MAC-based 802.1X authentication (En)

# config firewall policy
    edit <policy_ID>
        set srcintf “fortilink-interface”
        set dstintf “outbound-interface-to-RadiusSVR”
        set srcaddr “all”
        set dstaddr “all”
        set action accept
        set schedule “always”
        set service “RADIUS”
        set nat enable
    next
end

2) Designate a RADIUS server and create a user group.

# config user radius
      edit “Radius1″
         set server “172.18.60.203″
         set secret ENC 1dddddd
     next
end
# config user group
     edit “Radius-Grp1″
        set member “Radius1″
     next
end

From GUI.

- On the FortiGate, go to User & Device -> RADIUS Servers.
- Edit an existing server, or create a new one.
- If necessary, add a Name for the server.
- Set the IP/Name to 172.18.60.203 and Secret to 1dddddd .
- Configure other fields as necessary.
- Select ‘OK’.
- Go to User & Device -> User Groups.
- Create a new group, and add the RADIUS server to the Remote Groups list.
- Select ‘OK’.

# config switch-controller security-policy 802-1X
    edit “802-1X-policy-default”
        set security-mode 802.1X-mac-based
        set user-group “Radius-Grp1″
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set guest-vlan disable
        set auth-fail-vlan disable
        set framevid-apply enable
        set radius-timeout-overwrite disable
    next
end

Configure the guest VLAN, authentication fail VLAN, and other parameters as needed.

From GUI.

- Go to Wi-Fi & Switch Controller -> FortiSwitch Security Policies.
- Use the default 802-1X-policy-default, or create a new security policy.
- Use the RADIUS server group in the policy.
- Set the Security mode to MAC-based.
- Configure other fields as necessary.
- Select ‘OK’.

4) Apply the security policy to the ports of the managed FortiSwitches.

# config switch-controller  managed-switch
    edit S248EPTF1800XXXX
        # config ports
            edit “port6″      
                set port-security-policy “802-1X-policy-default”
            next
        end
    next
end

On the FortiSwitch, check the configuration.

# config switch interface
    edit “port6″
        set allowed-vlans 4093
        set untagged-vlans 4093
        set security-groups “Radius-Grp1″             
        set snmp-index 6
        # config port-security
            set auth-fail-vlan disable
            set eap-passthru enable
            set framevid-apply enable
            set guest-auth-delay 30
            set guest-vlan disable
            set mac-auth-bypass disable
            set open-auth disable
            set port-security-mode 802.1X-mac-based
            set radius-timeout-overwrite disable
            set auth-fail-vlanid 200
            set guest-vlanid 100
        end
    next
end

From GUI.

- On the FortiGate, go to WiFi & Switch Controller -> FortiSwitch VLANs.
- Configure the VLAN interfaces that are applied on FortiSwitch.
- On FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces and are available to be applied by firewall policy and other security controls in FortiOS. This means that security boundary is extended to FortiSwitch.

Results.

Execute 802.1X authentication on a user unit.