MAC-based 802.1X authentication

This example shows how to configure MAC-based 802.1X authentication on managed FortiSwitch ports when using FortiLink. Managed FortiSwitch devices authenticate and record the MAC addresses of user devices. If there is a hub behind the FortiSwitch port that connects multiple user devices, each device can access the network only after it individually passes authentication.

Prerequisites:

  • The certificates and authentication protocol supported by the supplicant software and RADIUS server are compatible.
  • The managed FortiSwitches using FortiLink act as authenticators.

Create a firewall policy to allow the RADIUS authentication-related traffic from the FortiLink interface to the outbound interface on the FortiGate:

config firewall policy
    edit 0
        set srcintf "fortilink-interface"
        set dstintf "outbound-interface-to-RadiusSVR"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set nat enable
    next
end

Designate a RADIUS server and create a user group:

Using the CLI:

config user radius
    edit "Radius1"
        set server "172.18.60.203"
        set secret ENC 1dddddd
    next
end
config user group
    edit "Radius-Grp1"
        set member "Radius1"
    next
end

Using the GUI:

  1. On the FortiGate, go to User & Device > RADIUS Servers.
  2. Edit an existing server, or create a new one.
  3. If necessary, add a Name for the server.
  4. Set the IP/Name to 172.18.60.203 and Secret to 1dddddd.
  5. Configure other fields as necessary.
  6. Click OK.
  7. Go to User & Device > User Groups.
  8. Create a new group, and add the RADIUS server to the Remote Groups.
  9. Click OK.

Use the new user group in a security policy:

Using the CLI:

config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set security-mode 802.1X-mac-based
        set user-group "Radius-Grp1"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set guest-vlan disable
        set auth-fail-vlan disable
        set framevid-apply enable
        set radius-timeout-overwrite disable
    next
end

Configure the guest VLAN, authentication fail VLAN, and other parameters as needed.

Using the GUI:

  1. Go to WiFi & Switch Controller > FortiSwitch Security Policies.
  2. Use the default 802-1X-policy-default, or create a new security policy.
  3. Use the RADIUS server group in the policy.
  4. Set the Security mode to MAC-based.
  5. Configure other fields as necessary.
  6. Click OK.

Apply the security policy to the ports of the managed FortiSwitches:

Using the CLI:

config switch-controller managed-switch
    edit S248EPTF1800XXXX
        config ports
            edit "port6"
                set port-security-policy "802-1X-policy-default"
            next
        end
    next
end

On the FortiSwitch, check the configuration:

config switch interface
    edit "port6"
        set allowed-vlans 4093
        set untagged-vlans 4093
        set security-groups "Radius-Grp1"
        set snmp-index 6
        config port-security
            set auth-fail-vlan disable
            set eap-passthru enable
            set framevid-apply enable
            set guest-auth-delay 30
            set guest-vlan disable
            set mac-auth-bypass disable
            set open-auth disable
            set port-security-mode 802.1X-mac-based
            set radius-timeout-overwrite disable
            set auth-fail-vlanid 200
            set guest-vlanid 100
        end
    next
end

Using the GUI:

  1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
  2. Configure the VLAN interfaces that are applied on FortiSwitch.

On the FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and can be referenced by firewall policies and other security controls in FortiOS. This means that the security boundary is extended to the FortiSwitch.

Execute 802.1X authentication on a user device:

On Linux, run wpa_supplicant:

    wpa_supplicant -c /etc/wpa_supplicant/local_supplicant.conf -D wired -i eth2 -dd

On the FortiGate, view the status of the 802.1X authentication:

diagnose switch-controller switch-info 802.1X
Managed Switch : S248EPTF1800XXXX

port6 : Mode: mac-based (mac-by-pass disable)      --> MAC-based
Link: Link up
Port State: authorized: ( )                         --> "authorized" means authentication passed; otherwise "failed" is shown.
EAP pass-through mode : Enable
Native Vlan : 1
Allowed Vlan list: 1,4093
Untagged Vlan list: 1,4093
Guest VLAN :
Auth-Fail Vlan :

Switch sessions 1/240,    Local port sessions:1/20
Client    MAC          Type    Vlan Dynamic-Vlan
00:0c:29:d4:4f:3c     802.1x      1      0          --> The user device that passed authentication can access the network. Its MAC address is recorded, while other user devices on the same FortiSwitch port are still not allowed access.

Sessions info:
00:0c:29:d4:4f:3c    Type=802.1x,MD5,state=AUTHENTICATED,etime=6,eap_cnt=3
params:reAuth=3600
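When several managed switches and ports are involved, reading the diagnose output by eye does not scale. The following Python script is an added example (editor's code, not Fortinet's or the original page's) that parses the `diagnose switch-controller switch-info 802.1X` output shown above into structured records and produces a per-port summary: which MACs are authenticated, which sessions are in any other state, and which sessions used an EAP method that does not authenticate the RADIUS server (EAP-MD5, the method visible in the output above). The line formats are taken from that output; the second port (port7) and its two PEAP sessions are constructed for illustration, as is the state value HELD.

```python
"""Parse 'diagnose switch-controller switch-info 802.1X' output and summarize
per-port 802.1X state. Added example code; not Fortinet code.
Line formats follow the FortiGate output shown on this page; port7 and its
sessions below are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the layout of the FortiGate output above.
# port6 is copied from that output; port7 is invented to show a mixed port.
SAMPLE_OUTPUT = """\
Managed Switch : S248EPTF1800XXXX

port6 : Mode: mac-based (mac-by-pass disable)
Link: Link up
Port State: authorized: ( )
EAP pass-through mode : Enable
Native Vlan : 1
Allowed Vlan list: 1,4093
Untagged Vlan list: 1,4093
Guest VLAN :
Auth-Fail Vlan :
Switch sessions 1/240,    Local port sessions:1/20
Client    MAC          Type    Vlan Dynamic-Vlan
00:0c:29:d4:4f:3c     802.1x      1      0
Sessions info:
00:0c:29:d4:4f:3c    Type=802.1x,MD5,state=AUTHENTICATED,etime=6,eap_cnt=3
params:reAuth=3600

port7 : Mode: mac-based (mac-by-pass disable)
Link: Link up
Port State: authorized: ( )
Sessions info:
00:0c:29:aa:bb:01    Type=802.1x,PEAP,state=AUTHENTICATED,etime=120,eap_cnt=9
00:0c:29:aa:bb:02    Type=802.1x,PEAP,state=HELD,etime=0,eap_cnt=4
params:reAuth=3600
"""

# EAP methods that provide no server authentication and no TLS protection of
# the credential exchange; worth flagging when they appear in sessions.
WEAK_EAP_METHODS = {"MD5"}

SWITCH_RE = re.compile(r"^Managed Switch\s*:\s*(\S+)")
PORT_RE = re.compile(r"^(port\d+)\s*:\s*Mode:\s*(\S+)")
LINK_RE = re.compile(r"^Link:\s*(.+?)\s*$")
STATE_RE = re.compile(r"^Port State:\s*(\w+)")
SESSION_RE = re.compile(
    r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+Type=([^,]+),([^,]+),state=(\w+)", re.I)


@dataclass
class Session:
    mac: str
    auth_type: str   # e.g. "802.1x"
    method: str      # EAP method, e.g. "MD5" or "PEAP"
    state: str       # e.g. "AUTHENTICATED"


@dataclass
class PortStatus:
    name: str
    mode: str
    link: str = ""
    state: str = ""
    sessions: list = field(default_factory=list)


def parse_8021x_status(text):
    """Return {'switch': serial, 'ports': [PortStatus, ...]} from the diagnose output."""
    switch, ports, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SWITCH_RE.match(line)):
            switch = m.group(1)
        elif (m := PORT_RE.match(line)):
            current = PortStatus(name=m.group(1), mode=m.group(2))
            ports.append(current)
        elif current is None:
            continue                      # header lines before the first port
        elif (m := LINK_RE.match(line)):
            current.link = m.group(1)
        elif (m := STATE_RE.match(line)):
            current.state = m.group(1)
        elif (m := SESSION_RE.match(line)):
            current.sessions.append(
                Session(m.group(1).lower(), m.group(2), m.group(3), m.group(4).upper()))
    return {"switch": switch, "ports": ports}


def summarize(ports):
    """Per port: authenticated MACs, MACs in any other state, and MACs that used a weak EAP method."""
    report = {}
    for p in ports:
        entry = {"port_state": p.state, "authenticated": [], "not_authenticated": [], "weak_eap": []}
        for s in p.sessions:
            bucket = "authenticated" if s.state == "AUTHENTICATED" else "not_authenticated"
            entry[bucket].append(s.mac)
            if s.method.upper() in WEAK_EAP_METHODS:
                entry["weak_eap"].append(s.mac)
        report[p.name] = entry
    return report


if __name__ == "__main__":
    parsed = parse_8021x_status(SAMPLE_OUTPUT)
    print("switch:", parsed["switch"])
    for port, entry in summarize(parsed["ports"]).items():
        print(port, entry)
```

Run as-is it summarizes the embedded sample; in practice feed it the text captured from the FortiGate CLI. The `weak_eap` list is the useful signal for the prerequisite stated at the top of the page: a session that authenticated with EAP-MD5 means the supplicant and RADIUS server negotiated a method with no server certificate check, so a device on that port has no way to tell the real authenticator from an impostor.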



This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
