sachitdas_FTNT
Article Id 194605

Description

 

This article describes how to configure 802.1x authentication on a managed FortiSwitch.

 

Scope

 

FortiSwitch.

 

Solution

 

Configuration example: FortiGate v6.0.3 with a managed FortiSwitch running v6.0.2.
Configuration from the GUI:

 

  1. Create a RADIUS server. The authentication method can be left as default. The NAS IP is the IP address of the FortiGate interface that is added as a RADIUS client on the RADIUS server; this interface IP is used to communicate with the RADIUS server.

  2. Create a user group and map the RADIUS server to it.

  3. Create an 802.1x profile. For MAC address-based authentication, set the security mode to 'MAC-based' and enable 'MAC authentication bypass'.
     For 802.1x EAP authentication of clients, set the security mode to 'Port-based'; 'MAC authentication bypass' does not need to be enabled.

  4. Map the profile to the switch port.

  5. Create a policy from the CLI to allow the RADIUS service. The incoming interface is the FortiLink interface and the outgoing interface is the one where the RADIUS server is connected.

config firewall policy
    edit 1
        set srcintf "MCLAG"    <----- This is the FortiLink interface in the example.
        set dstintf "port1"    <----- This is the LAN interface where the RADIUS server is.
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set nat enable
    next
end

 

Verify the configuration from the FortiGate CLI:


FGT # show user radius
config user radius
    edit "FCT"
        set server "10.33.165.61"
        set secret ENC H00GGt2qjDdIX4IuNyLM3Yj3kHr41qZ0zR5dyqQabYEANROYf1E2qmsev3NSG1GjC14TlXLah5f5NtlPlms9N3QighfenoKNK9pCccVtxkqnTLua5dBuUVJb2GMFsz44jYh/WPg6m0yZMrk+0knVDQJDgLkOP6vT4OvZ+dmi30tXUJ1cAg3EBPLAFdVktncex0NSQQ==
        set nas-ip 10.33.154.24
    next
end

FGT # show user group FCT
config user group
    edit "FCT"
        set member "FCT"
    next
end

FGT # show switch-controller security-policy FCT
config switch-controller security-policy 802-1X
    edit "FCT"
        set user-group "FCT"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set guest-vlan disable
        set guest-auth-delay 20
        set auth-fail-vlan disable
        set radius-timeout-overwrite disable
    next
end

FGT # show switch-controller managed-switch S248EXXXX
config ports
    edit "port1"
        set poe-capable 1
        set vlan "vsw.MCLAG"
        set untagged-vlans "qtn.MCLAG"
        set port-security-policy "FCT" --> Make sure the policy is configured to allow the RADIUS service.


FGT # show firewall policy 1
config firewall policy
    edit 1
        set name "all"
        set uuid 7106aed8-febd-51e8-8dd0-417720452421
        set srcintf "MCLAG"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set fsso disable
        set nat enable
    next
end

 

Verify that the configuration has been pushed to the FortiSwitch by SSHing into the switch from the FortiGate:

 

FGT# execute ssh admin@<switchip>
switch # show user radius
config user radius
    edit "FCT"
        set nas-ip 10.33.154.24
        set radius-port 0
        set secret ENC pEyknaQHimLcfLt2p/kdj7hTC8Q0mnSDgMA9odIQgzHRXEgulaob+NV9kO07qUxHBg1WbQK4iVQfvEtkx6VLl0qwiehzL8o1d4lIDXDgYAvaA/HEjL2gEV6atns2xos5HKulJjXrAEWixCQzECudHrv0ufhK0ffKQqVZWg4x2PdbSJx/
        set server "10.33.165.61"
    next
end

switch # show user group
config user group
    edit "FCT"
        set member "FCT"
    next

switch # show switch interface port1
config switch interface
    edit "port1"
        set untagged-vlans 4093
        set security-groups "FCT"
        set snmp-index 1
            config port-security
                set auth-fail-vlan disable
                set eap-passthru enable
                set framevid-apply enable
                set guest-auth-delay 30
                set guest-vlan disable
                set mac-auth-bypass disable
                set open-auth disable
                set port-security-mode 802.1X
                set radius-timeout-overwrite disable
                set auth-fail-vlanid 200
                set guest-vlanid 100
            end
    next
end

 

Now, connect a client to the switch port and attempt to perform 802.1x authentication.

Windows client supplicant settings example:

Note: The settings below are just an example; manage the settings as per the requirement.

In this example, EAP-PEAP is used with 'validate server certificate' unchecked and 'automatically use my Windows login name' unchecked. Leaving server certificate validation disabled is suitable only for a lab test; in production, enable it so that the supplicant only submits credentials to a trusted RADIUS server.
On a Windows machine, run 'services.msc' and start the 'Wired AutoConfig' service.

Then, go to Control Panel -> Network and Internet -> Network and Sharing Center -> Select the network adapter.
Troubleshooting:

Before troubleshooting, it is important to understand the roles in the authentication request process:

  • Supplicant: the end host (client).
  • Authenticator: the switch.
  • Authentication Server: the RADIUS server (e.g., FortiAuthenticator, ISE, ClearPass, FreeRADIUS, Duo).

 

| Step | Sender | Receiver | Message/Frame | Protocol | Purpose / Notes |
|---|---|---|---|---|---|
| 0 | Supplicant | Authenticator | Link up | L2 | Physical link established; uncontrolled port always open for EAPOL only. |
| 1 (opt) | Supplicant | Authenticator | EAPOL-Start | EAPOL | Prompt authenticator to begin 802.1X exchange. Optional. |
| 2 | Authenticator | Supplicant | EAP-Request/Identity | EAPOL (EAP) | Ask client for identity (username/NAI). If no Start seen, authenticator may initiate this. |
| 3 | Supplicant | Authenticator | EAP-Response/Identity | EAPOL (EAP) | Provide identity. Port is still unauthorized. |
| 4 | Authenticator | Authentication Server | Access-Request (EAP-Response/Identity) | RADIUS | Encapsulate client's EAP response into RADIUS. Includes NAS info (port, MAC, SSID). |
| 5 | Authentication Server | Authenticator | Access-Challenge (EAP-Request …) | RADIUS | Instruct next EAP method step (e.g., EAP-TLS handshake, PEAP start). |
| 6 | Authenticator | Supplicant | EAP-Request (method-specific) | EAPOL (EAP) | Relay challenge/handshake to client. |
| 7 | Supplicant | Authenticator | EAP-Response (method-specific) | EAPOL (EAP) | Provide method data (certs, proofs, inner auth, etc.). |
| 8 | Authenticator | Authentication Server | Access-Request (EAP-Response …) | RADIUS | Keep relaying until method completes. Multiple 5-8 cycles occur. |
| 9a (success) | Authentication Server | Authenticator | Access-Accept + EAP-Success | RADIUS | Success; may include attributes (VLAN, ACLs, dACL, QoS, session-timeout). |
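The following is an added example in Python (not code from the article or from Fortinet) of what happens at step 4: the authenticator wraps the supplicant's EAP-Response/Identity in a RADIUS Access-Request that carries the NAS-IP-Address configured above (10.33.154.24) and a Message-Authenticator, which the RADIUS server recomputes with its copy of the shared secret and silently discards the request if it does not match. The shared secret, client MAC and username are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
# RADIUS attribute types (RFC 2865 / RFC 3579)
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, CALLING_STATION_ID = 1, 4, 5, 31
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

def eap_response_identity(eap_id, identity):
    """EAP packet: Code=2 (Response), Identifier, Length, Type=1 (Identity), data."""
    body = b"\x01" + identity.encode()
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body

def avp(attr_type, value):
    """RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return bytes([attr_type, 2 + len(value)]) + value

def build_access_request(secret, nas_ip, nas_port, client_mac, identity,
                         eap_id=1, pkt_id=0, authenticator=None):
    """Step 4 of the exchange: the authenticator (switch) wraps the EAP response in RADIUS."""
    authenticator = authenticator or os.urandom(16)  # 16-byte Request Authenticator
    attrs = (avp(USER_NAME, identity.encode())
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(NAS_PORT, struct.pack("!I", nas_port))
             + avp(CALLING_STATION_ID, client_mac.encode())
             + avp(EAP_MESSAGE, eap_response_identity(eap_id, identity))
             + avp(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed while computing the HMAC
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs))
    pkt = header + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute, so overwrite its value

def verify_message_authenticator(secret, pkt):
    """Server-side check: recompute HMAC-MD5 over the packet with the configured shared secret."""
    pos = 20
    while pos + 2 <= len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2:
            return False  # malformed attribute length
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += length
    return False  # RFC 3579 requires Message-Authenticator whenever EAP-Message is present
```

A mismatched secret on either side fails the check in the same way as a tampered packet, which is why the RADIUS server logs nothing useful and the supplicant just times out.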

 

If authentication fails, collect the logs below in separate files and open a TAC ticket. Mention the MAC address of the testing device.

 

First debug:

  1. Start the debug below on the FortiSwitch unit, and then connect the client.

switch # diagnose debug application eap -1

switch # diagnose debug application fnbamd -1

switch # diagnose debug console time enable

switch # diagnose debug enable

  2. Connect the client, and once authentication fails, stop the debug:

    switch # diagnose debug disable
    switch # diagnose debug reset

  3. Run this command after the debug finishes:

    switch # diagnose switch 802-1x status

     

Second debug:

  1. Start the debugs below on the FortiSwitch unit, and then connect the client.

switch # diagnose debug disable

switch # diagnose debug reset

switch # diagnose debug application wiredap -1

switch # diagnose debug console time enable

switch # diagnose debug enable

  2. Connect the client, and once authentication fails, stop the debug:

    switch # diagnose debug disable
    switch # diagnose debug reset

  3. Run this command after the debug finishes:

    switch # diagnose switch 802-1x status

 

Third debug:

Run this command after finishing the second debug:

 

switch # diagnose debug report

 

Generate 3 separate text files, one per debug, using PuTTY: Technical Tip: How to create a log file of a session using PuTTY.

 

Related articles:

Bug 601547 is fixed in FortiOS 6.2.4 and later versions: FortiOS Release Notes, version 6.2.4.

Technical Tip: 802.1X authentication failure on managed FortiSwitch upon Certificate refresh or auto...

Technical Tip: 802.1x port-based vs MAC-based authentication

Technical Tip: How to create a log file of a session using PuTTY