riteshpv
Staff
May 8, 2026

Troubleshooting Tip: Unable to Set Learning Limit on 802.1X FortiSwitch Port with Configuration Sync Error


Description


This article describes a scenario where configuration synchronization fails on a FortiSwitch port when both learning limit and 802.1X are configured.


Scope

FortiSwitch 1XX series v7.6.


Solution


Symptoms: Configuration for 802.1X is not applied to the FortiSwitch port, and a configuration synchronization error is observed.


Example output from FortiGate:


FortiGate# execute switch-controller get-sync-status all
Managed-devices in current vdom root:
FortiLink interface : fortilink
SWITCH-ID (SERIAL) STATUS CONFIG MAC-SYNC HTTP-UPGRADE
FSWS124 (S124FFTFXXXXXXXX) Up Error - -
[1]
command: https://10.10.10.8:443/api/v2/cmdb/switch/interface/port8
payload: { "json": { "discard-mode": "none", "port-security": { "port-security-mode": "802.1X", "guest-auth-delay": 30 } } }
result : {
"http_method":"PUT",
"status":"error",
"http_status":400,
"vdom":"root",
"path":"switch",
"name":"interface",
"mkey":"port11",
"cmdb-index":"768",
"cmdb-checksum":"1239083008832181308",
"serial":"S124FFTFXXXXXXXX",
"version":"v7.4.7",
"build":914
}


Reasoning:


This behavior is observed on FortiSwitch models based on Marvell chipsets.


The issue occurs when learning limit and 802.1X (port-based mode) are configured simultaneously on the same FortiSwitch port.


Example configuration:


config switch-controller managed-switch
    edit "FSWS124"
        set sn "S124FFTFXXXXXXXX"
        config ports
            edit "port8"
                set vlan "_default"
                set port-security-policy "802-1X-policy-default"
                set learning-limit 11
            next
        end
    next
end


Resolution:


Part A: How to clear a configuration sync error.


Remove both port-security-policy and learning-limit from the affected port to clear the synchronization error:


FortiGate# config switch-controller managed-switch
    edit "FSWS124"
        set sn "S124FFTFXXXXXXXX"
        config ports
            edit "port8"
                set vlan "_default"
                unset port-security-policy
                unset learning-limit
            next
        end
    next
end


Part B: How to apply Client Limiting with 802.1X.


To enforce a limit on authenticated devices when using 802.1X, use MAC-based 802.1X with MAB instead of port-based mode.

  1. Do not configure learning-limit.

  2. Configure MAC-based 802.1X with MAB:


config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set security-mode 802.1X-mac-based
        set mac-auth-bypass enable
    next
end


  3. Use client-limit for device control.


This option becomes available when MAC-based 802.1X is enabled.


Note: This option (client-limit) is available directly on FortiSwitch and not configurable from FortiGate.


Verification on FortiSwitch:


FSWS124# show full switch interface port8
config switch interface
    edit "port8"
        set native-vlan 1
            config port-security
                set client-limit 20
                set port-security-mode 802.1X-mac-based
            end
        next
    end


  4. Default and range for client-limit:

  • Default value: 20.

  • Supported range: 2 to 20.


Summary:

  • Learning limit is not supported with port-based 802.1X on affected FortiSwitch models.

  • Configuration synchronization fails when both features are enabled together.

  • MAC-based 802.1X with client-limit provides an alternative method to control the number of connected devices.
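
To find ports that carry the combination described above before it shows up as a sync error, the following added example (not part of the original article and not Fortinet tooling) scans saved FortiGate configuration text for managed-switch ports that set both port-security-policy and a non-zero learning-limit, and reports the security-mode of the referenced policy. The function names, the sample configuration and the treatment of learning-limit 0 as "no limit" are assumptions.

```python
import shlex
# Constructed sample in the article's syntax, not a capture from a real device.
SAMPLE = """
config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set security-mode 802.1X
    next
end
config switch-controller managed-switch
    edit "FSWS124"
        config ports
            edit "port8"
                set port-security-policy "802-1X-policy-default"
                set learning-limit 11
            next
            edit "port9"
                set port-security-policy "802-1X-policy-default"
            next
        end
    next
end
"""

def parse_fortios(text):
    """Turn config/edit/set lines into nested dicts keyed by block and entry name."""
    stack = [{}]  # stack[0] is the root; stack[-1] is the block being filled
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
        elif tok[0] == "set" and len(tok) > 2:
            stack[-1][tok[1]] = " ".join(tok[2:])
    return stack[0]

def find_conflicts(text):
    """Return (switch, port, policy, mode, limit) for ports that set both options."""
    cfg = parse_fortios(text)
    policies = cfg.get("switch-controller security-policy 802-1X", {})
    hits = []
    for switch, body in cfg.get("switch-controller managed-switch", {}).items():
        for port, p in body.get("ports", {}).items():
            policy, limit = p.get("port-security-policy"), int(p.get("learning-limit", 0))
            if policy and limit > 0:  # assumption: 0 or unset means no learning limit
                mode = policies.get(policy, {}).get("security-mode", "unset")
                hits.append((switch, port, policy, mode, limit))
    return hits

print(find_conflicts(SAMPLE))
```

A mode of "unset" in the result means the policy block in the supplied text does not set security-mode explicitly.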