Help
FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
sachitdas_FTNT
Staff
Staff

Created on ‎03-26-2025 08:00 AM

Article Id 384705

Technical Tip: FortiSwitch 802.1x authentication behaviour when multiple authentication radius servers are configured

Description This article describes how FortiSwitch behaves when multiple RADIUS servers are configured.
Scope FortiSwitch 7.x and above.
Solution

For configuration steps for RADIUS Authentication on FortiSwitch, see Troubleshooting Tip: Configure and troubleshoot 802.1x authentication on a Managed FortiSwitch.

 

FortiSwitch Configuration:

 

The following is the configuration required on FortiSwitch for 802.1X authentication using RADIUS servers.

 

  1. Configuring RADIUS Servers.

 

FortiSwitch# sh user radius

config user radius

    edit "FortiGuest-1_156"

        set nas-ip 10.37.165.67

        set secret <radius-secret>

        set server "10.36.196.156"

    next

    edit "FortiGuest-1_164"

        set nas-ip 10.37.165.67

        set secret <radius-secret>

        set server "10.36.196.164"

    next

end

 

  1. Creating a User Group.

 

FortiSwitch# sh user group

config user group

    edit "Fguest"

        set member "FortiGuest-1_156" "FortiGuest-1_164"

    next

end

 

  1. Configuring Port Security on Port7.

 

FortiSwitch# sh switch interface port7

config switch interface

    edit "port7"

        set native-vlan 20

        set allowed-vlans 4093

        set untagged-vlans 4093

        set security-groups "Fguest"

        config port-security

            set allow-mac-move-from disable

            set auth-fail-vlan disable

            set authserver-timeout-period 3

            set authserver-timeout-vlan disable

            set dacl disable

            set eap-auto-untagged-vlans enable

            set eap-egress-tagged enable

            set eap-passthru enable

            set framevid-apply enable

            set guest-auth-delay 30

            set guest-vlan disable

            set mab-eapol-request 3

            set mac-auth-bypass disable

            set open-auth disable

            set port-security-mode 802.1X

            set quarantine-vlan enable

            set radius-timeout-overwrite disable

            set auth-fail-vlanid 200

            set authserver-timeout-vlanid 300

            set guest-vlanid 100

        end

    next

end

 

RADIUS Request Flow:

 

When an 802.1X client connects to port7, FortiSwitch follows this authentication process:

  1. FortiSwitch Sends RADIUS Request to Servers
    • The FortiSwitch first sends a RADIUS request to 10.36.196.156.
    • If there is no response, it sends the request to 10.36.196.164.
  2. RADIUS Response Handling
    • Both servers will respond with a RADIUS Challenge.
    • The FortiSwitch will prioritize the RADIUS server that responds first with a RADIUS Challenge, making it the default server for all subsequent RADIUS transactions.
  3. Failover Scenarios
    • If 10.36.196.156 is unreachable, FortiSwitch will authenticate via 10.36.196.164.
    • Important: If 10.36.196.156 sends a RADIUS Reject, FortiSwitch will not fail over to 10.36.196.164.

 

Conclusion:

 

This setup ensures that FortiSwitch properly handles 802.1X authentication requests using multiple RADIUS servers, with a primary-preferred and failover mechanism. However, failover does not occur if the primary server explicitly rejects authentication.
485
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.