
802.1X with VLAN Switch interfaces on a FortiGate

This recipe follows on from the general introductory video, Managing FortiSwitch from FortiGate, which uses the FortiLink protocol.

Using 802.1X with VLAN Switch interfaces on the FortiGate secures the network at the switch port by requesting a connecting user to authenticate. In most deployments the user database will be external to the FortiGate.

This example uses FortiAuthenticator as the RADIUS authentication server; however, it is generic enough to be adapted to any authentication server supported by the FortiGate and the EAP protocol. It can also be adapted for other products that use 802.1X, such as wireless access points.

In this example we will configure EAP-TTLS.

There are three elements to be configured:

  • The supplicant, which identifies the client, in this case a Ubuntu host.
  • The authenticator, which translates EAP to RADIUS messages, and vice-versa. This is the FortiGate switch controller.
  • The authentication server, which processes the RADIUS messages. This is the FortiAuthenticator.

The topology is as shown:

[Figure: flink-802_1X-ext]

1. Configuring a CA

In this example we configure EAP-TTLS, which requires, as a minimum, server certificate validation. To do this we use FortiAuthenticator to create a self-signed root CA and a service certificate for the authentication server. The supplicant requires access to the CA certificate in order to validate the server's certificate.

On FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and create a new Local CA. Enter a Certificate ID and Name (CN). Leave all other settings default.

This creates a root CA certificate that is self signed. This certificate must be copied to the supplicant.

[Figure: myCA]

Go to Certificate Management > End Entities > Local Services and create a new service. Enter a Certificate ID, Issuer (your local CA), and Name (CN). Leave all other settings default.

This creates a certificate for the authentication server.

[Figure: myCert]

2. Configuring RADIUS authentication

The FortiAuthenticator will be the RADIUS server and the FortiGate the RADIUS client.

On the FortiAuthenticator, go to Authentication > RADIUS Service > Clients and create a new client. Enter the Name, Client name/IP, and shared Secret. For Realms, use the local user realm and set EAP types to use EAP-TTLS.

[Figure: radius-client-settings]

Go to Authentication > User Management > Local Users and create a local user and password.

This is your user account for 802.1X authentication.

[Figure: user]

Go to Authentication > RADIUS Service > EAP and select the local CA and local service certificates for the server's authentication.

[Figure: eap-cert]

On the FortiGate, go to User & Device > RADIUS Servers and create a new server connection. Enter Name, Primary Server IP/Name, and Primary Server Secret.

[Figure: fgt_radius]

Go to WiFi & Switch Controller > VLANs.

Modify your VLAN, change the admission control authentication method to RADIUS, and select your RADIUS server.

(This example follows on from the local user configuration, given in the video.)

[Figure: admission-control]

Test the RADIUS configuration from the FortiGate CLI:

# diagnose test authserver radius myRADIUS mschap2 mike@local mypassword
authenticate 'mike@local' against 'mschap2' succeeded, server=primary assigned_rad_session_id=790684157 session_timeout=0 secs idle_timeout=0 secs!

3. Configure the supplicant and test

We will configure the 802.1X supplicant settings on the wired interface of our Ubuntu host. Use the settings in the following screenshot to test your connection.

Edit your wired connection and select 802.1X security. Choose Tunneled TLS (TTLS), your CA certificate, MSCHAPv2 for Inner authentication, and the Username.

[Figure: supplicant-settings]
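The same settings as the Ubuntu screenshot above, written as a wpa_supplicant configuration for a wired interface so that each GUI field maps to a named key. This is an added example, not part of the Fortinet recipe; the file paths, the identity mike@local (taken from the step 2 test), the password and the server CN fac.example.com are placeholders. It also shows the check the GUI does not make explicit: without ca_cert the supplicant would accept any server certificate, and domain_match pins the service certificate's CN so another certificate from the same CA is not accepted for this network.

```shell
#!/bin/sh
# Added example, not part of the Fortinet recipe: the step 3 supplicant settings
# (TTLS, CA certificate, MSCHAPv2 inner authentication, username) as a
# wpa_supplicant configuration for a wired interface. Paths, identity, password
# and server CN are placeholders.
set -e

# Write the supplicant configuration.
# Arguments: output file, CA certificate path, identity, password, server CN to pin.
write_supplicant_conf() {
  out="$1"; ca="$2"; ident="$3"; pass="$4"; server_cn="$5"
  umask 077   # the file holds the password: owner-readable only
  cat > "$out" <<EOF
# wpa_supplicant configuration for wired 802.1X (EAP-TTLS / MSCHAPv2)
ap_scan=0
network={
    key_mgmt=IEEE8021X
    # "Tunneled TLS (TTLS)" in the GUI
    eap=TTLS
    # "Inner authentication: MSCHAPv2" in the GUI
    phase2="auth=MSCHAPV2"
    # Outer identity is sent in the clear; the real username travels inside the
    # TLS tunnel. Keep the realm part if your server routes on it (assumption).
    anonymous_identity="anonymous@local"
    identity="$ident"
    password="$pass"
    # "CA certificate" in the GUI: the root CA exported in step 1. Without
    # ca_cert the supplicant accepts any server certificate and would run the
    # MSCHAPv2 exchange against a rogue authenticator.
    ca_cert="$ca"
    # Pin the service certificate's CN as well, so another certificate signed
    # by the same CA is not accepted for this network.
    domain_match="$server_cn"
}
EOF
}

# Sanity check of a written file: the keys that make the setup secure must be
# present. Returns 0 if all are there, non-zero otherwise.
check_supplicant_conf() {
  f="$1"
  grep -q '^ *eap=TTLS$' "$f" &&
  grep -q '^ *phase2="auth=MSCHAPV2"$' "$f" &&
  grep -q '^ *ca_cert=' "$f" &&
  grep -q '^ *domain_match=' "$f"
}

# Stand-alone run writes the file to a temporary directory. On the host it would
# be started with, for example:
#   sudo wpa_supplicant -D wired -i eth0 -c /etc/wpa_supplicant/wired.conf
CONF="${CONF:-$(mktemp -d)/wired.conf}"
write_supplicant_conf "$CONF" /etc/ssl/certs/myCA.pem mike@local mypassword fac.example.com
check_supplicant_conf "$CONF" && echo "wrote $CONF"
```

The password line can be replaced by the NT hash form wpa_supplicant accepts for MSCHAPv2 (password=hash:...) so the clear-text password does not sit in the file; the file mode set by umask 077 is still needed because the hash is enough to authenticate.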

4. Results

Check FortiAuthenticator's log messages and look for "802.1x authentication successful".

[Figure: log-message]

Using ifconfig, you should see that you have been allocated an address from the DHCP server.

[Figure: ifconfig]

If this does not work, check again that the RADIUS client works, using the diagnose test authserver command from step 2. If that is OK, check your certificates, paying attention to the "valid from" date and time.

[Figure: diag1]

[Figure: ca]
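To make the certificate side of steps 1 and 4 concrete, the following added example (not part of the Fortinet recipe) reproduces with openssl what FortiAuthenticator builds in step 1, a self-signed root CA and a service certificate issued by it, and then runs the two checks that the troubleshooting advice above relies on: whether the service certificate chains to the CA the supplicant trusts, and whether its validity window is current. The names myCA, myCert, otherCA and the server CN fac.example.com are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Fortinet recipe: a self-signed root CA plus a
# service certificate signed by it (step 1), and the checks behind step 4
# (chain validation against the supplicant's CA file; validity window).
# All names are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed root CA: $WORK/<name>.key and $WORK/<name>.crt
make_ca() {
  name="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Create a service certificate for the authentication server, signed by the
# named CA (the Issuer chosen in step 1). Arguments: ca_name server_cn cert_name
make_service_cert() {
  ca="$1"; cn="$2"; name="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 \
    -in "$WORK/$name.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -out "$WORK/$name.crt" >/dev/null 2>&1
}

# The supplicant-side check: verify the service certificate against the CA file
# installed on the client. openssl verify also enforces the validity window, so
# a certificate whose "valid from" time lies in the future fails here as well.
# Arguments: ca_name cert_name. Returns 0 on success, non-zero otherwise.
verify_chain() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Print the validity window (notBefore/notAfter) of a certificate.
cert_dates() {
  openssl x509 -in "$WORK/$1.crt" -noout -dates
}

# Print the subject CN of a certificate (the value a supplicant can pin).
cert_cn() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone run: build the CA and certificate, then show both checks.
make_ca myCA
make_service_cert myCA fac.example.com myCert
cert_dates myCert
verify_chain myCA myCert && echo "myCert chains to myCA: OK"
# Failure mode: the supplicant trusts a different CA, so server validation fails
# and the EAP-TTLS tunnel is never established.
make_ca otherCA
verify_chain otherCA myCert || echo "myCert does not chain to otherCA (expected)"
```

The CA file that passes verify_chain is the one to export to the supplicant; if the step 4 check fails with a "not yet valid" error, the clock on the supplicant or on the CA host was wrong when the certificate was issued, which is the "valid from" problem the recipe points at.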

The post 802.1X with VLAN Switch interfaces on a FortiGate appeared first on Fortinet Cookbook.
