MAC-based 802.1X authentication

This example shows how to configure MAC-based 802.1X authentication on managed FortiSwitch ports when using FortiLink. Managed FortiSwitch devices authenticate user devices and record their MAC addresses. If a hub sits behind the FortiSwitch port and connects multiple user devices, each device can access the network after it passes authentication individually.

Prerequisites:

  • The certificates and authentication protocol supported by the supplicant software and RADIUS server are compatible.
  • The managed FortiSwitches using FortiLink act as authenticators.

Create a firewall policy that allows the RADIUS authentication traffic from the FortiLink interface to the outbound interface on the FortiGate:

config firewall policy
    edit 0
        set srcintf "fortilink-interface"
        set dstintf "outbound-interface-to-RadiusSVR"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set nat enable
    next
end

Designate a RADIUS server and create a user group:

Using the CLI:

config user radius
    edit "Radius1"
        set server "172.18.60.203"
        set secret ENC 1dddddd
    next
end

config user group
    edit "Radius-Grp1"
        set member "Radius1"
    next
end

Using the GUI:

  1. On the FortiGate, go to User & Device > RADIUS Servers.
  2. Edit an existing server, or create a new one.
  3. If necessary, add a Name for the server.
  4. Set the IP/Name to 172.18.60.203 and Secret to 1dddddd.
  5. Configure other fields as necessary.
  6. Click OK.
  7. Go to User & Device > User Groups.
  8. Create a new group, and add the RADIUS server to the Remote Groups.
  9. Click OK.

Use the new user group in a security policy:

Using the CLI:

config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set security-mode 802.1X-mac-based
        set user-group "Radius-Grp1"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set guest-vlan disable
        set auth-fail-vlan disable
        set framevid-apply enable
        set radius-timeout-overwrite disable
    next
end

Configure the guest VLAN, authentication fail VLAN, and other parameters as needed.

Using the GUI:

  1. Go to WiFi & Switch Controller > FortiSwitch Security Policies.
  2. Use the default 802-1X-policy-default, or create a new security policy.
  3. Use the RADIUS server group in the policy.
  4. Set the Security mode to MAC-based.
  5. Configure other fields as necessary.
  6. Click OK.

Apply the security policy to the ports of the managed FortiSwitches:

Using the CLI:

config switch-controller managed-switch
    edit S248EPTF1800XXXX
        config ports
            edit "port6"
                set port-security-policy "802-1X-policy-default"
            next
        end
    next
end

On the FortiSwitch, check the configuration:

config switch interface
    edit "port6"
        set allowed-vlans 4093
        set untagged-vlans 4093
        set security-groups "Radius-Grp1"
        set snmp-index 6
        config port-security
            set auth-fail-vlan disable
            set eap-passthru enable
            set framevid-apply enable
            set guest-auth-delay 30
            set guest-vlan disable
            set mac-auth-bypass disable
            set open-auth disable
            set port-security-mode 802.1X-mac-based
            set radius-timeout-overwrite disable
            set auth-fail-vlanid 200
            set guest-vlanid 100
        end
    next
end

Using the GUI:

  1. On the FortiGate, go to WiFi & Switch Controller > FortiSwitch VLANs.
  2. Configure the VLAN interfaces that are applied on FortiSwitch.

On the FortiGate, these switch VLAN interfaces are treated as layer-3 interfaces, so firewall policies and the other security controls in FortiOS can be applied to them. This extends the security boundary to the FortiSwitch.

Execute 802.1X authentication on a user device:

On Linux, run wpa_supplicant:

wpa_supplicant -c /etc/wpa_supplicant/local_supplicant.conf -D wired -i eth2 -dd

On the FortiGate, view the status of the 802.1X authentication:

diagnose switch-controller switch-info 802.1X

Managed Switch : S248EPTF1800XXXX

port6 : Mode: mac-based (mac-by-pass disable)
Link: Link up
Port State: authorized: ( )
EAP pass-through mode : Enable
Native Vlan : 1
Allowed Vlan list: 1,4093
Untagged Vlan list: 1,4093
Guest VLAN :
Auth-Fail Vlan :
Switch sessions 1/240,    Local port sessions:1/20

Client    MAC          Type    Vlan Dynamic-Vlan
00:0c:29:d4:4f:3c     802.1x      1      0

Sessions info:
00:0c:29:d4:4f:3c    Type=802.1x,MD5,state=AUTHENTICATED,etime=6,eap_cnt=3
params:reAuth=3600

Reading the output:

  • Mode: mac-based confirms that the port is running MAC-based 802.1X.
  • Port State: authorized means the authentication passed; otherwise it shows failed.
  • The Client line lists the user device that passed authentication and can now access the network. Its MAC address is recorded, while other user devices behind the same FortiSwitch port are still not allowed to access the network.
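As an added example that is not part of the original guide, the following Python checker parses the diagnose output shown above and flags any port that drifts from the baseline configured in this guide (mac-based mode, mac-auth-bypass disabled, port authorized, every session AUTHENTICATED). The sample input is constructed from the page's port6 output; port7 is a hypothetical addition used to exercise the findings.

```python
import re
# Constructed sample: the page's "diagnose switch-controller switch-info 802.1X"
# output cut to the lines parsed, plus a hypothetical port7 with bypass enabled.
SAMPLE = """\
Managed Switch : S248EPTF1800XXXX
port6 : Mode: mac-based (mac-by-pass disable)
Port State: authorized: ( )
00:0c:29:d4:4f:3c     802.1x      1      0
Sessions info:
00:0c:29:d4:4f:3c    Type=802.1x,MD5,state=AUTHENTICATED,etime=6,eap_cnt=3
port7 : Mode: mac-based (mac-by-pass enable)
Port State: unauthorized: ( )
Sessions info:
00:0c:29:aa:bb:cc    Type=802.1x,MD5,state=HELD,etime=9,eap_cnt=5
"""
PORT_RE = re.compile(r"^(port\d+)\s*:\s*Mode:\s*(\S+)\s*\(mac-by-pass\s+(\w+)\)")
STATE_RE = re.compile(r"^Port State:\s*(\w+)")
SESSION_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+Type=[^,]+,.*?state=(\w+)", re.I)

def parse_8021x(text):
    """Return {port: {"mode", "mab", "state", "sessions": {mac: state}}}."""
    ports, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := PORT_RE.match(line):          # start of a per-port block
            cur = ports.setdefault(m.group(1), {"mode": m.group(2), "mab": m.group(3),
                                                "state": None, "sessions": {}})
        elif cur is None:
            continue                          # header lines before the first port
        elif m := STATE_RE.match(line):
            cur["state"] = m.group(1)
        elif m := SESSION_RE.match(line):     # "Sessions info" rows, keyed by MAC
            cur["sessions"][m.group(1).lower()] = m.group(2)
    return ports

def review(text):
    """Flag ports that drift from the MAC-based baseline configured above."""
    findings = []
    for port, p in sorted(parse_8021x(text).items()):
        if p["mode"] != "mac-based":
            findings.append(f"{port}: mode {p['mode']} is not mac-based")
        if p["mab"] != "disable":
            findings.append(f"{port}: mac-auth-bypass is {p['mab']}")
        if p["state"] != "authorized":
            findings.append(f"{port}: port state {p['state']}")
        for mac, st in p["sessions"].items():
            if st != "AUTHENTICATED":
                findings.append(f"{port}: {mac} session state {st}")
    return findings
```

Feed it the real output of the diagnose command (for example, saved from an SSH session) and an empty list from review() means every port matches the baseline.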

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
