sachitdas_FTNT
Description
This article explains the steps to configure 802.1x authentication on a managed FortiSwitch.

Useful Links.


- https://docs.fortinet.com/product/fortiswitch/6.4
- Page 129: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/daae6d6f-d2a0-11ea-96b9-005056...
- Bug 601547, fixed in FOS 6.2.4 and later versions: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/a9d7edcd-6328-11ea-9384-005056...

Solution
Config example: FGT 6.0.3 and managed FSW 6.0.2.

From GUI.

1) Create the RADIUS server.

The authentication method can be left at the default. The NAS IP is the IP address of the FortiGate interface that is added as a RADIUS client on the RADIUS server; this interface IP is used to communicate with the RADIUS server.





2) Create a user group and map the RADIUS server to it.




3) Create the 802.1x profile.
If MAC address based authentication is used, select the security mode 'MAC-based' and enable 'MAC authentication bypass'.
If 802.1x EAP authentication for clients is used, select the security mode 'Port-based'; there is no need to enable 'MAC authentication bypass'.





4) Map the profile to the switch port.




5) Create a policy from the CLI to allow the RADIUS service.
The incoming interface is the FortiLink interface and the outgoing interface is the one where the RADIUS server is connected.
For example:
# config firewall policy
    edit 1
        set srcintf "MCLAG"    <----- This is the FortiLink interface in the example.
        set dstintf "port1"    <----- This is the LAN interface where the RADIUS server is.
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set nat enable
    next
end
Verify the config from the CLI:

On the FortiGate:
FGT # show user radius
# config user radius

    edit "FCT"
        set server "10.33.165.61"
        set secret ENC H00GGt2qjDdIX4IuNyLM3Yj3kHr41qZ0zR5dyqQabYEANROYf1E2qmsev3NSG1GjC14TlXLah5f5NtlPlms9N3QighfenoKNK9pCccVtxkqnTLua5dBuUVJb2GMFsz44jYh/WPg6m0yZMrk+0knVDQJDgLkOP6vT4OvZ+dmi30tXUJ1cAg3EBPLAFdVktncex0NSQQ==
        set nas-ip 10.33.154.24
    next
end

FGT # show user group FCT
# config user group

    edit "FCT"
        set member "FCT"
    next
end

FGT # show switch-controller security-policy FCT
# config switch-controller security-policy 802-1X

    edit "FCT"
        set user-group "FCT"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set guest-vlan disable
        set guest-auth-delay 20
        set auth-fail-vlan disable
        set radius-timeout-overwrite disable
    next
end

FGT # show switch-controller managed-switch S248EXXXX

.
.
.

        # config ports
            edit "port1"
                set poe-capable 1
                set vlan "vsw.MCLAG"
                set untagged-vlans "qtn.MCLAG"
                set port-security-policy "FCT"
Make sure the policy is configured to allow the RADIUS service.
FGT # show firewall policy 1
# config firewall policy
    edit 1
        set name "all"
        set uuid 7106aed8-febd-51e8-8dd0-417720452421
        set srcintf "MCLAG"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set fsso disable
        set nat enable
    next
end
Verify that the config has been pushed to the FortiSwitch:

SSH into the switch from the FortiGate:

FGT# execute ssh admin@<switchip>

switch # show user radius
# config user radius
    edit "FCT"
        set nas-ip 10.33.154.24
        set radius-port 0
        set secret ENC pEyknaQHimLcfLt2p/kdj7hTC8Q0mnSDgMA9odIQgzHRXEgulaob+NV9kO07qUxHBg1WbQK4iVQfvEtkx6VLl0qwiehzL8o1d4lIDXDgYAvaA/HEjL2gEV6atns2xos5HKulJjXrAEWixCQzECudHrv0ufhK0ffKQqVZWg4x2PdbSJx/
        set server "10.33.165.61"
    next
end

switch # show user group
# config user group

    edit "FCT"
        set member "FCT"
    next
end

switch # show switch interface port1
# config switch interface

    edit "port1"
        set untagged-vlans 4093
        set security-groups "FCT"
        set snmp-index 1
        # config port-security
            set auth-fail-vlan disable
            set eap-passthru enable
            set framevid-apply enable
            set guest-auth-delay 30
            set guest-vlan disable
            set mac-auth-bypass disable
            set open-auth disable
            set port-security-mode 802.1X
            set radius-timeout-overwrite disable
            set auth-fail-vlanid 200
            set guest-vlanid 100
        end
    next
end
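As an added example (not part of the article or of any Fortinet tool), the following Python script parses 'show' output in the FortiOS config format and runs the two checks described above: that the firewall policy in step 5 lets RADIUS traffic from the FortiLink interface reach the server-side interface, and that the port-security block the FortiSwitch actually runs matches the 802.1x security-policy defined on the FortiGate. The sample text is copied from the article's own output; interface names "MCLAG" and "port1" and the function names are this example's assumptions. Run on the article's output it reports exactly one drift: guest-auth-delay is 20 in the FortiGate profile but 30 on the switch port.

```python
"""Added example: parse FortiOS-style 'show' output and check that the 802.1x
configuration on the FortiGate and the managed FortiSwitch are consistent."""
import shlex


def parse_fortios(text):
    """Parse 'config/edit/set/next/end' output into nested dicts.
    A leading '# ' (as printed in the article) and bare '.' lines are ignored."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()
        if not line or line == ".":
            continue
        tokens = shlex.split(line)
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):          # open a nested block
            node = stack[-1].setdefault(" ".join(args), {})
            stack.append(node)
        elif kw in ("next", "end"):           # close the current block
            if len(stack) > 1:
                stack.pop()
        elif kw == "set":                     # single value, or list for multi-word values
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
    return root


def check_radius_policy(policy, fortilink_intf, server_intf):
    """Findings if the policy would not allow RADIUS from FortiLink to the server."""
    findings = []
    if policy.get("srcintf") != fortilink_intf:
        findings.append(f"srcintf is {policy.get('srcintf')!r}, expected {fortilink_intf!r}")
    if policy.get("dstintf") != server_intf:
        findings.append(f"dstintf is {policy.get('dstintf')!r}, expected {server_intf!r}")
    if policy.get("action") != "accept":
        findings.append("action is not accept")
    if policy.get("service") not in ("RADIUS", "ALL"):
        findings.append(f"service {policy.get('service')!r} does not cover RADIUS")
    return findings


def check_port_security(fgt_profile, switch_port):
    """Compare the FortiGate security-policy with the switch port-security block."""
    findings = []
    if switch_port.get("security-groups") != fgt_profile.get("user-group"):
        findings.append("security-groups on the switch does not match user-group")
    sw = switch_port.get("port-security", {})
    for key, fgt_val in fgt_profile.items():      # only keys present on both sides
        if key in sw and sw[key] != fgt_val:
            findings.append(f"{key}: FortiGate {fgt_val!r}, switch {sw[key]!r}")
    return findings


# Sample output taken from the article (constructed test input for this script).
FGT_POLICY_TEXT = """# config firewall policy
    edit 1
        set srcintf "MCLAG"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set nat enable
    next
end"""

FGT_PROFILE_TEXT = """# config switch-controller security-policy 802-1X
    edit "FCT"
        set user-group "FCT"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set guest-vlan disable
        set guest-auth-delay 20
        set auth-fail-vlan disable
        set radius-timeout-overwrite disable
    next
end"""

SWITCH_PORT_TEXT = """# config switch interface
    edit "port1"
        set untagged-vlans 4093
        set security-groups "FCT"
        # config port-security
            set auth-fail-vlan disable
            set eap-passthru enable
            set guest-auth-delay 30
            set guest-vlan disable
            set mac-auth-bypass disable
            set open-auth disable
            set port-security-mode 802.1X
            set radius-timeout-overwrite disable
        end
    next
end"""


def run_checks():
    """Run both checks on the sample output; returns findings per check."""
    policy = parse_fortios(FGT_POLICY_TEXT)["firewall policy"]["1"]
    profile = parse_fortios(FGT_PROFILE_TEXT)["switch-controller security-policy 802-1X"]["FCT"]
    port = parse_fortios(SWITCH_PORT_TEXT)["switch interface"]["port1"]
    return {"radius-policy": check_radius_policy(policy, "MCLAG", "port1"),
            "port-security": check_port_security(profile, port)}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, "OK" if not findings else findings)
```

To use it against a live unit, paste the output of the three 'show' commands into the constants (or read them from files) and keep the FortiLink and server-side interface names in step with the policy you created in step 5.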
Now connect a client to the switch port and try 802.1x authentication.
- Windows client supplicant settings example:

Note that the settings below are just an example; adjust them as per the requirement.

In the screenshots below, EAP-PEAP is used with 'Validate server certificate' unchecked and 'Automatically use my Windows logon name' unchecked.
On the Windows machine, run 'services.msc' and start the 'Wired AutoConfig' service.
Then:







Troubleshooting Steps.
If authentication fails, collect the logs below and open a TAC ticket.

1) Start the debug below on the FSW and then connect the client.
switch # diagnose debug application fnbamd -1
switch # diagnose debug enable

.
Connect the client and, once authentication fails, stop the debug.
.
switch # diagnose debug disable
switch # diagnose debug reset

2) switch # diagnose switch 802-1x status
3) switch # diagnose debug report
4) Check the logs on the RADIUS server side as well.
5) The FortiGate configuration.
6) A network diagram.


Related Articles

Technical Tip: 802.1X authentication failure on managed FortiSwitch upon Certificate refresh or auto...

Technical Tip: 802.1x port-based vs MAC-based authentication
