Configure FortiGate management interface as EAP-Supplicant:

In the CLI, configure the necessary commands as below:

config system interface
    edit mgmt
        set eap-supplicant enable        <----- Enable EAP.
        set eap-method peap              <----- EAP type; Protected EAP is used here.
        set eap-identity "user3"         <----- Username as per the RADIUS server identity database.
        set eap-password ENC xxxxxxx     <----- Password.
    next
end

Configure FortiSwitch RADIUS settings with FortiAuthenticator:

In the FortiSwitch GUI, go to System -> Authentication -> RADIUS -> +Add Server.

- Add the name of the server.
- Configure IP address and RADIUS authentication port.
- Test connectivity and user authentication to make sure that the configuration is correct.
- If there is a need to add a secondary server, add the necessary details as mentioned in the above steps.
- Select Save.

Configure a user in FortiSwitch for RADIUS authentication:

In the FortiSwitch GUI, go to System -> User -> Definition -> +Add user.

- Enter the username, which should match the one in the RADIUS server.
- Set the type of the user to 'RADIUS'.
- Choose the RADIUS server configured in the previous step.
- Select Save.

Configure the FortiSwitch user group:

In the FortiSwitch GUI, go to System -> User -> Group -> +Add Group.

- Name the user group.
- Add the user created earlier ('User3' is listed there).
- Choose the correct RADIUS server to authenticate 'User3'.
- Select Save.

Configure FortiSwitch ports:

In the FortiSwitch GUI, go to Switch -> Interfaces, choose the port connected to the firewall's management interface and edit it.

- Enable Port Security and choose the security mode '802.1x', or '802.1x and MAC-Based' to also enable MAC authentication bypass (MAB).
- In Security Group, select the group created earlier.
- Select Save.

RADIUS configuration in FortiAuthenticator:

- Create the first FortiSwitch as a RADIUS client. Go to Authentication -> RADIUS Service -> Clients and select 'Create New', then add the necessary information.
- Create a local user to authenticate with. Go to Authentication -> User Management -> Local Users and select 'Create New', then add the necessary information.
- Optional: create a remote user in cases where an external directory, such as Windows Server Active Directory, is used to authenticate users. In this article, the local users stored in FortiAuthenticator are used as the user database.
- Create a RADIUS policy to authenticate and authorize the user. Go to Authentication -> RADIUS Service -> Policy and select 'Create New'.

For more details, see Creating the RADIUS client and policy on the FortiAuthenticator.

Test outputs and debug outputs:

- Start debug commands on the firewall:
diagnose debug application eap_supp 255
diagnose debug enable

- To show the status of the EAP supplicant (before authorization):
FG7# diagnose test application eap_supp 2
Interface: mgmt
status:Unauthorized
method: PEAP
identity: user3
ca_cert:
client_cert:
private_key:
last_eapol_src=00:00:00:00:00:00

- Restart the EAP process to trigger the authentication request:
diagnose test application eap_supp 99

- Debug outputs:
2026-02-17 06:58:55 EAPOL: Received EAP-Packet frame
2026-02-17 06:58:55 EAPOL: SUPP_BE entering state REQUEST    <----- Request sent.
2026-02-17 06:58:55 EAPOL: getSuppRsp
2026-02-17 06:58:55 EAP: EAP entering state RECEIVED
2026-02-17 06:58:55 EAP: Received EAP-Request id=41 method=25 vendor=0 vendorMethod=0
2026-02-17 06:58:55 EAP: EAP entering state METHOD
2026-02-17 06:58:55 SSL: Received packet(len=107) - Flags 0x00
2026-02-17 06:58:55 EAP-PEAP: received 101 bytes encrypted data for Phase 2
2026-02-17 06:58:55 EAP-PEAP: received Phase 2: code=1 identifier=41 length=51
2026-02-17 06:58:55 EAP-PEAP: Phase 2 Request: type=26
2026-02-17 06:58:55 EAP-MSCHAPV2: RX identifier 41 mschapv2_id 40
2026-02-17 06:58:55 EAP-MSCHAPV2: Received success
2026-02-17 06:58:55 EAP-MSCHAPV2: Success message - hexdump_ascii(len=0):
2026-02-17 06:58:55 EAP-MSCHAPV2: Authentication succeeded    <----- Inner (Phase 2) authentication succeeded.
2026-02-17 06:58:55 EAP-PEAP: Encrypting Phase 2 data - hexdump(len=6):
2026-02-17 06:58:55 EAPOL: Received EAP-Packet frame
2026-02-17 06:58:55 EAPOL: SUPP_BE entering state REQUEST
2026-02-17 06:58:55 EAPOL: getSuppRsp
2026-02-17 06:58:55 EAP: EAP entering state RECEIVED
2026-02-17 06:58:55 EAP: Received EAP-Success
2026-02-17 06:58:55 EAP: Status notification: completion (param=success)    <----- Authorization completed.
2026-02-17 06:58:55 EAP: EAP entering state SUCCESS
2026-02-17 06:58:55 CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
2026-02-17 06:58:55 EAPOL: SUPP_PAE entering state AUTHENTICATED
2026-02-17 06:58:55 EAPOL: SUPP_BE entering state RECEIVE
2026-02-17 06:58:55 EAPOL: SUPP_BE entering state SUCCESS
2026-02-17 06:58:55 EAPOL: SUPP_BE entering state IDLE

- Interface status after authorization:
Interface: mgmt
status:Authorized
method: PEAP
identity: user3
ca_cert:
client_cert:
private_key:
last_eapol_src=90:6c:ac:61:df:52    <----- FortiSwitch port3 MAC address.

On the switch:

diagnose debug application wired -1
diagnose debug application fnbamd -1
diagnose debug enable

Go to Monitor -> 802.1x -> Sessions.

The virtual MAC of the cluster is used to authenticate on port3 (connected to the active unit). Once a failover occurs, it is mapped to port1, as shown below:

FG-3 # diagnose test application eap_supp 2
Interface: mgmt
status:Authorized
method: PEAP
identity: user3
ca_cert:
client_cert:
private_key:
last_eapol_src=90:6c:ac:61:df:50    <----- FortiSwitch port1 MAC address.

Note: allow-mac-move under the port-security configuration is disabled by default on both interfaces, so FortiSwitch does not allow the MAC address to move between ports. In this situation the virtual MAC is expected to move between the two ports to authorize the FortiGate HA cluster in the event of a failover, so enable allow-mac-move on both ports:

ISW(port1) # config switch interface
    edit "port1"
        config port-security
            set allow-mac-move enable
        end
    next
end

ISW(port1) # config switch interface
    edit "port3"
        config port-security
            set allow-mac-move enable
        end
    next
end
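Reading the supplicant state and the MAC move off the CLI by hand is fine for one cluster; a monitoring job needs to parse it. The script below is an added example, not code from the Fortinet article or from FortiOS: it parses text in the format of the `diagnose test application eap_supp 2` output and of the `eap_supp` debug log shown above, reports whether the mgmt interface is authorized with the expected identity and method, and flags when last_eapol_src moves between the two FortiSwitch port MAC addresses quoted above (port3 to port1 after the failover). All sample text in the script is constructed from those formats. The failure markers it looks for (CTRL-EVENT-EAP-FAILURE and 'completion (param=failure)') are an assumption taken from the wpa_supplicant-style logging the debug output resembles; they do not appear on this page.

```python
"""Check FortiGate EAP-supplicant diagnostics and flag authenticator MAC moves.

Added example, not code from the Fortinet article.  Parses text in the
format of `diagnose test application eap_supp 2` and of the
`diagnose debug application eap_supp 255` log.  Sample text is constructed.
"""
import re

# Constructed sample: eap_supp 2 output before authorization.
STATUS_BEFORE = """\
Interface: mgmt
status:Unauthorized
method: PEAP
identity: user3
ca_cert:
client_cert:
private_key:
last_eapol_src=00:00:00:00:00:00
"""

# Constructed sample: after authorization, EAPOL peer is FortiSwitch port3.
STATUS_AFTER = STATUS_BEFORE.replace("Unauthorized", "Authorized").replace(
    "00:00:00:00:00:00", "90:6c:ac:61:df:52")

# Constructed sample: after HA failover, the virtual MAC now sits on port1.
STATUS_FAILOVER = STATUS_AFTER.replace("90:6c:ac:61:df:52", "90:6c:ac:61:df:50")

# Constructed sample of a few eap_supp debug lines (wpa_supplicant-style).
DEBUG_LOG = """\
2026-02-17 06:58:55 EAP: Received EAP-Request id=41 method=25 vendor=0 vendorMethod=0
2026-02-17 06:58:55 EAP-MSCHAPV2: Authentication succeeded
2026-02-17 06:58:55 EAP: Status notification: completion (param=success)
2026-02-17 06:58:55 CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
2026-02-17 06:58:55 EAPOL: SUPP_PAE entering state AUTHENTICATED
"""

# FortiSwitch port MAC addresses quoted in the article, for readable reports.
AUTHENTICATOR_PORTS = {
    "90:6c:ac:61:df:52": "port3",
    "90:6c:ac:61:df:50": "port1",
}
NULL_MAC = "00:00:00:00:00:00"

# Matches both 'key: value' lines and the 'last_eapol_src=value' line.
FIELD_RE = re.compile(r"^([A-Za-z_]+)\s*[:=]\s*(.*)$")


def parse_eap_supp_status(text):
    """Return the key/value fields of `eap_supp 2` output as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields


def supplicant_summary(text, expected_identity, expected_method="PEAP"):
    """Evaluate one status snapshot against the intended configuration.

    Returns the authorization state, the authenticator MAC (last_eapol_src),
    the switch port it maps to if known, and a list of issues worth alerting on.
    """
    f = parse_eap_supp_status(text)
    mac = f.get("last_eapol_src", "").lower()
    issues = []
    if f.get("status", "").lower() != "authorized":
        issues.append("supplicant is not authorized")
    if f.get("identity") != expected_identity:
        issues.append(f"identity {f.get('identity')!r} is not {expected_identity!r}")
    if f.get("method", "").upper() != expected_method.upper():
        issues.append(f"method {f.get('method')!r} is not {expected_method!r}")
    if mac in ("", NULL_MAC):
        issues.append("no EAPOL frame received from an authenticator yet")
    return {
        "interface": f.get("interface"),
        "authorized": f.get("status", "").lower() == "authorized",
        "authenticator_mac": mac,
        "port": AUTHENTICATOR_PORTS.get(mac),
        "issues": issues,
    }


def authenticator_moved(before_text, after_text):
    """Compare last_eapol_src between two snapshots: (moved, old_port, new_port).

    A move between the two expected switch ports is what a failover should
    produce (and needs allow-mac-move on both FortiSwitch ports); a move to
    a MAC outside AUTHENTICATOR_PORTS is reported by its raw address.
    """
    old = parse_eap_supp_status(before_text).get("last_eapol_src", "").lower()
    new = parse_eap_supp_status(after_text).get("last_eapol_src", "").lower()
    return (old != new, AUTHENTICATOR_PORTS.get(old, old), AUTHENTICATOR_PORTS.get(new, new))


def eap_debug_outcome(log_text):
    """Scan eap_supp debug output: 'success', 'failure' or 'incomplete'.

    Success markers are the ones shown in the article; the failure markers
    are assumed from wpa_supplicant-style logging.
    """
    outcome = "incomplete"
    for line in log_text.splitlines():
        if "CTRL-EVENT-EAP-SUCCESS" in line or "completion (param=success)" in line:
            outcome = "success"
        elif "CTRL-EVENT-EAP-FAILURE" in line or "completion (param=failure)" in line:
            outcome = "failure"
    return outcome


if __name__ == "__main__":
    print(supplicant_summary(STATUS_BEFORE, "user3"))
    print(supplicant_summary(STATUS_AFTER, "user3"))
    print(authenticator_moved(STATUS_AFTER, STATUS_FAILOVER))
    print(eap_debug_outcome(DEBUG_LOG))
```

In practice, feed the functions the captured output of the two diagnose commands taken before and after a failover test. A move between port3 and port1 is the expected result once allow-mac-move is enabled; a snapshot that stays Unauthorized after the restart, or a last_eapol_src that is not one of the expected switch ports, is what the job should raise.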