Tank
New Member
September 15, 2014
Question

802.1x Port Authentication - Default Timeout

Hello,

Does anyone know what the default time-out value is for 802.1x port authentication on the FWF90D? I am running a custom version of 5.0.7, but that should not matter? I have researched the web site, but am having absolutely no luck. I need to determine what the default value is, as well as what the commands are to modify it.

In the example below I have set the value to 1 minute and am monitoring a Thin Client connection to see if the Re-Key period expires, but no luck.

    config user setting
        set auth-cert "self-sign"
        set auth-timeout 1
    end

Thanks,


    ede_pfau
    SuperUser
    September 16, 2014
    Hi, FortiOS 5.0 and 5.2 do not support 802.1X on wired ports. It is supported for WPA/WPA2-Enterprise, but not on the 90D according to the Handbook and the CLI Reference.
    emnoc
    New Member
    September 16, 2014
    Correct, and what do you mean by re-key? Are you using this for WEP or WPA? How the rekey process takes place is going to be determined by the protocol being used.

        set auth-timeout 1

    has nothing to do with re-key, btw.
    Carl_Wallmark
    New Member
    September 16, 2014
    802.1X should be supported. I have it both in GUI and CLI on my 60D:

        FW01 (internal) # set security-mode
        none              No security option.
        captive-portal    Captive portal authentication.
        802.1X            802.1X port-based authentication.
    Tank
    New Member
    September 16, 2014
    First off, thank you both for responding.

    Now for the first response. 802.1x Port authentication is supported on the 90D. We are currently testing this in production and it is working on both Windows Servers and Wyse Thin Clients. The reason for this question is related to the amount of time the LAN connected device is allowed to remain on the network in an "idle" state prior to being forced to re-authenticate. Based on testing we are performing, we see the LAN connected devices being forced to re-authenticate every hour. I am trying to determine where this is controlled in the configuration and determine what the time-out range is. We need to extend this period to eight hours or more in case there is a WAN failure, so the Thin Clients can continue to access the local application server.

    Now for the second response. In Cisco speak this is related to the "dot1x timeout re-authperiod" in seconds. This is well documented on the Cisco side and clear to understand, but when trying to identify the equivalent commands on the Fortinet side it is elusive. In terms of the "Re-Key", that is something I have heard from Cisco TAC as well as engineers, but I am not going to argue that point. I would assume they are talking about how the password is encrypted when the re-authentication period expires and using the EAP supplicant on the LAN attached device. I would simply like to locate a document on the Fortinet site that talks about NAC authentication, specifically how it is implemented on LAN ports, and clearly identifies all command line configuration options.

    Once again thanks for your response.

    George,
    emnoc
    New Member
    September 16, 2014
    (in reply to Carl_Wallmark)

        > 802.1X should be supported. I have it both in GUI and CLI on my 60D:
        > FW01 (internal) # set security-mode
        > none              No security option.
        > captive-portal    Captive portal authentication.
        > 802.1X            802.1X port-based authentication.

    What version? What mode (fips or none)? It's definitely not in my 60D 5.2.1. Is it an option that needs a global setting? OP, what you're looking for is like the Cisco "dot1x re-authentication" cmd or something similar. I know the FortiSwitch supports 802.1x and believe they have that option in the FortiSwitch; maybe someone with a FortiSwitch might chime in.
    Carl_Wallmark
    New Member
    September 17, 2014
    Hi Emnoc, right now I'm using 5.2.1, but it has been available since 5.0.
    netmin
    New Member
    September 17, 2014
    100D does have it as well, not on individual ports but on hard-switch interfaces and likely only on the internal switch in switch mode.
    emnoc
    New Member
    September 17, 2014
    Good point, I had checked on a fortigate in port interface mode
    Tank
    New Member
    September 17, 2014
    Hello Everyone,

    When we were initially evaluating new Fortinet replacements we evaluated the 100D, which is a true hardware switch and my recommendation, but unfortunately management had other ideas (if you know what I mean :) ) and the decision was made to go with the 90D. Of course the 90D becomes a software switch when you start breaking up the ports, but not a big concern since we are not developing rockets at retail locations.

    To make a long story short, we wanted to preserve the existing subnets and rather than breaking them up, we created a "Layer 2" VDOM for one of the main subnets; not a problem so far. Next, we wanted to enable NAC (802.1x) on selected ports and that's when the bottom fell out. After research and conversations with Fortinet we learned they did not support NAC on Layer 2 ports.

    Now the good news. After additional discussions we learned that we were not the only company requesting this functionality and discovered there was a custom version of firmware for the 90D that would support NAC on a Layer 2 port. We have confirmed this is fully functional and working, but I am still trying to identify the elusive "idle time-out" range and how to modify it.

    At the present time we are running FWF90D Custom firmware version: v5.0,build3816 (GA). This is a build from 5.0.9. It is my understanding that this custom build is slated to be included in the upcoming 5.2.x, but I do not have a confirmed date.
    Jeff_FTNT
    Staff
    September 17, 2014
    Hi Tank, do you have a way to change the timeout to 8 hours on the Wyse Thin Clients? FGT only de-auths when it receives EAPOL-Logoff or link down.