FortiSwitch port security policy

The features listed here are valuable in endpoint authorization and access-control within a retail/enterprise LAN environment. In a FortiLink setup, you can configure these capabilities from the FortiGate while endpoints are connected to switch ports.

In FortiLink mode, you must manually create a firewall policy to allow RADIUS traffic for 802.1X authentication from the FortiSwitch (for example, from the FortiLink interface) to the RADIUS server through the FortiGate.

End devices fall into two supported categories: those that support an 802.1X client (supplicant) and those that do not.

Before the Managed Release 5.6.0, only the following configuration was supported per VLAN:

  • 802.1X

With Managed Release 5.6.0, additional port security features are available:

  • Move 802.1X control from VLAN to port
    • Previously, only one VLAN could be assigned to a port. Because both tagged and untagged VLANs are allowed from 5.4.x, per-VLAN control is no longer suitable, and 802.1X control is migrated to the switch port.
    • Automatic configuration migration is supported.
  • Support for client-less devices using mac-auth-bypass (MAB)
    • For devices that are incapable of supporting EAPoL/EAP, FortiSwitch will conduct the authentication on behalf of the device. A maximum of three concurrent MAB devices per port can exist.
  • Multiple secured endpoints on single port
    • Enforcement is per MAC address
  • Dynamic VLAN assignment
    • RADIUS-assigned VLANs
  • Guest VLAN configuration
    • With authentication timeout
  • RADIUS configuration
    • Set secret keys for primary and secondary servers.
  • User configuration
    • Use a RADIUS server to authenticate users.
  • Additional timers and modes
    • Re-authentication period
    • Maximum re-authentication attempts
    • Link down to un-authenticate

In the following commands, "*" indicates the default setting.

Configure the 802.1X settings for a virtual domain

To configure the 802.1X security policy for a virtual domain, use the following commands:

config switch-controller 802-1X-settings
    set reauth-period <int>
    set max-reauth-attempt <int>
    set link-down-auth <*set-unauth | no-action>
end


Option: set link-down-auth
    Determines the authentication state when a link goes down. Choosing set-unauth sets the interface to unauthenticated when a link is down, so reauthentication is needed when the link comes back. Choosing no-action means that the interface does not need to be reauthenticated after a link goes down.

Option: set reauth-period
    Sets how often reauthentication is needed. The range is 1-1440 minutes. The default is 60 minutes. Setting the value to 0 minutes disables reauthentication.

Option: set max-reauth-attempt
    Sets the maximum number of reauthentication attempts. The range is 1-15. The default is 3. Setting the value to 0 disables reauthentication.

Override the virtual domain settings

You can override the virtual domain settings for the 802.1X security policy.

Using the FortiGate GUI

To override the 802.1X settings for a virtual domain:

  1. Go to WiFi & Switch Controller > Managed FortiSwitch.
  2. Click on a FortiSwitch faceplate and click Edit.
  3. In the Edit Managed FortiSwitch page, move the Override 802-1X settings slider to the right.
  4. In the Reauthentication Interval field, enter the number of minutes before reauthentication is required. The maximum interval is 1,440 minutes. Setting the value to 0 minutes disables reauthentication.
  5. In the Max Reauthentication Attempts field, enter the maximum times that reauthentication is attempted. The maximum number of attempts is 15. Setting the value to 0 disables reauthentication.
  6. Select Deauthenticate or None for the link down action. Selecting Deauthenticate sets the interface to unauthenticated when a link is down, and reauthentication is needed. Selecting None means that the interface does not need to be reauthenticated when a link is down.
  7. Click OK.

Using the FortiGate CLI

To override the 802.1X settings for a virtual domain, use the following commands:

config switch-controller managed-switch
    edit <switch>
        config 802-1X-settings
            set local-override [enable | *disable]
            set reauth-period <int>                        // visible if override enabled
            set max-reauth-attempt <int>                   // visible if override enabled
            set link-down-auth <*set-unauth | no-action>   // visible if override enabled
        end
    next
end


For a description of the options, see Configure the 802.1X settings for a virtual domain.

Define an 802.1X security policy

You can define multiple 802.1X security policies.

Using the FortiGate GUI

To create an 802.1X security policy:

  1. Go to WiFi & Switch Controller > FortiSwitch Security Policies.
  2. Click Create New.
  3. Enter a name for the new FortiSwitch security policy.
  4. For the security mode, select Port-based or MAC-based.
  5. Click + to select which user groups will have access.
  6. Enable or disable guest VLANs on this interface to allow restricted access for some users.
  7. Enter the number of seconds for authentication delay for guest VLANs. The range is 60-900 seconds.
  8. Enable or disable authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.
  9. Enable or disable MAC authentication bypass (MAB) on this interface.
  10. Enable or disable EAP pass-through mode on this interface.
  11. Enable or disable whether the session timeout for the RADIUS server will overwrite the local timeout.
  12. Click OK.

Using the FortiGate CLI

To create an 802.1X security policy, use the following commands:

config switch-controller security-policy 802-1X
    edit "<policy.name>"
        set security-mode {802.1X | 802.1X-mac-based}
        set user-group <*group_name | Guest-group | SSO_Guest_Users>
        set mac-auth-bypass [enable | *disable]
        set eap-passthru [enable | disable]
        set guest-vlan [enable | *disable]
        set guest-vlan-id "guest-VLAN-name"
        set guest-auth-delay <integer>
        set auth-fail-vlan [enable | *disable]
        set auth-fail-vlan-id "auth-fail-VLAN-name"
        set radius-timeout-overwrite [enable | *disable]
        set policy-type 802.1X
    next
end


Option: set security-mode
    Restricts access with 802.1X port-based authentication (802.1X) or with 802.1X MAC-based authentication (802.1X-mac-based), where each client MAC address is authenticated separately.

Option: set user-group
    Sets a specific group name, Guest-group, or SSO_Guest_Users to have access.

Option: set mac-auth-bypass
    Enables or disables MAB on this interface.

Option: set eap-passthru
    Enables or disables EAP pass-through mode on this interface.

Option: set guest-vlan
    Enables or disables guest VLANs on this interface to allow restricted access for some users.

Option: set guest-vlan-id "guest-VLAN-name"
    Specifies the name of the guest VLAN.

Option: set guest-auth-delay
    Sets the authentication delay for guest VLANs on this interface. The range is 60-900 seconds.

Option: set auth-fail-vlan
    Enables or disables the authentication fail VLAN on this interface to allow restricted access for users who fail to access the guest VLAN.

Option: set auth-fail-vlan-id "auth-fail-VLAN-name"
    Specifies the name of the authentication fail VLAN.

Option: set radius-timeout-overwrite
    Enables or disables whether the session timeout from the RADIUS server overwrites the local timeout.

Option: set policy-type 802.1X
    Sets the policy type to the 802.1X security policy.

Apply an 802.1X security policy to a FortiSwitch port

You can apply a different 802.1X security policy to each FortiSwitch port.

Using the FortiGate GUI

To apply an 802.1X security policy to a managed FortiSwitch port:

  1. Go to WiFi & Switch Controller > FortiSwitch Ports.
  2. Click the + next to a FortiSwitch.
  3. In the Security Policy column for a port, click + to select a security policy.
  4. Click OK to apply the security policy to that port.

Using the FortiGate CLI

To apply an 802.1X security policy to a managed FortiSwitch port, use the following commands:

config switch-controller managed-switch
    edit <managed-switch>
        config ports
            edit <port>
                set port-security-policy <802.1X-policy>
            next
        end
    next
end
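The steps on this page combined into one working sequence, as an added example that is not part of the original page or of Fortinet's own documentation: the RADIUS firewall policy over FortiLink, the per-VDOM timers, a MAC-based policy with MAB and a guest VLAN, and its binding to a port. All interface, switch, user group and VLAN names are constructed assumptions, and the firewall policy uses the FortiOS predefined RADIUS service.

```fortios
# Constructed names, not from the page: FortiLink interface "fortilink",
# RADIUS server behind "port1", RADIUS-backed user group "dot1x-users",
# switch "S124EXXXXXXXXXXX", port "port5", VLANs "guest-vlan"/"auth-fail-vlan".

# Firewall policy: RADIUS from the FortiLink interface to the RADIUS server
config firewall policy
    edit 0
        set srcintf "fortilink"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
    next
end

# Per-VDOM 802.1X timers: reauthenticate every 30 minutes, up to 3 attempts,
# and clear the authenticated state when the link goes down
config switch-controller 802-1X-settings
    set reauth-period 30
    set max-reauth-attempt 3
    set link-down-auth set-unauth
end

# MAC-based policy (each client MAC authenticated) with MAB and guest VLAN
config switch-controller security-policy 802-1X
    edit "dot1x-mab-guest"
        set security-mode 802.1X-mac-based
        set user-group "dot1x-users"
        set mac-auth-bypass enable
        set guest-vlan enable
        set guest-vlan-id "guest-vlan"
        set guest-auth-delay 60
        set auth-fail-vlan enable
        set auth-fail-vlan-id "auth-fail-vlan"
    next
end

# Bind the policy to one managed-switch port
config switch-controller managed-switch
    edit "S124EXXXXXXXXXXX"
        config ports
            edit "port5"
                set port-security-policy "dot1x-mab-guest"
            next
        end
    next
end
```

With MAC-based mode, an unmanaged device on port5 that cannot speak EAPoL is authenticated by MAB against the same RADIUS server, and a client that fails authentication lands in the auth-fail VLAN rather than on the production VLAN.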