Troubleshooting Tip: 802.1X Failure, Delay in getting IP from auth-fail-VLAN
Description
This article describes how to adjust the 802.1X configuration when a client whose authentication fails is slow to obtain an IP address from the auth-fail VLAN.
Scope
FortiSwitch.
Solution
The following configuration can be used for 802.1X authentication:
config switch-controller 802-1X-settings
    set link-down-auth set-unauth
    set reauth-period 60
    set max-reauth-attempt 3
end
config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set security-mode 802.1X
        set user-group "8021x"
        set mac-auth-bypass disable
        set eap-passthru enable
        set guest-vlan disable
        set guest-auth-delay 120
        set auth-fail-vlan enable
        set auth-fail-vlan-id <vlanid>
        set radius-timeout-overwrite disable
    next
end
With this configuration, when 802.1X authentication fails the client obtains an IP address only after approximately 5 minutes.
Try the following changes:
- Make the following change under 'config switch-controller 802-1X-settings':
set max-reauth-attempt 2
- Make the following change under 'config switch-controller security-policy 802-1X':
set guest-vlan enable
set guest-vlan-id <vlanid> <----- The same VLAN as auth-fail-vlan-id.
set guest-auth-delay 60
- max-reauth-attempt: caps the number of reauthentication attempts the switch initiates. Range is 0 to 15, where 0 means retry forever. The default value is 3.
- guest-auth-delay: how long the switch waits before placing a port that has not authenticated into the guest VLAN. The default is 120 (seconds).
The result of this change is that when 802.1X authentication fails, the client will get an IP within 2 minutes (approximately).
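As an added example (not Fortinet code), the following Python parses a FortiOS CLI config dump in the format shown above and flags the three values this article changes, so the weak settings can be spotted in a backed-up configuration. The config text and the VLAN name "vlan100" are constructed.

```python
# Added example (not Fortinet code): parse FortiOS CLI config/edit/set/next/end blocks
# and audit the 802.1X timers this article identifies as causing the slow auth-fail-VLAN case.
def parse_fortios(text):
    root, stack = {}, []                # nested dicts; tables keyed by their edit name
    cur = root
    for raw in text.splitlines():
        kw, _, rest = raw.strip().partition(" ")
        if kw in ("config", "edit"):    # open a nested block
            stack.append(cur)
            cur = cur.setdefault(rest.strip('"'), {})
        elif kw in ("next", "end"):     # close the innermost block
            cur = stack.pop()
        elif kw == "set":               # values are kept as strings
            key, _, val = rest.partition(" ")
            cur[key] = val.strip().strip('"')
    return root

def audit_8021x(cfg):
    # Checks max-reauth-attempt (CLI default 3, 0 = retry forever), guest-vlan matching
    # the auth-fail VLAN, and guest-auth-delay (CLI default 120), as recommended above.
    findings = []
    settings = cfg.get("switch-controller 802-1X-settings", {})
    attempts = int(settings.get("max-reauth-attempt", 3))
    if attempts == 0 or attempts > 2:
        findings.append(f"max-reauth-attempt={attempts}, want 2")
    for name, pol in cfg.get("switch-controller security-policy 802-1X", {}).items():
        if pol.get("auth-fail-vlan") != "enable":
            continue                    # not the scenario this article covers
        guest = pol.get("guest-vlan-id", pol.get("guest-vlanid"))  # article writes guest-vlanid
        if pol.get("guest-vlan") != "enable" or guest != pol.get("auth-fail-vlan-id"):
            findings.append(f"{name}: enable guest-vlan with guest-vlan-id = auth-fail-vlan-id")
        if int(pol.get("guest-auth-delay", 120)) > 60:
            findings.append(f"{name}: guest-auth-delay > 60")
    return findings

SLOW_CONFIG = """config switch-controller 802-1X-settings
    set max-reauth-attempt 3
end
config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set guest-auth-delay 120
        set auth-fail-vlan enable
        set auth-fail-vlan-id "vlan100"
    next
end
"""
# The same constructed config with the three recommended changes applied.
FAST_CONFIG = (SLOW_CONFIG.replace("max-reauth-attempt 3", "max-reauth-attempt 2")
    .replace("guest-auth-delay 120", 'guest-auth-delay 60\n        set guest-vlan enable\n        set guest-vlan-id "vlan100"'))
```

Running `audit_8021x(parse_fortios(SLOW_CONFIG))` reports the three settings to change, while the corrected config returns no findings.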