based 802.1X security mode.

    option

    -

    802.1X

    Option

    Description

    802.1X

    802.1X port based authentication.

    802.1X-mac-based

    802.1X MAC based authentication.

    user-group <name>

    Name of user-group to assign to this MAC Authentication Bypass (MAB) policy.

    Group name.

    string

    Maximum length: 79

    * This parameter may not exist in some models.

    Previous
    Next