Port-based 802.1X authentication

This example show how to configure Port-based 802.1X authentication to managed FortiSwitch ports when using FortiLink. Managed FortiSwitch devices will authenticate user devices per each FortiSwitch port. If there is a hub after the FortiSwitch that connects multiple user devices to the same port, they can all access the network after authentication, which is not recommended from a security perspective.

Prerequisites:

l The certificates and authentication protocol supported by the supplicant software and RADIUS server are compatible. l The managed FortiSwitches using FortiLink act as authenticators.

Create a firewall policy to allow the RADIUS authentication related traffic from the Fortilink interface to the outbound interface on the FortiGate:

config firewall policy edit 0 set srcintf “fortilink-interface” set dstintf “outbound-interface-to-RadiusSVR”

set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “RADIUS” set nat enable

next

end

Designate a RADIUS server and create a user group:

Using the CLI:

config user radius edit “Radius1”

set server “172.18.60.203” set secret ENC 1dddddd

next

end config user group edit “Radius-Grp1” set member “Radius1”

next

end

Using the GUI:

1. On the FortiGate, go to User& Device > RADIUS Servers.
2. Edit an existing server, or create a new one.
3. If necessary, add a Name for the server.
4. Set the IP/Name to 18.60.203 and Secret to 1dddddd .
5. Configure other fields as necessary.
6. Click OK.
7. Go to User& Device > UserGroups.
8. Create a new group, and add the RADIUS server to the Remote Groups
9. Click OK.

Use the new user group in a security policy:

Using the CLI:

config switch-controller security-policy 802-1X edit “802-1X-policy-default” set security-mode 802.1X set user-group “Radius-Grp1” set mac-auth-bypass disable set open-auth disable set eap-passthru enable set guest-vlan disable set auth-fail-vlan disable set framevid-apply enable set radius-timeout-overwrite disable

next

end

Configure the guest VLAN, authentication fail VLAN, and other parameters as needed.

Using the GUI:

1. Go to WiFi & Switch Controller> FortiSwitch Security Policies 2. Use the default 802-1X-policy-default, or create a new security policy.
2. Use the RADIUS server group in the policy.
3. Set the Security mode to Port-based.
4. Configure other fields as necessary.
5. Click OK.

Apply the security policy to the ports of the managed FortiSwitches:

Using the CLI:

config switch-controller managed-switch edit S248EPTF1800XXXX config ports edit “port6” set port-security-policy “802-1X-policy-default”

next

end

next

end

Using the GUI:

1. On the FortiGate, go to WiFi & Switch Controller> FortiSwitch VLANs.
2. Configure the VLAN interfaces that are applied on FortiSwitch.

On FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and are available to be applied by firewall policy and other security controls in FortiOS. This means that security boundary is extended to FortiSwitch.

Execute 802.1X authentication on a user device:

On Linux, run wpa_supplicant:

wpa_supplicant -c /etc/wpa_supplicant/local_supplicant.conf -D wired -i eth2 -dd On the FortiGate, view the status of the 802.1X authentication:

diagnose switch-controller switch-info 802.1X Managed Switch : S248EPTF18001384

port6 : Mode: port-based (mac-by-pass disable)

Link: Link up

Port State: authorized: ( )

Dynamic Authorized Vlan : 0

EAP pass-through mode : Enable

Native Vlan : 1

Allowed Vlan list: 1,4093 Untagged Vlan list: 4093 Guest VLAN :

Auth-Fail Vlan :

Sessions info:

00:0c:29:d4:4f:3c    Type=802.1x,MD5,state=AUTHENTICATED,etime=0,eap_cnt=6

params:reAuth=3600

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!