Description
This article describes how to configure 802.1x authentication on a managed FortiSwitch.
Scope
FortiSwitch.
Solution
Configuration example: v6.0.3 and managed v6.0.2.
From GUI.
- Create a RADIUS server. The authentication method can be set as default, NAS IP is the IP address of the FortiGate interface which is added as a RADIUS client on the radius server and this interface IP will be used to communicate with the RADIUS server.
- Create a user group and map the RADIUS server.
- Create an 802.1x profile. If MAC address-based authentication is configured, then select security mode as 'MAC-based' and enable 'MAC authentication bypass'.
If 802.1x EAP authentication for clients is used, then select security mode as 'Port-based', and no need to enable 'MAC authentication bypass'.
- Map the profile to the switch port.
- Create a policy from CLI to allow RADIUS service. The incoming interface is the FortiLink interface and the outgoing interface is where the RADIUS server is connected.
config firewall policy
edit 1
set srcintf "MCLAG" <----- This is the FortiLink interface in the example.
set dstintf "port1" <----- This is the LAN interface where the RADIUS server is.
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "RADIUS"
set nat enable
end
Verify the config from CLI:
FortiGate.
FGT # show user radius
config user radius
edit "FCT"
set server "10.33.165.61"
set secret ENC H00GGt2qjDdIX4IuNyLM3Yj3kHr41qZ0zR5dyqQabYEANROYf1E2qmsev3NSG1GjC14TlXLah5f5NtlPlms9N3QighfenoKNK9pCccVtxkqnTLua5dBuUVJb2GMFsz44jYh/WPg6m0yZMrk+0knVDQJDgLkOP6vT4OvZ+dmi30tXUJ1cAg3EBPLAFdVktncex0NSQQ==
set nas-ip 10.33.154.24
next
end
FGT # show user group FCT
config user group
edit "FCT"
set member "FCT"
next
end
FGT # show switch-controller security-policy FCT
config switch-controller security-policy 802-1X
edit "FCT"
set user-group "FCT"
set mac-auth-bypass disable
set open-auth disable
set eap-passthru enable
set guest-vlan disable
set guest-auth-delay 20
set auth-fail-vlan disable
set radius-timeout-overwrite disable
next
end
FGT # show switch-controller managed-switch S248EXXXX
config ports
edit "port1"
set poe-capable 1
set vlan "vsw.MCLAG"
set untagged-vlans "qtn.MCLAG"
set port-security-policy "FCT" --> Make sure the policy is configured to allow the RADIUS service.
FGT # show firewall policy 1
config firewall policy
edit 1
set name "all"
set uuid 7106aed8-febd-51e8-8dd0-417720452421
set srcintf "MCLAG"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "RADIUS"
set fsso disable
set nat enable
next
end
Verify if the config is pushed to FortiSwitch:
SSH into the switch from the FortiGate:
FGT# execute ssh admin@<switchip>
switch # show user radius
config user radius
edit "FCT"
set nas-ip 10.33.154.24
set radius-port 0
set secret ENC pEyknaQHimLcfLt2p/kdj7hTC8Q0mnSDgMA9odIQgzHRXEgulaob+NV9kO07qUxHBg1WbQK4iVQfvEtkx6VLl0qwiehzL8o1d4lIDXDgYAvaA/HEjL2gEV6atns2xos5HKulJjXrAEWixCQzECudHrv0ufhK0ffKQqVZWg4x2PdbSJx/
set server "10.33.165.61"
next
end
switch # show user group
config user group
edit "FCT"
set member "FCT"
next
switch # show switch interface port1
config switch interface
edit "port1"
set untagged-vlans 4093
set security-groups "FCT"
set snmp-index 1
config port-security
set auth-fail-vlan disable
set eap-passthru enable
set framevid-apply enable
set guest-auth-delay 30
set guest-vlan disable
set mac-auth-bypass disable
set open-auth disable
set port-security-mode 802.1X
set radius-timeout-overwrite disable
set auth-fail-vlanid 200
set guest-vlanid 100
end
next
end
Now, connect a client to the switch port and attempt to perform 802.1x authentication.
Windows client supplicant settings example:
Note: The settings below are just an example; manage the settings as per the requirement.
In the screenshots below, eap-peap is used with 'validate server certificate' unchecked and 'automatically use my Windows login name' unchecked.
On a Windows machine, run 'services.msc' and start the 'Wired AutoConfig' service.
On a Windows machine, run 'services.msc' and start the 'Wired AutoConfig' service.
Then, go to Control Panel -> Network and Internet -> Network and Sharing Center -> Select the network adapter.
Troubleshooting:
Before troubleshooting, it is important to understand the Authentication request process:
- Supplicant: end host (client).
- Authenticator: Switch .
- Authentication Server: RADIUS server (e.g., FortiAuthenticator, ISE, ClearPass, FreeRADIUS, Duo).
| Step | Sender | Receiver | Message/Frame | Protocol | Purpose / Notes |
|---|---|---|---|---|---|
| 0 | Supplicant | Authenticator | Link up | L2 | Physical link established; uncontrolled port always open for EAPOL only. |
| 1 (opt) | Supplicant | Authenticator | EAPOL-Start | EAPOL | Prompt authenticator to begin 802.1X exchange. Optional. |
| 2 | Authenticator | Supplicant | EAP-Request/Identity | EAPOL (EAP) | Ask client for identity (username/NAI). If no Start seen, authenticator may initiate this. |
| 3 | Supplicant | Authenticator | EAP-Response/Identity | EAPOL (EAP) | Provide identity. Port is still unauthorized. |
| 4 | Authenticator | Authentication Server | Access-Request (EAP-Response/Identity) | RADIUS | Encapsulate client’s EAP response into RADIUS. Includes NAS info (port, MAC, SSID). |
| 5 | Authentication Server | Authenticator | Access-Challenge (EAP-Request …) | RADIUS | Instruct next EAP method step (e.g., EAP-TLS handshake, PEAP start). |
| 6 | Authenticator | Supplicant | EAP-Request (method-specific) | EAPOL (EAP) | Relay challenge/handshake to client. |
| 7 | Supplicant | Authenticator | EAP-Response (method-specific) | EAPOL (EAP) | Provide method data (certs, proofs, inner auth, etc.). |
| 8 | Authenticator | Authentication Server | Access-Request (EAP-Response …) | RADIUS | Keep relaying until method completes. Multiple 5–8 cycles occur. |
| 9a (success) | Authentication Server | Authenticator | Access-Accept + EAP-Success | RADIUS | Success; may include attributes (VLAN, ACLs, dACL, QoS, session-timeout.) |
If authentication fails, collect the logs below in separate files and open a TAC ticket. Mention the MAC address from the testing device.
First debug:
- Start the debug below on the FortSwitch unit, and then connect the client.
switch # diagnose debug application eap -1
switch # diagnose debug application fnbamd -1
switch # diagnose debug console time enable
switch # diagnose debug enable
-
Connect the client, and once auth fails, stop the debug:
switch # diagnose debug disable
switch # diagnose debug reset -
Run this command after the debug finishes:
switch # diagnose switch 802-1x status
Second debug:
- Start below debugs on a FortiSwitch unit and then connect the client.
switch # diagnose debug disable
switch # diagnose debug reset
switch # diagnose debug application wiredap -1
switch # diagnose debug console time enable
switch # diagnose debug enable
-
Connect the client, and once auth fails, stop the debug.
switch # diagnose debug disable
switch # diagnose debug reset -
Run this command after the debug finishes.
switch # diagnose switch 802-1x status
Third debug:
Run this command after finishing the second debug:
switch # diagnose debug report
Generate 3 separate text files, one per debug, using PuTTY: Technical Tip: How to create a log file of a session using PuTTY.
Related articles:
Bug# 601547 fixed in 6.2.4 FortiOS and later versions FortiOS - Release Notes Version 6.2.4.
Technical Tip: 802.1x port-based vs MAC-based authentication
Technical Tip: How to create a log file of a session using PuTTY
