1. Configuring a CA

In this example we configure EAP-TTLS, which requires, as a minimum, that the supplicant validate the authentication server's certificate. We use FortiAuthenticator to create a self-signed root CA and a service certificate for the authentication server issued by that CA. The supplicant needs a copy of the CA certificate in order to validate the server's certificate.
On FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and create a new Local CA. Enter a Certificate ID and Name (CN). Leave all other settings default.
This creates a self-signed root CA certificate. Export the CA certificate (the certificate only, not its private key) and copy it to the supplicant.
Go to Certificate Management > End Entities > Local Services and create a new service. Enter a Certificate ID, Issuer (your local CA), and Name (CN). Leave all other settings default.
This creates the certificate that the authentication server presents to supplicants during EAP-TTLS.
2. Configuring RADIUS authentication

The FortiAuthenticator will be the RADIUS server and the FortiGate the RADIUS client.
On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and create a new client. Enter the Name, Client name/IP (the FortiGate's address), and shared Secret. For Realms, use the local user realm and set EAP types to use EAP-TTLS.
Go to Authentication > User Management > Local Users and create a local user and password.
This is your user account for 802.1X authentication.
Go to Authentication > RADIUS Service > EAP and select the local CA and local service certificates for the server's authentication.

On the FortiGate, go to User & Device > RADIUS Servers and create a new server connection. Enter Name, Primary Server IP/Name, and Primary Server Secret (the same shared secret entered on FortiAuthenticator).

Go to WiFi & Switch Controller > VLANs. Modify your VLAN, change the admission control authentication method to RADIUS, and select your RADIUS server.
(This example follows on from the local user configuration, given in the video.)
Test the RADIUS configuration from the FortiGate CLI (myRADIUS is the server name configured in the previous step):
# diagnose test authserver radius myRADIUS mschap2 mike@local mypassword
authenticate 'mike@local' against 'mschap2' succeeded, server=primary assigned_rad_session_id=790684157 session_timeout=0 secs idle_timeout=0 secs!
This test sends a plain RADIUS MSCHAPv2 request, so it confirms that the server is reachable, that the shared secret matches and that the user credentials are accepted, but it does not exercise EAP-TTLS or the certificates. Those are only tested from the supplicant.

3. Configure the supplicant and test
We will configure the 802.1X supplicant settings on the wired interface of our Ubuntu host. Use the settings in the following screenshot to test your connection.
Edit your wired connection and select 802.1X security. Choose Tunneled TLS (TTLS), your CA certificate, MSCHAPv2 for Inner authentication, and the Username. Selecting the CA certificate is what makes the supplicant validate the server; without it the supplicant builds the TLS tunnel to whatever server answers, and a rogue authentication server could capture the MSCHAPv2 exchange.
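The same settings expressed for wpa_supplicant, as an added example that is not part of the original article (useful on a headless host, or to script the test). The interface name eth0, the identity mike@local, the password and the CA file path are placeholders. The script writes the configuration and then checks that the ca_cert line is present, because TTLS with a password method inside but no ca_cert is the configuration that silently skips server validation:

```sh
#!/bin/sh
# Added example, not from the original article: the wpa_supplicant equivalent
# of the NetworkManager settings in step 3 (wired 802.1X, EAP-TTLS with
# MSCHAPv2 inside the tunnel). Interface name, identity, password and CA path
# are placeholders.
set -eu

# Write a wpa_supplicant configuration for a wired 802.1X port.
#   $1 identity (the FortiAuthenticator local user, realm form)
#   $2 password
#   $3 path to the exported Local CA certificate (PEM)
#   $4 output file
render_wpa_conf() {
    cat > "$4" <<EOF
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=TTLS
    identity="$1"
    password="$2"
    # Validate the server against the CA from step 1. Without this line the
    # supplicant trusts any server and hands it the MSCHAPv2 exchange.
    ca_cert="$3"
    # Optionally also pin the service certificate's CN:
    # domain_match="fac.example.local"
    phase2="auth=MSCHAPV2"
}
EOF
}

# Guard against the weak configuration: an inner password method with no
# ca_cert means the server is never validated. Prints yes or no.
conf_validates_server() {
    if grep -q '^[[:space:]]*ca_cert=' "$1"; then echo yes; else echo no; fi
}

CONF="$(mktemp)"
render_wpa_conf "mike@local" "mypassword" "/etc/ssl/certs/fac-root-ca.pem" "$CONF"
echo "server validation configured: $(conf_validates_server "$CONF")"
# Bring the port up as root, then request a lease as in step 4:
#   wpa_supplicant -i eth0 -D wired -c "$CONF"
#   dhclient eth0
```

Run the script, then start wpa_supplicant with the generated file and request a DHCP lease as in the Results section. The conf_validates_server check is the one to keep in any automation: a TTLS profile that validates nothing will still authenticate successfully, which is why the weak configuration is easy to miss.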
4. Results
Check FortiAuthenticator's log messages and look for "802.1x authentication successful".

Using ifconfig (or ip address), you should see that the interface has been allocated an address from the DHCP server.

If this does not work, first check again that the RADIUS client works, using the diagnose test authserver command above. If that is ok, check your certificates, paying attention to the valid-from date and time on both the CA and the service certificate, and make sure the supplicant's clock is not behind them.
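To rebuild step 1 outside FortiAuthenticator and run the two certificate checks this section points at (that the service certificate chains to the CA, and that it is valid at the moment the supplicant evaluates it), here is an added openssl script that is not from the original article. The CA name FAC-Root-CA and the server name fac.example.local are placeholders; the "yesterday" check reproduces what a supplicant with a clock behind the certificates' valid-from time sees:

```sh
#!/bin/sh
# Added example, not from the original article: rebuild step 1 with openssl
# (a self-signed root CA and a service certificate issued by it) and run the
# checks section 4 asks for: does the service certificate chain to the CA, and
# is it valid at the time the supplicant evaluates it. The names FAC-Root-CA
# and fac.example.local are placeholders.
set -eu

WORK="$(mktemp -d)"

# Self-signed root CA, the equivalent of the FortiAuthenticator Local CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Service certificate issued by that CA, the equivalent of the Local Services
# entry. Marked as an end entity with the serverAuth EKU supplicants expect.
make_server() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        > "$WORK/server.ext"
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Does certificate $2 chain to the CA in $1? This is the check the supplicant
# performs on the TLS tunnel. Prints ok or fail.
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The same check evaluated at epoch time $3. A supplicant whose clock is behind
# the certificate's "valid from" time sees exactly this failure.
verify_chain_at() {
    if openssl verify -CAfile "$1" -attime "$3" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_ca "FAC-Root-CA"
make_server "fac.example.local"
openssl x509 -in "$WORK/server.crt" -noout -subject -issuer -dates
echo "chain now:       $(verify_chain "$WORK/ca.crt" "$WORK/server.crt")"
echo "chain yesterday: $(verify_chain_at "$WORK/ca.crt" "$WORK/server.crt" "$(( $(date +%s) - 86400 ))")"
```

Point verify_chain at the CA certificate you exported from FortiAuthenticator and the service certificate it issued to confirm the pair you deployed actually chain; the -attime variant is the quickest way to tell a clock problem apart from a wrong issuer, since both show up on the supplicant as a failed server validation.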