Port-based 802.1X authentication
This example shows how to configure port-based 802.1X authentication on managed FortiSwitch ports when using FortiLink. Managed FortiSwitch devices authenticate user devices per FortiSwitch port. If a hub behind the FortiSwitch connects multiple user devices to the same port, all of them gain network access once any one of them authenticates, which is not recommended from a security perspective.
Prerequisites:
- The certificates and authentication protocol supported by the supplicant software and RADIUS server are compatible.
- The managed FortiSwitches using FortiLink act as authenticators.
Create a firewall policy to allow the RADIUS authentication traffic from the FortiLink interface to the outbound interface on the FortiGate:
config firewall policy
    edit 0
        set srcintf "fortilink-interface"
        set dstintf "outbound-interface-to-RadiusSVR"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set nat enable
    next
end
Designate a RADIUS server and create a user group:
Using the CLI:
config user radius
    edit "Radius1"
        set server "172.18.60.203"
        set secret ENC 1dddddd
    next
end
config user group
    edit "Radius-Grp1"
        set member "Radius1"
    next
end
Using the GUI:
- On the FortiGate, go to User & Device > RADIUS Servers.
- Edit an existing server, or create a new one.
- If necessary, add a Name for the server.
- Set the IP/Name to 172.18.60.203 and Secret to 1dddddd.
- Configure other fields as necessary.
- Click OK.
- Go to User & Device > User Groups.
- Create a new group, and add the RADIUS server to the Remote Groups.
- Click OK.
Use the new user group in a security policy:
Using the CLI:
config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set security-mode 802.1X
        set user-group "Radius-Grp1"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set guest-vlan disable
        set auth-fail-vlan disable
        set framevid-apply enable
        set radius-timeout-overwrite disable
    next
end
Configure the guest VLAN, authentication fail VLAN, and other parameters as needed.
Using the GUI:
- Go to WiFi & Switch Controller > FortiSwitch Security Policies.
- Use the default 802-1X-policy-default, or create a new security policy.
- Use the RADIUS server group in the policy.
- Set the Security mode to Port-based.
- Configure other fields as necessary.
- Click OK.
Apply the security policy to the ports of the managed FortiSwitches:
Using the CLI:
config switch-controller managed-switch
    edit S248EPTF1800XXXX
        config ports
            edit "port6"
                set port-security-policy "802-1X-policy-default"
            next
        end
    next
end
Using the GUI:
- On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
- Configure the VLAN interfaces that are applied on the FortiSwitch.
On the FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and can be referenced by firewall policies and other security controls in FortiOS. This means that the security boundary is extended to the FortiSwitch.
Execute 802.1X authentication on a user device:
On Linux, run wpa_supplicant:
wpa_supplicant -c /etc/wpa_supplicant/local_supplicant.conf -D wired -i eth2 -dd
On the FortiGate, view the status of the 802.1X authentication:
diagnose switch-controller switch-info 802.1X
Managed Switch : S248EPTF18001384
port6 : Mode: port-based (mac-by-pass disable)
Link: Link up
Port State: authorized: ( )
Dynamic Authorized Vlan : 0
EAP pass-through mode : Enable
Native Vlan : 1
Allowed Vlan list: 1,4093
Untagged Vlan list: 4093
Guest VLAN :
Auth-Fail Vlan :
Sessions info:
00:0c:29:d4:4f:3c Type=802.1x,MD5,state=AUTHENTICATED,etime=0,eap_cnt=6
params:reAuth=3600