FortiGate
sagha
Staff
Article Id 191147
Description
This article describes the configuration required to enable 802.1X authentication on the FortiGate's hardware switch, using FortiAuthenticator as the external RADIUS server.

Solution
On the FortiGate:
# config system interface
    edit "802.1x"                                      <----- The hardware switch.
        set vdom "root"
        set ip 10.1.1.2 255.255.255.0
        set allowaccess ping https ssh http capwap
        set type hard-switch
        set security-mode 802.1X
        set security-groups "802.1x"                   <----- The remote radius group.
        set device-identification enable
        set role lan
        set snmp-index 13
    next
end

# config user radius
    edit "FAC_RADUIS"                                  <----- The RADIUS server object (FortiAuthenticator).
        set server "192.168.1.99"
        set auth-type ms_chap_v2
        set password-renewal enable
    next
end

# config user group
    edit "802.1x"                                      <----- Referenced by 'set security-groups' on the hardware switch.
        set member "FAC_RADUIS"
    next
end
On the FortiAuthenticator:

1) Configure the user group under Authentication -> User Management -> Local Users / Remote Users, pointing to an external authentication server (LDAP or another RADIUS server).

2) Create the user group that will contain the user database (pointing to a remote user group).

3) Configure the RADIUS client along with the EAP type.

More details about the EAP types that can be used.

Note: The feature is available on units that support a hardware switch (integrated switch fabric).

It cannot be applied on units where the interface is configured as type software switch rather than hardware switch.
To check which devices support the feature on a specific firmware, consult the platform matrix of that firmware release.

In the above link, the 802.1X feature is supported on a FortiGate-60E running firmware 6.2.3 because that model has a hardware switch. It is not supported, for example, on a FortiGate-500 running firmware 6.2.3, because that model has no built-in hardware switch.
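As an added example (not part of the original article), the following script parses a FortiOS CLI configuration dump such as the one above and checks that the 802.1X references are consistent: the interface must be of type hard-switch (the requirement stated in the note), its security-groups must name an existing user group, and that group's member must be a RADIUS server with a server address. The sample configuration embedded in it is constructed to mirror the article's values.

```python
# Added example, not from the original article: parse a FortiOS CLI dump and check the
# 802.1X chain: hard-switch interface -> security-groups -> user group -> member -> RADIUS.
# Constructed sample mirroring the article's configuration (CLI prompt "# " removed).
SAMPLE_CONFIG = """config system interface
    edit "802.1x"
        set type hard-switch
        set security-mode 802.1X
        set security-groups "802.1x"
    next
end
config user radius
    edit "FAC_RADUIS"
        set server "192.168.1.99"
    end
config user group
    edit "802.1x"
        set member "FAC_RADUIS"
    end
"""

def parse_fortios(text):
    tree, section, entry = {}, None, None  # tree = {section: {entry: {key: [values]}}}
    for line in text.splitlines():
        tok = [t.strip('"') for t in line.split()] or [""]  # blank line -> no-op
        if tok[0] == "config":
            section = " ".join(tok[1:])
            tree.setdefault(section, {})
        elif tok[0] == "edit" and section is not None:
            entry = tree[section].setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            entry = None  # "end" directly after "edit" closes the entry as well
    return tree

def check_dot1x(config_text):
    cfg = parse_fortios(config_text)
    radius, groups, findings = cfg.get("user radius", {}), cfg.get("user group", {}), []
    for name, iface in cfg.get("system interface", {}).items():
        if iface.get("security-mode", [""])[0].upper() != "802.1X":
            continue  # only interfaces doing port authentication are checked
        if iface.get("type") != ["hard-switch"]:
            findings.append(f"{name}: 802.1X security-mode requires type hard-switch")
        for grp in iface.get("security-groups", []):
            if grp not in groups:
                findings.append(f"{name}: security-group '{grp}' has no user group")
            for member in groups.get(grp, {}).get("member", []):
                if not radius.get(member, {}).get("server"):
                    findings.append(f"group '{grp}': member '{member}' is not a RADIUS server with an address")
    return findings  # empty list: the 802.1X chain is consistent
```

Running check_dot1x on a configuration backup (with the CLI prompt markers removed) returns one line per mismatch, such as a software switch carrying security-mode 802.1X or a security-group name that does not match any user group.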
