Description
This article provides instruction on how to verify the status of Port-based 802.1X Authentication applied to one of the ports of FortiSwitch.
This applies to a FortiSwitch managed by FortiGate setup.
Scope
Fortigate Firmware 6.0.6
Fortiswitch Firmware 3.6.10
Solution
Step 1:
Login to FortiGate and verify that the connections from the FortiGate to the FortiSwitch units are up.
exec switch-controller get-conn-status
Managed-devices in current vdom root:
STACK-NAME: FortiSwitch-Stack-internal7
SWITCH-ID VERSION STATUS ADDRESS JOIN-TIME NAME
FS108D3W15****** v3.6.10 Authorized/Up 169.254.1.2 Fri Sep 13 12:36:24 2019 -
Step 2:
Check the port 802.1x status.
Access the FortiSwitch from the FortiGate using SSH or Telnet.
Output of successful authentication:
diagnose switch 802-1x status port2
port2 : Mode: port-based (mac-by-pass disable)
Link: Link up
Port State: authorized ( )
Dynamic Authorized Vlan : 0
EAP pass-through mode : Enable
Native Vlan : 32
Allowed Vlan list: 32
Untagged Vlan list:
Guest Vlan : 34 Guest Auth Delay :120
Auth-Fail Vlan : 34
Sessions info:
54:e1:ad:4a:2d:6b Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=10 params:reAuth=600
Here reAuth indicates the time required for clients to reauthenticate when connected to FSW port that is configured with 802.1x policy.
Output of failed authentication:
diagnose switch 802-1x status port2
port2 : Mode: port-based (mac-by-pass disable)
Link: Link up
Port State: unauthorized ( )
Dynamic Authorized Vlan : 0
EAP pass-through mode : Enable
Native Vlan : 32
Allowed Vlan list: 32
Untagged Vlan list:
Guest Vlan : 34 Guest Auth Delay :120
Auth-Fail Vlan : 34
Sessions info:
54:e1:ad:4a:2d:6b Type=802.1x,IDENTITY,state=HELD,etime=0,eap_cnt=5 params:reAuth=600
The same output will show after using the following command in the FortiGate:
diagnose switch-controller dump 802-1X-status FS108D3W15****** port2
Step 3:
Check the Port vlan assignment from the FortiSwitch.
After a failure (wrong password supplied), port2 is removed from Vlan32('LALanSecure') and its replaced by Vlan34('LAGuest').
diagnose switch vlan list 32
VlanId Ports
______ ___________________________________________________
32 port10
diagnose switch vlan list 34
VlanId Ports
______ ___________________________________________________
34 port1 port2 port10
After a success, port2 is moved to Vlan 32('LALanSecure') and removed from Vlan34('LAGuest').
diagnose switch vlan list 32
VlanId Ports
______ ___________________________________________________
32 port2 port10
diagnose switch vlan list 34
VlanId Ports
______ ___________________________________________________
34 port1 port10
Check the event viewer of the Windows server to further investigate the root cause of the Failed authentication for 802.1x connections.
Under the Server Roles, check the output of the Network Policy and Access Services.
Below is a successful output of 802.1x connection from the PC:
