Friday, July 6, 2012

802.1x for FortiOS


A. Client side: how to enable 802.1X on Windows 7

To enable 802.1X on a wired network

You must be logged on as an administrator to perform these steps.
To complete this procedure, you must first enable the Wired AutoConfig service, which is turned off by default.
  1. Click the Start button, type services.msc in the Search box, and then press ENTER. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  2. In the Services dialog box, click the Standard tab, right-click Wired AutoConfig, and then click Start.
  3. Open Network Connections: click the Start button, then Control Panel, Network and Internet, Network and Sharing Center, and then Manage network connections.
  4. Right-click the connection that you want to enable 802.1X authentication for, and then click Properties. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  5. Click the Authentication tab, and then select the Enable IEEE 802.1X authentication check box.
  6. In the Choose a network authentication method list, click the method you want to use.
    [Note] I am using PEAP, which works with FortiOS.

   7. PEAP settings:
         7.1 Uncheck "Validate server certificate"
         7.2 Select EAP-MSCHAP v2 (Configure: do not use the Windows logon name and password)
         7.3 Enable fast reconnect
   8. Additional settings:
         8.1 Specify authentication mode: user authentication
         8.2 Save credentials (jkxxx/qa6xxxxx)

   Caveat on 7.1: leaving server certificate validation off is a lab shortcut. Without it the client will complete the PEAP tunnel with whatever RADIUS server answers on the port, which exposes the MS-CHAPv2 exchange to a rogue authenticator. In production, keep "Validate server certificate" checked and restrict it to the CA and server name of your RADIUS server.

B. FortiOS side:
config system interface
    edit "switch"
        set vdom "root"
        set ip 3.2.4.111 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm auto-ipsec
        set type physical
        set security-mode 802.1X
        set security-groups "remote_auth"
    next
end

802_1x # diagnose debug application fnbamd 255
802_1x #
fnbamd_fsm.c[1395] handle_req-Rcvd auth req 5636109 for host/jkxxx-Win7 in remote_auth opt=256 prot=4
fnbamd_radius.c[971] fnbamd_radius_auth_send-Sent radius req to 172.18.9.28: code=1 id=16 len=173 user="host/jkxxx-Win7" using MS-CHAPv2
fnbamd_auth.c[582] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_auth.c[323] ldap_start-Didn't find ldap servers (0)
fnbamd_auth.c[1843] fnbamd_auth_handle_radius_result-->Result for radius svr 172.18.9.28(0) is 1
fnbamd_comm.c[146] fnbamd_comm_send_result-Sending result 1 for req 5636109
fnbamd_fsm.c[1395] handle_req-Rcvd auth req 5636110 for jkxxx in remote_auth opt=256 prot=4
fnbamd_radius.c[971] fnbamd_radius_auth_send-Sent radius req to 172.18.9.28: code=1 id=17 len=163 user="jkxxx" using MS-CHAPv2
fnbamd_auth.c[582] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_auth.c[323] ldap_start-Didn't find ldap servers (0)
fnbamd_auth.c[1843] fnbamd_auth_handle_radius_result-->Result for radius svr 172.18.9.28(0) is 0
fnbamd_auth.c[1867] fnbamd_auth_handle_radius_result-Skipping group matching
fnbamd_comm.c[146] fnbamd_comm_send_result-Sending result 0 for req 5636110

Reading the trace: the first request (5636109) is the Windows machine-account identity host/jkxxx-Win7, which the RADIUS server at 172.18.9.28 rejects (result 1 = denied). The second request (5636110) carries the saved user credential jkxxx and comes back with result 0 = accepted, which is the one that opens the port. The "Didn't find tac_plus servers" and "Didn't find ldap servers" lines only mean that the remote_auth group contains no TACACS+ or LDAP servers, so fnbamd tried RADIUS alone.
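When there is more than one client on the port, the fnbamd trace gets long fast. The following parser, added here as an example and not code from the original post or from FortiOS, groups the debug lines into one record per "Rcvd auth req" and reports identity, RADIUS server, inner method and verdict. It assumes the line formats shown above (the sample input is the page's own trace with the CLI prompt removed, embedded as constructed test data) and fnbamd's result codes 0 = accepted and 1 = denied; any other code is reported verbatim.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the fnbamd trace from the page, CLI prompt removed.
SAMPLE_TRACE = """\
fnbamd_fsm.c[1395] handle_req-Rcvd auth req 5636109 for host/jkxxx-Win7 in remote_auth opt=256 prot=4
fnbamd_radius.c[971] fnbamd_radius_auth_send-Sent radius req to 172.18.9.28: code=1 id=16 len=173 user="host/jkxxx-Win7" using MS-CHAPv2
fnbamd_auth.c[582] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_auth.c[323] ldap_start-Didn't find ldap servers (0)
fnbamd_auth.c[1843] fnbamd_auth_handle_radius_result-->Result for radius svr 172.18.9.28(0) is 1
fnbamd_comm.c[146] fnbamd_comm_send_result-Sending result 1 for req 5636109
fnbamd_fsm.c[1395] handle_req-Rcvd auth req 5636110 for jkxxx in remote_auth opt=256 prot=4
fnbamd_radius.c[971] fnbamd_radius_auth_send-Sent radius req to 172.18.9.28: code=1 id=17 len=163 user="jkxxx" using MS-CHAPv2
fnbamd_auth.c[582] auth_tac_plus_start-Didn't find tac_plus servers (0)
fnbamd_auth.c[323] ldap_start-Didn't find ldap servers (0)
fnbamd_auth.c[1843] fnbamd_auth_handle_radius_result-->Result for radius svr 172.18.9.28(0) is 0
fnbamd_auth.c[1867] fnbamd_auth_handle_radius_result-Skipping group matching
fnbamd_comm.c[146] fnbamd_comm_send_result-Sending result 0 for req 5636110
"""

# Line patterns, taken from the trace format shown on the page.
RE_REQ = re.compile(r"handle_req-Rcvd auth req (\d+) for (\S+) in (\S+)")
RE_SEND = re.compile(r'Sent radius req to ([\d.]+): .*user="([^"]*)" using (\S+)')
RE_SVR = re.compile(r"Result for radius svr ([\d.]+)\(\d+\) is (\d+)")
RE_DONE = re.compile(r"Sending result (\d+) for req (\d+)")

# fnbamd reports the final outcome as a small integer: 0 = accepted, 1 = denied.
RESULT_NAMES = {0: "accepted", 1: "denied"}


@dataclass
class AuthAttempt:
    req_id: int
    identity: str          # EAP identity as seen by fnbamd
    group: str             # user group named in the interface's security-groups
    server: Optional[str] = None
    method: Optional[str] = None
    server_results: list[tuple[str, int]] = field(default_factory=list)
    result: Optional[int] = None

    @property
    def is_machine_auth(self) -> bool:
        # Windows sends host/<computer name> when it authenticates the machine account
        return self.identity.startswith("host/")

    @property
    def verdict(self) -> str:
        if self.result is None:
            return "incomplete"
        return RESULT_NAMES.get(self.result, f"result {self.result}")


def parse_fnbamd_trace(text: str) -> list[AuthAttempt]:
    """Group fnbamd debug lines into one AuthAttempt per 'Rcvd auth req'.

    The RADIUS send/result lines carry no request id, so they are attributed
    to the request currently in flight; 'Sending result N for req X' closes it.
    """
    attempts: list[AuthAttempt] = []
    current: Optional[AuthAttempt] = None
    for line in text.splitlines():
        m = RE_REQ.search(line)
        if m:
            current = AuthAttempt(int(m[1]), m[2], m[3])
            attempts.append(current)
            continue
        if current is None:
            continue
        m = RE_SEND.search(line)
        if m:
            current.server, current.method = m[1], m[3]
            continue
        m = RE_SVR.search(line)
        if m:
            current.server_results.append((m[1], int(m[2])))
            continue
        m = RE_DONE.search(line)
        if m and int(m[2]) == current.req_id:
            current.result = int(m[1])
            current = None
    return attempts


def summarize(attempts: list[AuthAttempt]) -> list[str]:
    """One triage line per attempt: who, through which server and method, and the verdict."""
    lines = []
    for a in attempts:
        kind = "machine" if a.is_machine_auth else "user"
        lines.append(
            f"req {a.req_id}: {kind} auth for {a.identity} in group {a.group} "
            f"via {a.server or '?'} ({a.method or '?'}): {a.verdict}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(parse_fnbamd_trace(SAMPLE_TRACE)):
        print(line)
```

Run against the page's trace it reports the machine-account attempt as denied and the user attempt as accepted, which is the pattern to expect with the client set to "user authentication": the host/ request is Windows trying the computer account first, and only the saved user credential is meant to succeed. Feed it a longer capture from "diagnose debug application fnbamd 255" to spot clients whose user attempt never reaches result 0.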