802.1X with VLAN Switch interfaces on a FortiGate


This recipe follows on from the general introductory video, Managing FortiSwitch from FortiGate, which uses the FortiLink protocol.

NOTE: This recipe is specific to FortiOS 5.4. For the most recent FortiSwitch (standalone and managed) administration guides, see https://docs.fortinet.com/fortiswitch/admin-guides.

Using 802.1X with VLAN Switch interfaces on the FortiGate secures the network at the switch port by requesting a connecting user to authenticate. In most deployments the user database will be external to the FortiGate.

This example uses FortiAuthenticator for the RADIUS authentication server, however the example is generic enough to be adapted to any authentication server supported by the FortiGate and the EAP protocol. Also this example can be adapted for other products which make use of 802.1X, such as wireless access points.

In this example we will configure EAP-TTLS.

There are three elements to be configured:

  • The supplicant, which identifies the client, in this case a Ubuntu host.
  • The authenticator, which translates EAP to RADIUS messages, and vice-versa. This is the FortiGate switch controller.
  • The authentication server, which processes the RADIUS messages. This is the FortiAuthenticator.

The topology is as shown:flink-802_1X-ext

1. Configuring a CA

In this example we configure EAP-TTLS which requires, as a minimum, server certificate validation. To do this we use FortiAuthenticator, we create a CA root, self signed, and a service certificate for the authentication server. The supplicant requires access to the CA certificate in order to validate the server authentication.

On FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and create a new Local CA. Enter a Certificate ID and Name (CN). Leave all other settings default.

This creates a root CA certificate that is self signed. This certificate must be copied to the supplicant.


Go to Certificate Management > End Entities > Local Services and create a new service. Enter a Certificate ID, Issuer (your local CA), and Name (CN). Leave all other settings default.

This creates a certificate for the authentication server.


2. Configuring RADIUS authentication

The FortiAuthenticator will be the RADIUS sever and the FortiGate the RADIUS client.

On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and create a new client. Enter the Name, Client name/IP, and shared Secret. For Realms, use the local user realm and set EAP types to use EAP-TTLS.


Go to Authentication > User Management > Local Users and create a local user and password.

This is your user account for 802.1X authentication.

Go to Authentication > RADIUS Service > EAP and select the local CA and local service certificates for the server’s authentication. eap-cert
On the FortiGate, go to User & Device > RADIUS Servers and create a new server connection. Enter Name, Primary Server IP/Name, and Primary Server Secret. fgt_radius

Go to WiFi & Switch Controller > VLANs

Modify your VLAN and change the admission control authentication method to RADIUS, and select you RADIUS server.

(This example follows on from the local user configuration, given in the video.)


Test the RADIUS configuration from the the FortiGate CLI:

# diagnose test authserver radius myRADIUS mschap2 mike@local mypassword authenticate 'mike@local' against 'mschap2' succeeded, server=primary assigned_rad_session_id=790684157 session_timeout=0 secs idle_timeout=0 secs!

3. Configure the supplicant and test

We will configure the 802.1X supplicant settings on the wired interface of our Ubuntu host. Use the settings in the following screenshot to test your connection.
Edit your wired connection and select 802.1X security. Chose Tunneled TLS (TTLS), your CA certificate, MSCAPv2 for Inner authentication, and the Username. supplicant-settings

4. Results

Check FortiAuthenticator’s log messages, look for 802.1x authentication successful. log-message
Using ifconfig, you should see that you have been allocated an address from the DHCP server. ifconfig
If this does not work, check again the RADIUS client works using the testauth command. If that is ok, check your certificates, paying attention to the valid from date and time.




Michael Strickland

Product Manager at Fortinet
Michael Strickland

Latest posts by Michael Strickland (see all)