FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rmesa_FTNT
Staff
Staff
Description
This article provides instruction on how to verify the status of Port-based 802.1X Authentication applied to one of the ports of FortiSwitch.
This applies to a FortiSwitch managed by FortiGate setup.


Scope
Fortigate Firmware 6.0.6
Fortiswitch Firmware 3.6.10


Solution
Step 1:

Login to FortiGate and  verify that the connections from the FortiGate to the FortiSwitch units are up.

#exec switch-controller get-conn-status
Managed-devices in current vdom root:
STACK-NAME: FortiSwitch-Stack-internal7
SWITCH-ID        VERSION    STATUS           ADDRESS         JOIN-TIME                   NAME
FS108D3W15****** v3.6.10    Authorized/Up    169.254.1.2     Fri Sep 13 12:36:24 2019    -
Step 2:

Check the port  802.1x status.
Access the FortiSwitch from the FortiGate using ssh or Telnet.

Output of successful Authentication
#FS108D3W15****** # diagnose  switch 802-1x status port2
   port2 : Mode: port-based (mac-by-pass disable)
           Link: Link up
           Port State: authorized (  )
           Dynamic Authorized Vlan : 0
           EAP pass-through mode : Enable
           Native Vlan : 32
           Allowed Vlan list: 32
           Untagged Vlan list:
           Guest Vlan : 34        Guest Auth Delay :120
           Auth-Fail Vlan : 34

           Sessions info:
           54:e1:ad:4a:2d:6b     Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=10 params:reAuth=600
Output of Failed Authentication
#FS108D3W15****** # diagnose  switch 802-1x status port2
   port2 : Mode: port-based (mac-by-pass disable)
           Link: Link up
           Port State: unauthorized (  )
           Dynamic Authorized Vlan : 0
           EAP pass-through mode : Enable
           Native Vlan : 32
           Allowed Vlan list: 32
           Untagged Vlan list:
           Guest Vlan : 34        Guest Auth Delay :120
           Auth-Fail Vlan : 34

           Sessions info:
           54:e1:ad:4a:2d:6b     Type=802.1x,IDENTITY,state=HELD,etime=0,eap_cnt=5 params:reAuth=600
The same output will show up using  the following command in the Fortigate
#diagnose  switch-controller dump 802-1X-status FS108D3W15****** port2
Step 3:

Check the Port vlan assignment from the FortiSwitch.
After a failure (wrong password supplied), port2 is removed from Vlan32("LALanSecure") and its replaced by Vlan34("LAGuest")

#FS108D3W15****** # diagnose  switch vlan list 32

  VlanId  Ports
  ______  ___________________________________________________
  32      port10

#FS108D3W15****** # diagnose  switch vlan list 34


  VlanId  Ports
  ______  ___________________________________________________
  34      port1 port2 port10
After a success, port2 is moved to Vlan 32("LALanSecure") and removed from Vlan34("LAGuest")
#FS108D3W15****** # diagnose  switch vlan list 32

  VlanId  Ports
  ______  ___________________________________________________
  32      port2 port10

#FS108D3W15****** # diagnose  switch vlan list 34

  VlanId  Ports
  ______  ___________________________________________________
  34      port1 port10
Check the Event viewer of the Windows server to further investigate the root cause of the Failed authentication for 802.1x connections.
Under the Server Roles, check the output of the Network Policy and Access Services.

Below is a successful output of 802.1x connection from the PC:





Contributors