taylorm
Staff
March 27, 2026

Technical Tip: Enabling 802.1X on virtual switches within a software switch using explicit intra-switch policy

Description
This article describes how to configure 802.1X on virtual switches that are members of a software switch.
 
In earlier FortiOS versions, 802.1X authentication was not supported on virtual switches when they were added as members of a software switch.

Starting in FortiOS v7.4.10 and later (including v7.6.5), this limitation has been removed. It is now possible to enable 802.1X authentication on virtual switches within a software switch, provided that the software switch is configured with intra-switch-policy set to explicit.

This enhancement enables secure user authentication, dynamic VLAN assignment, and policy-based traffic control within software switch environments.
Scope
FortiOS v7.4.10 and later.
FortiOS v7.6.5 and later.
Solution
A software switch aggregates multiple interfaces into a single logical Layer 2 domain. Traffic between its members is governed by the intra-switch-policy setting:

Implicit (default):
Traffic between members is allowed automatically without requiring firewall policies.
 
Explicit:
Traffic between members requires firewall policies and is processed by the session table.

To support 802.1X authentication with dynamic VLAN assignment, the software switch must be configured in explicit mode, allowing traffic enforcement through firewall policies.
 
This feature is useful in deployments where multiple access interfaces need centralized authentication and segmentation, such as:
  • FortiAP Ethernet downlink ports (e.g., IP phone + workstation).
  • FortiSwitch ports connected to a FortiGate.
  • Branch environments that require identity-based VLAN assignment.

Example scenario:
A user connects a device to a FortiAP or FortiSwitch port. The port is part of a virtual switch. The virtual switch is part of a software switch. 802.1X authenticates the user via RADIUS. The user is assigned a VLAN dynamically.
 
Step 1: Create a virtual switch.
 
config system virtual-switch
    edit "trust"
        set physical-switch "sw0"
        config port
            edit "port5"
            next
        end
    next
    edit "vlan0200"
        set physical-switch "sw0"
    next
end
 
Step 2: Create a software switch with an explicit intra-switch policy.
 
config system switch-interface
    edit "SW-switch"
        set vdom "vdom1"
        set member "port3" "trust" "vlan0200"
        set intra-switch-policy explicit
    next
end

Note:
The intra-switch-policy setting must be defined during creation and cannot be modified afterward.

Step 3: Configure the software switch interface.
 
config system interface
    edit "SW-switch"
        set vdom "vdom1"
        set ip 6.6.6.1 255.255.255.0
        set allowaccess ping https ssh snmp
        set type switch
    next
end
 
Step 4: Enable 802.1X on the virtual switch.
 
config system interface
    edit "trust"
        set type hard-switch
        set security-mode 802.1X
        set security-8021x-mode dynamic-vlan
        set security-groups "group_radius"
    next
end
 
Check authentication logs: Log & Report -> Event Log -> User.
 
Verify VLAN assignment:
 
diagnose sys 802-1x status
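Because intra-switch-policy cannot be changed after the software switch is created, it is worth checking an existing configuration backup before enabling 802.1X on a member. The following Python script is an added example (not Fortinet tooling and not part of this article): it reads the nested config / edit / set / next / end layout of a FortiOS configuration export into dictionaries and reports every software switch that has an 802.1X-enabled member but is not in explicit mode. The sample configuration is constructed for the example: it combines the article's "SW-switch" with a hypothetical "SW-legacy" switch that was created with the implicit default.

```python
"""Audit a FortiOS config export for software switches whose members run
802.1X while the switch itself is still in implicit intra-switch-policy
mode.  Example code with a minimal, assumption-based parser; it is not
Fortinet's own tooling."""
import shlex

# Constructed sample: the article's "SW-switch" (compliant) plus a
# hypothetical "SW-legacy" switch created without intra-switch-policy explicit.
SAMPLE_CONFIG = """
config system virtual-switch
    edit "trust"
        set physical-switch "sw0"
        config port
            edit "port5"
            next
        end
    next
    edit "guest"
        set physical-switch "sw0"
    next
end
config system switch-interface
    edit "SW-switch"
        set vdom "vdom1"
        set member "port3" "trust" "vlan0200"
        set intra-switch-policy explicit
    next
    edit "SW-legacy"
        set vdom "vdom1"
        set member "port4" "guest"
    next
end
config system interface
    edit "trust"
        set type hard-switch
        set security-mode 802.1X
        set security-8021x-mode dynamic-vlan
        set security-groups "group_radius"
    next
    edit "guest"
        set type hard-switch
        set security-mode 802.1X
        set security-8021x-mode dynamic-vlan
        set security-groups "group_radius"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    'config a b' opens a table stored under the key 'a b', 'edit x' opens an
    entry under the key x, and 'set k v1 v2' stores the list [v1, v2] on the
    innermost open entry.  'next' and 'end' close entries and tables.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the quoted names used by FortiOS
        verb, args = tokens[0], tokens[1:]
        cur = stack[-1]
        if verb == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif verb == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif verb == "set":
            cur[args[0]] = args[1:]
        elif verb == "unset":
            cur.pop(args[0], None)
        elif verb in ("next", "end"):
            if len(stack) == 1:
                raise ValueError("unbalanced '%s' at: %s" % (verb, line))
            stack.pop()
        else:
            raise ValueError("unexpected line: %s" % line)
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def audit_8021x_software_switches(cfg):
    """Return one finding per software switch that has a member with
    security-mode 802.1X but whose intra-switch-policy is not explicit.
    An absent setting is treated as the implicit default described above."""
    interfaces = cfg.get("system interface", {})
    findings = []
    for sw_name, sw in cfg.get("system switch-interface", {}).items():
        policy = sw.get("intra-switch-policy", ["implicit"])[0]
        dot1x_members = [
            m for m in sw.get("member", [])
            if interfaces.get(m, {}).get("security-mode", ["none"])[0].lower() == "802.1x"
        ]
        if dot1x_members and policy != "explicit":
            findings.append({"switch": sw_name, "policy": policy,
                             "members_8021x": dot1x_members})
    return findings


def run_audit(text=SAMPLE_CONFIG):
    return audit_8021x_software_switches(parse_fortios(text))


if __name__ == "__main__":
    for f in run_audit():
        print("%(switch)s: intra-switch-policy is %(policy)s but 802.1X members "
              "%(members_8021x)s require explicit" % f)
```

Run it against a saved configuration file by passing the file contents to run_audit(). A flagged switch cannot be fixed in place: following the note in Step 2, it has to be deleted and recreated with intra-switch-policy explicit, with its firewall policies between members added before the 802.1X member is re-enabled.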
 
Related article: