riteshpv
Staff
Article Id 190769
Description
802.1X Failure: Delay in getting IP from auth-fail-VLAN

Scope
FortiSwitch models supporting v3.6 and above

Solution
Consider the following configuration for 802.1X authentication:
config switch-controller 802-1X-settings
    set link-down-auth set-unauth
    set reauth-period 60
    set max-reauth-attempt 3
end
config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set security-mode 802.1X
        set user-group "8021x"
        set mac-auth-bypass disable
        set eap-passthru enable
        set guest-vlan disable
        set guest-auth-delay 120
        set auth-fail-vlan enable
        set auth-fail-vlan-id <vlanid>
        set radius-timeout-overwrite disable
    next
end

With this configuration, when 802.1X authentication fails, the client only obtains an IP address from the auth-fail VLAN after approximately 5 minutes.

To shorten the delay, make the following changes:

1.) In "config switch-controller 802-1X-settings", lower the number of re-authentication attempts:
    set max-reauth-attempt 2

2.) In "config switch-controller security-policy 802-1X", enable the guest VLAN, point it at the same VLAN as the auth-fail VLAN, and shorten the guest delay:
    set guest-vlan enable
    set guest-vlanid <vlanid>      (same VLAN ID as auth-fail-vlan-id)
    set guest-auth-delay 60

max-reauth-attempt: If 802.1X authentication fails, this setting caps the number of re-authentication attempts the switch initiates. Range 0 to 15, where 0 means retry forever. Default is 3.

guest-auth-delay: The delay, in seconds, between an authentication failure and the guest VLAN being applied to the port. Range 60 to 900. Default is 120.

With these changes, a client whose 802.1X authentication fails obtains an IP address within approximately 2 minutes.
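As an added example (not from the article or Fortinet), the following Python linter flattens a FortiSwitch-style "config / edit / set / next / end" text and flags the three settings discussed above that keep a failed 802.1X client waiting for an IP; the embedded configuration is constructed from the article's pre-fix example, and VLAN ID 100 is a made-up value.

```python
# Constructed sample: the article's configuration before the fix (VLAN ID 100 is made up).
SAMPLE_CONFIG = """
config switch-controller 802-1X-settings
    set reauth-period 60
    set max-reauth-attempt 3
end
config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set guest-vlan disable
        set guest-auth-delay 120
        set auth-fail-vlan enable
        set auth-fail-vlan-id 100
    next
end
"""

SETTINGS, POLICY = "switch-controller 802-1X-settings", "switch-controller security-policy 802-1X"

def parse_fortios(text):
    """Flatten config/edit/set/next/end text into {(section, entry, key): value}."""
    settings, stack, entry = {}, [], ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        verb, _, rest = line.partition(" ")
        if verb == "config":
            stack.append(rest)          # enter a section
        elif verb == "edit":
            entry = rest.strip('"')     # enter a table entry (e.g. a policy name)
        elif verb == "next":
            entry = ""
        elif verb == "end":
            stack.pop()
        elif verb == "set":
            key, _, value = rest.partition(" ")
            settings[(stack[-1], entry, key)] = value.strip('"')
    return settings

def lint_auth_fail_delay(settings):
    """Return the findings that keep a failed 802.1X client waiting for an IP."""
    get = lambda sec, ent, key, default=None: settings.get((sec, ent, key), default)
    findings = []
    if int(get(SETTINGS, "", "max-reauth-attempt", 3)) > 2:
        findings.append("max-reauth-attempt above 2; set it to 2")
    for pol in {e for (s, e, _) in settings if s == POLICY}:
        if get(POLICY, pol, "auth-fail-vlan") != "enable":
            continue  # only the auth-fail path is affected
        if get(POLICY, pol, "guest-vlan", "disable") != "enable":
            findings.append(f"{pol}: guest-vlan disabled; enable it")
        elif get(POLICY, pol, "guest-vlanid") != get(POLICY, pol, "auth-fail-vlan-id"):
            findings.append(f"{pol}: guest-vlanid must equal auth-fail-vlan-id")
        if int(get(POLICY, pol, "guest-auth-delay", 120)) > 60:
            findings.append(f"{pol}: guest-auth-delay above 60 s; set it to 60")
    return findings
```

Running `lint_auth_fail_delay(parse_fortios(SAMPLE_CONFIG))` on the pre-fix configuration reports all three settings; after applying the changes above it returns an empty list.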
