sachitdas_FTNT
Article Id 194605

Description

 

This article describes how to configure 802.1x authentication on a managed FortiSwitch.

 

Scope

 

FortiSwitch.

 

Solution

 

Configuration example: FortiGate v6.0.3 with a managed FortiSwitch on v6.0.2.
From the GUI:

 

  1. Create a RADIUS server. The authentication method can be set as default. The NAS IP is the IP address of the FortiGate interface that is added as a RADIUS client on the RADIUS server; this interface IP is used to communicate with the RADIUS server.

  2. Create a user group and map the RADIUS server to it.

  3. Create an 802.1x profile. If MAC address-based authentication is configured, select the security mode 'MAC-based' and enable 'MAC authentication bypass'.
     If 802.1x EAP authentication for clients is used, select the security mode 'Port-based'; there is no need to enable 'MAC authentication bypass'.

  4. Map the profile to the switch port.

  5. Create a policy from the CLI to allow the RADIUS service. The incoming interface is the FortiLink interface and the outgoing interface is the one where the RADIUS server is connected.

config firewall policy
    edit 1
        set srcintf "MCLAG"    <----- This is the FortiLink interface in the example.
        set dstintf "port1"    <----- This is the LAN interface where the RADIUS server is.
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set nat enable
    next
end

 

Verify the config from the CLI.

On the FortiGate:

FGT # show user radius
config user radius
    edit "FCT"
        set server "10.33.165.61"
        set secret ENC H00GGt2qjDdIX4IuNyLM3Yj3kHr41qZ0zR5dyqQabYEANROYf1E2qmsev3NSG1GjC14TlXLah5f5NtlPlms9N3QighfenoKNK9pCccVtxkqnTLua5dBuUVJb2GMFsz44jYh/WPg6m0yZMrk+0knVDQJDgLkOP6vT4OvZ+dmi30tXUJ1cAg3EBPLAFdVktncex0NSQQ==
        set nas-ip 10.33.154.24
    next
end

FGT # show user group FCT
config user group
    edit "FCT"
        set member "FCT"
    next
end

FGT # show switch-controller security-policy FCT
config switch-controller security-policy 802-1X
    edit "FCT"
        set user-group "FCT"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set guest-vlan disable
        set guest-auth-delay 20
        set auth-fail-vlan disable
        set radius-timeout-overwrite disable
    next
end

FGT # show switch-controller managed-switch S248EXXXX
config ports
    edit "port1"
        set poe-capable 1
        set vlan "vsw.MCLAG"
        set untagged-vlans "qtn.MCLAG"
        set port-security-policy "FCT" --> Make sure the policy is configured to allow the RADIUS service.


FGT # show firewall policy 1
config firewall policy
    edit 1
        set name "all"
        set uuid 7106aed8-febd-51e8-8dd0-417720452421
        set srcintf "MCLAG"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set fsso disable
        set nat enable
    next
end
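The annotation on the managed-switch port above ("Make sure the policy is configured to allow the RADIUS service") is easy to get wrong when the FortiLink interface name changes. The following added example (not Fortinet code) parses FortiOS `show` output into nested dicts and checks that an enabled accept policy carries RADIUS from the FortiLink interface to the interface where the RADIUS server sits; the sample text is constructed from the interface names in this article.

```python
import re

# Added example, not Fortinet code: parse FortiOS "show" output into nested
# dicts, then confirm a firewall policy allows RADIUS from the FortiLink
# interface to the interface where the RADIUS server sits.
def parse_fortios(text):
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = re.split(r"<-----|-->", raw)[0].strip()   # drop inline annotations
        if not line or " # " in line:                    # skip "FGT # show ..." prompts
            continue
        toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if toks[0] in ("config", "edit"):                # open a nested scope
            stack.append(cur)
            cur = cur.setdefault(" ".join(toks[1:]), {})
        elif toks[0] == "set":                           # multi-value sets stay lists
            cur[toks[1]] = toks[2:]
        elif toks[0] in ("next", "end") and stack:       # close the scope
            cur = stack.pop()
    return root

def radius_path_allowed(cfg, fortilink_intf, server_intf):
    """True if an enabled accept policy carries RADIUS from fortilink_intf (srcintf)
    to server_intf (dstintf). Unset status/action mean FortiOS defaults: enabled, deny."""
    for pol in cfg.get("firewall policy", {}).values():
        if pol.get("status", ["enable"]) == ["disable"]:
            continue
        src, dst = pol.get("srcintf", []), pol.get("dstintf", [])
        if (fortilink_intf in src or "any" in src) and (server_intf in dst or "any" in dst) \
                and pol.get("action") == ["accept"] \
                and set(pol.get("service", [])) & {"RADIUS", "ALL"}:
            return True
    return False

# Constructed sample using the interface names from the article.
SAMPLE = """\
FGT # show firewall policy 1
config firewall policy
    edit 1
        set srcintf "MCLAG"    <----- FortiLink interface
        set dstintf "port1"    <----- interface towards the RADIUS server
        set action accept
        set service "RADIUS"
    next
end
"""

if __name__ == "__main__":
    print("RADIUS path allowed:", radius_path_allowed(parse_fortios(SAMPLE), "MCLAG", "port1"))
```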

 

Verify that the config has been pushed to the FortiSwitch. SSH into the switch from the FortiGate:

 

FGT# execute ssh admin@<switchip>
switch # show user radius
config user radius
    edit "FCT"
        set nas-ip 10.33.154.24
        set radius-port 0
        set secret ENC pEyknaQHimLcfLt2p/kdj7hTC8Q0mnSDgMA9odIQgzHRXEgulaob+NV9kO07qUxHBg1WbQK4iVQfvEtkx6VLl0qwiehzL8o1d4lIDXDgYAvaA/HEjL2gEV6atns2xos5HKulJjXrAEWixCQzECudHrv0ufhK0ffKQqVZWg4x2PdbSJx/
        set server "10.33.165.61"
    next
end

switch # show user group
config user group
    edit "FCT"
        set member "FCT"
    next

switch # show switch interface port1
config switch interface
    edit "port1"
        set untagged-vlans 4093
        set security-groups "FCT"
        set snmp-index 1
            config port-security
                set auth-fail-vlan disable
                set eap-passthru enable
                set framevid-apply enable
                set guest-auth-delay 30
                set guest-vlan disable
                set mac-auth-bypass disable
                set open-auth disable
                set port-security-mode 802.1X
                set radius-timeout-overwrite disable
                set auth-fail-vlanid 200
                set guest-vlanid 100
            end
    next
end

 

Now connect a client to the switch port and try performing 802.1x authentication.

Windows client supplicant settings example:

Note: the settings below are only an example; adjust them as your requirements dictate.

In the screenshots below, EAP-PEAP is used with 'validate server certificate' unchecked and 'automatically use my Windows login name' unchecked.
On a Windows machine, run 'services.msc' and start the 'Wired AutoConfig' service.

Then configure the wired connection's authentication settings as described above.
Troubleshooting:

If authentication fails, collect the logs below in separate files and open a TAC ticket.

First debug:

  1. Start the debug below on the FortiSwitch unit and then connect the client.

    switch # diagnose debug application eap -1
    switch # diagnose debug application fnbamd -1
    switch # diagnose debug console time enable
    switch # diagnose debug enable

  2. Connect the client and, once authentication fails, stop the debug:

    switch # diagnose debug disable
    switch # diagnose debug reset

  3. Run this command after the debug finishes:

    switch # diagnose switch 802-1x status

Second debug:

  1. Start the debugs below on the FortiSwitch unit and then connect the client.

    switch # diagnose debug disable
    switch # diagnose debug reset
    switch # diagnose debug application wiredap -1
    switch # diagnose debug console time enable
    switch # diagnose debug enable

  2. Connect the client and, once authentication fails, stop the debug:

    switch # diagnose debug disable
    switch # diagnose debug reset

  3. Run this command after the debug finishes:

    switch # diagnose switch 802-1x status


Related articles:

Technical Tip: 802.1X authentication failure on managed FortiSwitch upon Certificate refresh or auto...

Technical Tip: 802.1x port-based vs MAC-based authentication