net_eng
New Member
February 23, 2026
Question

FortiSwitch 802.1X setup with APs and Phones

  • February 23, 2026
  • 4 replies
  • 322 views

Hello,


We have FortiSwitch user ports configured with 802.1X authentication, using a Microsoft NPS server as the RADIUS server.


We now need to ensure that IP phone ports and access point (AP) ports are also protected with 802.1X, so that if a device other than an AP or IP phone is connected, it must authenticate.


I tried creating a dynamic port policy with the following logic:


* The first three rules match APs based on vendor and device type, and assign them a VLAN policy without 802.1X.

* The last rule assigns our 802.1X policy to any device that does not match the previous rules.


However, when I connect a PC to these switch ports, it somehow receives the native VLAN configured in the VLAN policy used for the AP rules. This happens even though the PC does not appear as a matched device for those AP rules.


Does anyone know why this might be happening?


Or can you suggest another way to bypass 802.1X only for IP phones and APs without using MAB (without having to manually add each MAC address)?

4 replies

Stephen_G
Moderator
February 25, 2026

Hello net_eng,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 


If anybody else has any info or advice, please feel free to contribute!

Regards,
Stephen_G - Fortinet Community Team
Stephen_G
Moderator
February 27, 2026

Hello,


We are still looking for an answer to your question.


We will come back to you ASAP.

Stephen_G - Fortinet Community Team
riteshpv
Staff
March 5, 2026

Hi,

It appears that DPP is being used, and when the condition matches, the 802.1X profile is applied. In this case, the profile should be mapped to devices such as PCs.

  1. Verify whether the PC matches the policy. This can be checked from the GUI or by running the following command on the FortiGate:

     diagnose switch-controller mac-device dynamic

  2. If the PC matches the policy, verify whether the 802.1X configuration has been pushed to the FortiSwitch. This can be checked directly on the FortiSwitch using the following command:

     show switch interface
         edit "port5"
             set native-vlan 4093
             set allowed-vlans 1,10,20,30,40,50,60,70,80,90,4092
             set untagged-vlans 4093
             set security-groups "RADIUS_SERVER"
             set snmp-index 5
             config port-security
                 set auth-fail-vlan enable
                 set auth-fail-vlanid 50
                 set auth-order MAB-dot1x
                 set auth-priority legacy
                 set authserver-timeout-period 3
                 set authserver-timeout-tagged disable
                 set authserver-timeout-vlan disable
                 set client-limit 20
                 set dacl disable
                 set eap-auto-untagged-vlans enable
                 set eap-passthru enable
                 set framevid-apply enable
                 set guest-auth-delay 30
                 set guest-vlan enable
                 set guest-vlanid 50
                 set mab-eapol-request 3
                 set mac-auth-bypass enable
                 set open-auth disable
                 set port-security-mode 802.1X-mac-based   <----------------------
                 set quarantine-vlan enable
                 set radius-timeout-overwrite disable
                 set authserver-timeout-vlanid 300
             end
         next

  3. If the configuration is not being pushed to the FortiSwitch, further investigation will be required to determine the cause. In that case, please open a TAC ticket and include the FortiSwitch serial number for further analysis.

Regards,
Ritesh P V
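
As an added example (not part of any reply in this thread, and not a Fortinet tool): the second check above is easy to miss on a switch with dozens of ports, so the script below parses `show switch interface` output of the shape quoted in the reply and reports every port that is not actually enforcing 802.1X. It flags ports with no `port-security-mode`, and on ports that do have one it also flags the fallbacks that let an unauthenticated device onto the network anyway: `open-auth enable`, `guest-vlan enable`, `auth-fail-vlan enable`, and `mac-auth-bypass enable` (MAB authenticates on a spoofable MAC only). The sample text is constructed: port5 is trimmed from the output in the reply, and port6 and port7 are invented to show a port with no port-security block and a port with open authentication.

```python
import re

# Constructed sample modelled on the `show switch interface` output quoted in the thread.
# port5 is trimmed from the real output; port6 and port7 are invented for contrast.
SAMPLE = """\
config switch interface
    edit "port5"
        set native-vlan 4093
        set allowed-vlans 1,10,20,30,40,50,60,70,80,90,4092
        set security-groups "RADIUS_SERVER"
        config port-security
            set auth-fail-vlan enable
            set auth-fail-vlanid 50
            set auth-order MAB-dot1x
            set guest-vlan enable
            set guest-vlanid 50
            set mac-auth-bypass enable
            set open-auth disable
            set port-security-mode 802.1X-mac-based
        end
    next
    edit "port6"
        set native-vlan 10
        set allowed-vlans 10,20
    next
    edit "port7"
        set native-vlan 4093
        config port-security
            set open-auth enable
            set port-security-mode 802.1X
        end
    next
end
"""

# Modes in which the FortiSwitch port demands authentication before forwarding.
DOT1X_MODES = {"802.1X", "802.1X-mac-based"}


def parse_switch_interfaces(text):
    """Parse `edit "portN" ... next` blocks into
    {port: {"settings": {...}, "port-security": {...}}}.
    Port-level `set` lines land in "settings"; lines inside a
    `config <name> ... end` block land under that block's name."""
    ports = {}
    current = None       # dict for the port currently being read
    section = "settings"  # where the next `set` line belongs
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = {"settings": {}, "port-security": {}}
            ports[m.group(1)] = current
            section = "settings"
            continue
        if line == "next":
            current = None
            continue
        if current is None:  # outer `config ... end` wrapper, nothing to record
            continue
        m = re.match(r"config (\S+)", line)
        if m:
            section = m.group(1)
            current.setdefault(section, {})
            continue
        if line == "end":  # closes a nested config block, back to port level
            section = "settings"
            continue
        m = re.match(r"set (\S+)\s+(.*)", line)
        if m:
            current[section][m.group(1)] = m.group(2).strip('"')
    return ports


def audit_port_security(ports):
    """Return {port: [findings]} for every port not strictly enforcing 802.1X."""
    findings = {}
    for name, port in ports.items():
        ps = port.get("port-security", {})
        issues = []
        mode = ps.get("port-security-mode", "none")
        if mode not in DOT1X_MODES:
            issues.append(f"port-security-mode is {mode}: no 802.1X enforced")
        else:
            if ps.get("open-auth") == "enable":
                issues.append("open-auth enable: traffic forwarded before authentication")
            if ps.get("guest-vlan") == "enable":
                issues.append(f"guest-vlan {ps.get('guest-vlanid', '?')}: "
                              "devices without a supplicant still get network access")
            if ps.get("auth-fail-vlan") == "enable":
                issues.append(f"auth-fail-vlan {ps.get('auth-fail-vlanid', '?')}: "
                              "failed authentications still get network access")
            if ps.get("mac-auth-bypass") == "enable":
                issues.append("mac-auth-bypass enable: MAC-only (spoofable) authentication accepted")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in sorted(audit_port_security(parse_switch_interfaces(SAMPLE)).items()):
        for issue in issues:
            print(f"{port}: {issue}")
```

Feed it the saved output of `show switch interface` instead of `SAMPLE` to audit a real switch. Note that in the quoted port5 configuration an unauthenticated PC is not dropped: with `guest-vlan` and `auth-fail-vlan` both enabled it still ends up in VLAN 50, so "protected by 802.1X" on such a port means "confined to the guest VLAN", not "no access".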

Adolfo_Z_H
Staff
March 5, 2026

If you do not intend to mix device detection, LLDP or 802.1X on the port to determine VLAN association for devices, it is better to configure security policies and just push the VLAN VSA to the required devices using MAB or an EAP supplicant.


Adolfo_Z_H
Staff
March 5, 2026

Just remembered that a CX (customer) opened a ticket last week with the same issue; it was resolved by using this article:

https://community.fortinet.com/t5/FortiSwitch/Technical-Tip-Dynamic-Port-Policies-configuration-with-FortiLink/ta-p/423625