# config firewall policy
Verify the config from the CLI:
edit 1
set srcintf "MCLAG" <----- This is the FortiLink interface in the example.
set dstintf "port1" <----- This is the LAN interface where radius server is.
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "RADIUS"
set nat enable
end
FGT # show user radius
Make sure a firewall policy is configured to allow the RADIUS service. Note that the `set secret ENC ...` line shows the RADIUS shared secret only in its stored, encrypted form, not in clear text.
# config user radius
edit "FCT"
set server "10.33.165.61"
set secret ENC H00GGt2qjDdIX4IuNyLM3Yj3kHr41qZ0zR5dyqQabYEANROYf1E2qmsev3NSG1GjC14TlXLah5f5NtlPlms9N3QighfenoKNK9pCccVtxkqnTLua5dBuUVJb2GMFsz44jYh/WPg6m0yZMrk+0knVDQJDgLkOP6vT4OvZ+dmi30tXUJ1cAg3EBPLAFdVktncex0NSQQ==
set nas-ip 10.33.154.24
next
end
FGT # show user group FCT
# config user group
edit "FCT"
set member "FCT"
next
end
FGT # show switch-controller security-policy FCT
# config switch-controller security-policy 802-1X
edit "FCT"
set user-group "FCT"
set mac-auth-bypass disable
set open-auth disable
set eap-passthru enable
set guest-vlan disable
set guest-auth-delay 20
set auth-fail-vlan disable
set radius-timeout-overwrite disable
next
end
FGT # show switch-controller managed-switch S248EXXXX
.
.
.
# config ports
edit "port1"
set poe-capable 1
set vlan "vsw.MCLAG"
set untagged-vlans "qtn.MCLAG"
set port-security-policy "FCT"
FGT # show firewall policy 1
Verify whether the config has been pushed to the FortiSwitch:
# config firewall policy
edit 1
set name "all"
set uuid 7106aed8-febd-51e8-8dd0-417720452421
set srcintf "MCLAG"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "RADIUS"
set fsso disable
set nat enable
next
end
FGT# execute ssh admin@<switchip>
Now connect a client to the switch port and try performing 802.1X authentication.
switch # show user radius
# config user radius
edit "FCT"
set nas-ip 10.33.154.24
set radius-port 0
set secret ENC pEyknaQHimLcfLt2p/kdj7hTC8Q0mnSDgMA9odIQgzHRXEgulaob+NV9kO07qUxHBg1WbQK4iVQfvEtkx6VLl0qwiehzL8o1d4lIDXDgYAvaA/HEjL2gEV6atns2xos5HKulJjXrAEWixCQzECudHrv0ufhK0ffKQqVZWg4x2PdbSJx/
set server "10.33.165.61"
next
end
switch # show user group
# config user group
edit "FCT"
set member "FCT"
next
switch # show switch interface port1
# config switch interface
edit "port1"
set untagged-vlans 4093
set security-groups "FCT"
set snmp-index 1
# config port-security
set auth-fail-vlan disable
set eap-passthru enable
set framevid-apply enable
set guest-auth-delay 30
set guest-vlan disable
set mac-auth-bypass disable
set open-auth disable
set port-security-mode 802.1X
set radius-timeout-overwrite disable
set auth-fail-vlanid 200
set guest-vlanid 100
end
next
end
switch # diagnose debug application fnbamd -1
Connect the client and, once authentication fails, stop the debug.
switch # diagnose debug enable
.
.
2) switch # diagnose switch 802-1x status
switch # diagnose debug disable
switch # diagnose debug reset