Description

This article provides instruction on how to verify the status of Port-based 802.1X Authentication applied to one of the ports of FortiSwitch.
This applies to a FortiSwitch managed by FortiGate setup.

Scope

Fortigate Firmware 6.0.6
Fortiswitch Firmware 3.6.10

Solution
Step 1:

Login to FortiGate and verify that the connections from the FortiGate to the FortiSwitch units are up.

exec switch-controller get-conn-status

Managed-devices in current vdom root:
STACK-NAME: FortiSwitch-Stack-internal7
SWITCH-ID VERSION STATUS ADDRESS JOIN-TIME NAME
FS108D3W15****** v3.6.10 Authorized/Up 169.254.1.2 Fri Sep 13 12:36:24 2019 -

Step 2:

Check the port  802.1x status.
Access the FortiSwitch from the FortiGate using SSH or Telnet.

Output of successful authentication:

diagnose switch 802-1x status port2
   port2 : Mode: port-based (mac-by-pass disable)
           Link: Link up
           Port State: authorized (  )
           Dynamic Authorized Vlan : 0
           EAP pass-through mode : Enable
           Native Vlan : 32
           Allowed Vlan list: 32
           Untagged Vlan list:
           Guest Vlan : 34        Guest Auth Delay :120
           Auth-Fail Vlan : 34

           Sessions info:
           54:e1:ad:4a:2d:6b     Type=802.1x,PEAP,state=AUTHENTICATED,etime=0,eap_cnt=10 params:reAuth=600

Here reAuth indicates the time required for clients to reauthenticate when connected to FSW port that is configured with 802.1x policy.

Output of failed authentication:

diagnose switch 802-1x status port2
   port2 : Mode: port-based (mac-by-pass disable)
           Link: Link up
           Port State: unauthorized (  )
           Dynamic Authorized Vlan : 0
           EAP pass-through mode : Enable
           Native Vlan : 32
           Allowed Vlan list: 32
           Untagged Vlan list:
           Guest Vlan : 34        Guest Auth Delay :120
           Auth-Fail Vlan : 34

           Sessions info:
           54:e1:ad:4a:2d:6b     Type=802.1x,IDENTITY,state=HELD,etime=0,eap_cnt=5 params:reAuth=600

The same output will show after using the following command in the FortiGate:

diagnose switch-controller dump 802-1X-status FS108D3W15****** port2

Step 3:

Check the Port vlan assignment from the FortiSwitch.
After a failure (wrong password supplied), port2 is removed from Vlan32('LALanSecure') and its replaced by Vlan34('LAGuest').

diagnose  switch vlan list 32

  VlanId  Ports
  ______  ___________________________________________________
  32      port10

diagnose  switch vlan list 34

  VlanId  Ports
  ______  ___________________________________________________
  34      port1 port2 port10

After a success, port2 is moved to Vlan 32('LALanSecure') and removed from Vlan34('LAGuest').

diagnose  switch vlan list 32

  VlanId  Ports
  ______  ___________________________________________________
  32      port2 port10

diagnose  switch vlan list 34

  VlanId  Ports
  ______  ___________________________________________________
  34      port1 port10

Check the event viewer of the Windows server to further investigate the root cause of the Failed authentication for 802.1x connections.
Under the Server Roles, check the output of the Network Policy and Access Services.

Below is a successful output of 802.1x connection from the PC: