FortiSwitch
anignan
Staff
Article Id 275191
Description This article describes how to use FortiSwitch to authenticate users with 802.1X using the FortiGate local database.
Scope FortiSwitch.
Solution

In some environments there is no dedicated RADIUS server, but 802.1X authentication with EAP is still required.

As an 802.1X authentication server, FortiSwitch supports EAP-PEAP, EAP-TTLS, EAP-TLS, and EAP-MD5.

  • Create a local user on FortiGate under User & Authentication -> User Definition.

  • Create a local user group on FortiGate that contains all 802.1X users under User & Authentication -> User Groups.

  • Create a FortiSwitch port policy under WiFi & Switch Controller -> FortiSwitch Port Policies. Make sure EAP pass-through is disabled, and select the local group under User groups.

  • Assign this port policy to a FortiSwitch port under WiFi & Switch Controller -> FortiSwitch Port.

  • On the Windows clients, make sure the Wired AutoConfig service is running.

  • Set the NIC settings to authenticate with PEAP, and make sure User or computer authentication is chosen as the authentication method.

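  • Uncheck the Server Identity check if the server CA certificate is not installed on the client computer. With the check cleared, the client does not validate the authentication server's certificate before sending credentials, so installing the CA certificate and keeping the check enabled is the safer setup.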

  • Once connected to the FortiSwitch port, a pop-up to enter the username and password should appear.

After the correct username and password are entered, the client should be connected to the assigned VLAN. To confirm this, run the following command:

dia switch-controller switch-info 802.1X    <----- This shows the assigned VLAN and authentication method.
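
The FortiGate-side steps above (local user, user group, port policy with EAP pass-through disabled, port assignment) expressed as FortiOS CLI. This is an added example, not taken from the original article; the user, group and policy names, the port, and the `<password>` and `<FortiSwitch-serial>` placeholders are assumptions to replace with real values.

```fortios
# Added example. All names below are placeholders, not values from the article.

# Step 1: local user in the FortiGate database
config user local
    edit "dot1x-user1"
        set type password
        set passwd <password>
    next
end

# Step 2: local group that holds all 802.1X users
config user group
    edit "dot1x-local-users"
        set member "dot1x-user1"
    next
end

# Step 3: FortiSwitch port policy. With EAP pass-through disabled,
# authentication is checked against the local group selected here.
config switch-controller security-policy 802-1X
    edit "dot1x-local-db"
        set security-mode 802.1X
        set user-group "dot1x-local-users"
        set eap-passthru disable
    next
end

# Step 4: assign the port policy to a managed FortiSwitch port
config switch-controller managed-switch
    edit "<FortiSwitch-serial>"
        config ports
            edit "port1"
                set port-security-policy "dot1x-local-db"
            next
        end
    next
end
```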

 


If this does not work, open a ticket with Fortinet TAC:

https://support.fortinet.com/welcome/#/
