Created on 12-14-2020 02:24 AM. Edited on 08-08-2025 08:15 AM by Stephen_G.
Description
This article describes how to configure 802.1X authentication on a FortiSwitch managed by a FortiGate over FortiLink, how to verify that the configuration is pushed to the switch, and which debug output to collect when authentication fails.
Scope
FortiSwitch.
Solution
Configuration example: FortiGate v6.0.3 with a managed FortiSwitch running v6.0.2.
From the GUI, create the RADIUS server, the user group and the 802.1X security policy, then create a firewall policy that allows RADIUS from the FortiLink interface to the interface where the RADIUS server is. The same policy from the CLI:
config firewall policy
edit 1
set srcintf "MCLAG" <----- This is the FortiLink interface in the example.
set dstintf "port1" <----- This is the LAN interface where the RADIUS server is.
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "RADIUS"
set nat enable
next
end
Because NAT is enabled on this policy, the RADIUS server sees the requests from the FortiGate's port1 address rather than from the FortiSwitch's FortiLink address, so that address must be defined as a RADIUS client on the server with the same shared secret.
Verify the configuration from the CLI.
On the FortiGate:
FGT # show user radius
config user radius
edit "FCT"
set server "10.33.165.61"
set secret ENC H00GGt2qjDdIX4IuNyLM3Yj3kHr41qZ0zR5dyqQabYEANROYf1E2qmsev3NSG1GjC14TlXLah5f5NtlPlms9N3QighfenoKNK9pCccVtxkqnTLua5dBuUVJb2GMFsz44jYh/WPg6m0yZMrk+0knVDQJDgLkOP6vT4OvZ+dmi30tXUJ1cAg3EBPLAFdVktncex0NSQQ==
set nas-ip 10.33.154.24
next
end
FGT # show user group FCT
config user group
edit "FCT"
set member "FCT"
next
end
FGT # show switch-controller security-policy 802-1X FCT
config switch-controller security-policy 802-1X
edit "FCT"
set user-group "FCT"
set mac-auth-bypass disable
set open-auth disable
set eap-passthru enable
set guest-vlan disable
set guest-auth-delay 20
set auth-fail-vlan disable
set radius-timeout-overwrite disable
next
end
FGT # show switch-controller managed-switch S248EXXXX
config ports
edit "port1"
set poe-capable 1
set vlan "vsw.MCLAG"
set untagged-vlans "qtn.MCLAG"
set port-security-policy "FCT" <----- Assigns the 802.1X security policy to the port. Make sure a firewall policy allows the RADIUS service from the FortiLink interface to the RADIUS server (policy 1 below).
next
end
next
end
FGT # show firewall policy 1
config firewall policy
edit 1
set name "all"
set uuid 7106aed8-febd-51e8-8dd0-417720452421
set srcintf "MCLAG"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "RADIUS"
set fsso disable
set nat enable
next
end
Verify that the configuration has been pushed to the FortiSwitch.
SSH into the switch from the FortiGate:
FGT # execute ssh admin@<switchip>
switch # show user radius
config user radius
edit "FCT"
set nas-ip 10.33.154.24
set radius-port 0
set secret ENC pEyknaQHimLcfLt2p/kdj7hTC8Q0mnSDgMA9odIQgzHRXEgulaob+NV9kO07qUxHBg1WbQK4iVQfvEtkx6VLl0qwiehzL8o1d4lIDXDgYAvaA/HEjL2gEV6atns2xos5HKulJjXrAEWixCQzECudHrv0ufhK0ffKQqVZWg4x2PdbSJx/
set server "10.33.165.61"
next
end
switch # show user group
config user group
edit "FCT"
set member "FCT"
next
end
switch # show switch interface port1
config switch interface
edit "port1"
set untagged-vlans 4093
set security-groups "FCT"
set snmp-index 1
config port-security
set auth-fail-vlan disable
set eap-passthru enable
set framevid-apply enable
set guest-auth-delay 30
set guest-vlan disable
set mac-auth-bypass disable
set open-auth disable
set port-security-mode 802.1X
set radius-timeout-overwrite disable
set auth-fail-vlanid 200
set guest-vlanid 100
end
next
end
Now connect a client to the switch port and attempt 802.1X authentication. On a Windows client the Wired AutoConfig service must be running and the authentication method selected on the adapter's Authentication tab must match the EAP method offered by the RADIUS server.
Windows client supplicant settings example:
Before troubleshooting, it is important to understand the authentication request process:
| Step | Sender | Receiver | Message/Frame | Protocol | Purpose / Notes |
|---|---|---|---|---|---|
| 0 | Supplicant | Authenticator | Link up | L2 | Physical link established; the uncontrolled port passes EAPOL only, all other traffic is blocked until the port is authorized. |
| 1 (optional) | Supplicant | Authenticator | EAPOL-Start | EAPOL | Prompts the authenticator to begin the 802.1X exchange. |
| 2 | Authenticator | Supplicant | EAP-Request/Identity | EAPOL (EAP) | Asks the client for its identity (username/NAI). If no EAPOL-Start is seen, the authenticator initiates this itself after link up. |
| 3 | Supplicant | Authenticator | EAP-Response/Identity | EAPOL (EAP) | Provides the identity. The port is still unauthorized. |
| 4 | Authenticator | Authentication Server | Access-Request (EAP-Message = EAP-Response/Identity) | RADIUS | Encapsulates the client's EAP response in RADIUS together with NAS information (NAS-IP-Address, NAS-Port/NAS-Port-Id, Calling-Station-Id = client MAC) and a Message-Authenticator. |
| 5 | Authentication Server | Authenticator | Access-Challenge (EAP-Request ...) | RADIUS | Instructs the next EAP method step (for example EAP-TLS handshake, PEAP start). |
| 6 | Authenticator | Supplicant | EAP-Request (method-specific) | EAPOL (EAP) | Relays the challenge/handshake to the client. |
| 7 | Supplicant | Authenticator | EAP-Response (method-specific) | EAPOL (EAP) | Provides method data (certificate, proof, inner authentication, etc.). |
| 8 | Authenticator | Authentication Server | Access-Request (EAP-Message = EAP-Response ...) | RADIUS | Relays until the method completes; steps 5 to 8 repeat several times. |
| 9a (success) | Authentication Server | Authenticator | Access-Accept + EAP-Success | RADIUS | Authentication succeeded; may carry attributes (VLAN, ACLs, dACL, QoS, Session-Timeout). |
| 9b (failure) | Authentication Server | Authenticator | Access-Reject + EAP-Failure | RADIUS | Authentication failed; the port stays unauthorized (or moves to the auth-fail VLAN when one is configured). |
| 10 | Authenticator | Supplicant | EAP-Success or EAP-Failure | EAPOL (EAP) | Relays the result; on success the controlled port is authorized and normal traffic is forwarded. |
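The authenticator-side relay of steps 3 to 6 above (EAPOL in from the supplicant, RADIUS out to the server, and checking the server's reply before anything is sent back to the client), as an added example in Python with the standard library only. This is not code from the original article or from Fortinet; the shared secret, identity, client MAC and the EAP-Request payload in the Access-Challenge are constructed values, and the NAS-IP-Address is the nas-ip from the configuration above. Two details matter for troubleshooting: RFC 3579 makes the Message-Authenticator attribute mandatory on every RADIUS packet that carries EAP-Message, and RFC 2865 requires the authenticator to silently discard any reply whose Response Authenticator does not verify, which is why a wrong shared secret shows up on the switch as a RADIUS timeout rather than as an explicit reject.

```python
# Added example, not code from the original article or from Fortinet.
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, CALLING_STATION_ID = 1, 4, 5, 31
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
# EAPOL / EAP constants (IEEE 802.1X, RFC 3748)
EAPOL_EAP_PACKET, EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY = 0, 1, 2, 1


def parse_eapol_eap(frame: bytes) -> bytes:
    """Return the EAP packet inside an EAPOL frame: version(1) type(1) length(2) body."""
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("not an EAPOL EAP-Packet (Start/Logoff are handled locally)")
    eap = frame[4:4 + length]
    if struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("EAP length does not match EAPOL body")
    return eap


def _attr(atype: int, value: bytes) -> bytes:
    """One RADIUS TLV: type(1) length(1) value, value at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> list:
    """Split the attribute area of a RADIUS packet into (type, value) pairs, in order."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def build_access_request(eap, ident, secret, nas_ip, nas_port, client_mac, request_auth):
    """Step 4: wrap one EAP packet in an Access-Request with NAS info and Message-Authenticator."""
    attrs = _attr(USER_NAME, eap[5:])  # EAP-Response/Identity type-data is the NAI
    attrs += _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += _attr(NAS_PORT, struct.pack("!I", nas_port))
    attrs += _attr(CALLING_STATION_ID, client_mac.encode())
    for i in range(0, len(eap), 253):  # large EAP packets (EAP-TLS) span several EAP-Message
        attrs += _attr(EAP_MESSAGE, eap[i:i + 253])
    attrs += _attr(MESSAGE_AUTHENTICATOR, bytes(16))  # HMAC-MD5 is computed with this zeroed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def build_server_reply(code, ident, request_auth, secret, eap):
    """What the RADIUS server sends back; used here only to generate sample traffic."""
    attrs = b"".join(_attr(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))
    attrs += _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    attrs = attrs[:-16] + hmac.new(secret, hdr + request_auth + attrs, hashlib.md5).digest()
    return hdr + hashlib.md5(hdr + request_auth + attrs + secret).digest() + attrs


def verify_response(pkt, request_auth, secret):
    """Steps 5/9: authenticate a server reply before relaying its EAP payload; returns (code, eap)."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length mismatch")
    resp_auth, raw = pkt[4:20], pkt[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 s.3
    if not hmac.compare_digest(hashlib.md5(pkt[:4] + request_auth + raw + secret).digest(), resp_auth):
        raise ValueError("bad Response Authenticator: wrong secret or tampered packet, drop it")
    attrs = parse_attrs(raw)
    ma = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(ma) != 1:
        raise ValueError("Message-Authenticator is mandatory with EAP-Message (RFC 3579 s.3.2)")
    zeroed = b"".join(_attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    if not hmac.compare_digest(hmac.new(secret, pkt[:4] + request_auth + zeroed, hashlib.md5).digest(), ma[0]):
        raise ValueError("bad Message-Authenticator, drop it")
    return code, b"".join(v for t, v in attrs if t == EAP_MESSAGE)


def demo() -> dict:
    """Run one step 3-6 round trip on constructed sample data (secret, identity, MAC are made up)."""
    secret, identity, eap_id = b"example-shared-secret", b"alice@example.net", 7
    eap_resp = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity
    eapol = struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap_resp)) + eap_resp
    request_auth = os.urandom(16)  # fresh random per Access-Request
    req = build_access_request(parse_eapol_eap(eapol), 1, secret, "10.33.154.24", 1,
                               "00-11-22-33-44-55", request_auth)
    # Server continues with EAP-Request/PEAP (type 25, S flag): a constructed Access-Challenge
    eap_req = struct.pack("!BBHBB", EAP_REQUEST, eap_id + 1, 6, 25, 0x20)
    code, relayed = verify_response(build_server_reply(ACCESS_CHALLENGE, 1, request_auth, secret, eap_req),
                                    request_auth, secret)
    try:  # a reply signed with another secret (or altered on the wire) must never reach the supplicant
        verify_response(build_server_reply(ACCESS_CHALLENGE, 1, request_auth, b"wrong", eap_req),
                        request_auth, secret)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"user_name": dict(parse_attrs(req[20:]))[USER_NAME], "code": code,
            "relayed_eap": relayed, "forged_rejected": forged_rejected}
```

Running demo() returns the User-Name the server will see (taken from the EAP-Response/Identity), the Access-Challenge code 11 and the EAP-Request bytes that are handed back to the supplicant in step 6; the reply built with the wrong secret is rejected before any of it is relayed.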
If authentication fails, collect the three debug outputs below, each in a separate file, and open a TAC ticket. Include the MAC address of the test device.
First debug:
switch # diagnose debug application eap -1
switch # diagnose debug application fnbamd -1
switch # diagnose debug console timestamp enable
switch # diagnose debug enable
Connect the client, and once auth fails, stop the debug:
switch # diagnose debug disable
switch # diagnose debug reset
Run this command after the debug finishes:
switch # diagnose switch 802-1x status
Second debug:
switch # diagnose debug disable
switch # diagnose debug reset
switch # diagnose debug application wiredap -1
switch # diagnose debug console timestamp enable
switch # diagnose debug enable
Connect the client, and once auth fails, stop the debug:
switch # diagnose debug disable
switch # diagnose debug reset
Run this command after the debug finishes:
switch # diagnose switch 802-1x status
Third debug:
Run this command after finishing the second debug:
switch # diagnose debug report
Save the output as three separate text files, one per debug, for example by logging the PuTTY session (see Technical Tip: How to create a log file of a session using PuTTY).
Related articles:
Bug 601547, fixed in FortiOS 6.2.4 and later (FortiOS Release Notes, version 6.2.4).
Technical Tip: 802.1x port-based vs MAC-based authentication
Technical Tip: How to create a log file of a session using PuTTY
Copyright 2025 Fortinet, Inc. All Rights Reserved.