9.2.3.10. Fortinet
9.2.3.10.1. FortiSwitch 124F
Firmware: v7.2.3-build434
Administration Portal > ON CMDB > Network Devices Brand/Model: Fortinet/Generic
9.2.3.10.1.1. FortiLink
In this case, the configuration detailed in this document will be based on a use case in which the switch will be configured through FortiLink.
This Switch will be managed by a FortiGate connected to the Switch through FortiLink.
Please note that due to the use of FortiLink, some of the settings will need to be done on the FortiGate and others on the FortiSwitch.
Fortilink hyperlink: Fortilink.
9.2.3.10.1.2. VLAN Definition
In FortiGate, to be able to assign VLANs dynamically through RADIUS, it is necessary to define the VLANs as follows:
Create the VLAN on the FortiLink-enabled interface:
config system interface
    edit <vlan name>
        set vdom root
        set vlanid <1-4094>
        set color <1-32>
        set interface <FortiLink-enabled interface>
        set switch-controller-dhcp-snooping enable
    next
end
Set the VLAN's IP address:
config system interface
    edit <vlan name>
        set ip <IP address> <Network mask>
    next
end
(Extra) If we need to create a DHCP server for the VLANs:
Example:
config system dhcp server
    edit <dhcp-server-number>
        set dns-service default
        set default-gateway 10.10.11.254
        set netmask 255.255.255.0
        set interface <vlan name>
        config ip-range
            edit 1
                set start-ip 10.10.11.1
                set end-ip 10.10.11.200
            next
        end
    next
end
9.2.3.10.1.3. RADIUS Configuration
9.2.3.10.1.3.1. RADIUS
Configure the RADIUS server:
config user radius
    edit "opennac"
        set server <OpenNAC IP>
        set secret <Radius-Shared-Key>
        set acct-interim-interval 60
        set radius-coa enable
        config accounting-server
            edit 1
                set status enable
                set server <OpenNAC IP>
                set secret <Radius-Shared-Key>
                set port 1812
            next
        end
    next
end
Configure the user group:
config user group
    edit "opennac-grp"
        set member "opennac"
    next
end
9.2.3.10.1.3.2. Firewall Policies
For the FortiLink switches to be able to communicate with the RADIUS server and perform authentications, a policy must be created on the FortiGate to allow the traffic.
To do this, in FortiGate:
config firewall policy
    edit <policy number>
        set srcintf "fortilink-interface"
        set dstintf "outbound-interface-to-RadiusSVR"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "RADIUS"
        set nat disable
    next
end
This policy is indicative and should be tightened if a higher level of security is required. In any case, RADIUS communication (UDP 1812/1813) between the switches and the RADIUS server must always be allowed.
9.2.3.10.1.4. Dot1x Configuration
To configure 802.1X, we must create a security policy and apply it to the authenticating interfaces:
Security policy:
config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set security-mode 802.1X
        set user-group "opennac-grp"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set eap-auto-untagged-vlans enable
        set guest-vlan disable
        set guest-auth-delay 30
        set auth-fail-vlan disable
        set framevid-apply enable
        set radius-timeout-overwrite disable
        set policy-type 802.1X
        set authserver-timeout-vlan disable
    next
end
Apply the policy to an interface:
config switch-controller managed-switch
    edit <FORTILINK-SWITCH-ID>
        config ports
            edit "portN"
                set port-security-policy "802-1X-policy-default"
            next
        end
    next
end
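The user group, the 802.1X security policy and the per-port assignment above reference each other by name, and a typo in any of them is easy to miss when the blocks are typed by hand. As an added example (not from the original page, Fortinet or OpenNAC), the following Python script parses FortiOS-style `config`/`edit`/`set` text into `{table path: {entry: {setting: values}}}` and reports names that a `set` points at but no `edit` defines; the sample configuration is constructed, with a misspelled group name and a port that names a policy that was never created.

```python
import shlex
from collections import defaultdict
# Constructed sample (not a real dump): the group name in the 802.1X policy and
# the policy named on port6 are deliberately wrong so the check reports them.
SAMPLE_CONFIG = """config user group
    edit "opennac-grp"
    next
end
config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set user-group "opennac-Grp1"
    next
end
config switch-controller managed-switch
    edit "FORTILINK-SWITCH-ID"
        config ports
            edit "port6"
                set port-security-policy "802-1X-policy-guest"
            next
        end
    next
end"""

def parse_fortios(text):
    tables, stack, entries = defaultdict(dict), [], []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))  # nested tables are joined with "/"
        elif tok[0] == "edit":
            entries.append(tok[1])
            tables["/".join(stack)].setdefault(tok[1], {})
        elif tok[0] == "set":
            tables["/".join(stack)][entries[-1]][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            (entries if tok[0] == "next" else stack).pop()
    return tables

def check_references(text):
    # A name a 'set' points at must exist as an 'edit' in the table it refers to.
    t, problems = parse_fortios(text), []
    for name, s in t["switch-controller security-policy 802-1X"].items():
        for g in s.get("user-group", []):
            if g not in t["user group"]:
                problems.append(f"policy {name}: unknown user-group {g}")
    for port, s in t["switch-controller managed-switch/ports"].items():
        for p in s.get("port-security-policy", []):
            if p not in t["switch-controller security-policy 802-1X"]:
                problems.append(f"{port}: unknown port-security-policy {p}")
    return problems
```

Run `check_references` over the output of `show full-configuration` to catch the same class of mismatch on a live FortiGate.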
9.2.3.10.1.4.1. MAC-Address Bypass (MAB)
To enable the MAC-Authentication functionality (used to perform MAB):
config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set mac-auth-bypass enable
    next
end
9.2.3.10.1.5. Dot1x Features
9.2.3.10.1.5.1. Default VLAN
The default VLAN is the one assigned when the OpenNAC policy specifies the default VLAN.
Create the FortiSwitch VLAN on the FortiGate as described in the VLAN Definition section.
Define the native VLAN for the port in the FortiSwitch configuration:
config switch interface
    edit portN
        set native-vlan <VLAN-ID>
    next
end
9.2.3.10.1.5.2. Critical VLAN
The critical VLAN is the one in which connections are placed when the RADIUS servers are not available for authorization.
config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set authserver-timeout-vlan enable
        set authserver-timeout-vlanid <VLAN-NAME>
    next
end
9.2.3.10.1.5.3. Reject VLAN
The reject VLAN is the one in which connections are placed when the RADIUS servers refuse the authentication of the device (Access-Reject).
config switch-controller security-policy 802-1X
    edit "802-1X-policy-default"
        set auth-fail-vlan enable
        set auth-fail-vlan-id <VLAN-NAME>
    next
end
9.2.3.10.1.5.4. Re-Auth Period
To configure the reauthentication period, apply the following configuration on the FortiSwitch:
Set the switch default configuration:
config switch global
    config port-security
        set mab-reauth enable
        set reauth-period <0-1440 minutes>
    end
end
Additionally, to define a reauthentication period for a specific session and assign it through OpenNAC, apply the following configuration on the FortiSwitch:
config switch interface
    edit <port>
        config port-security
            set radius-timeout-overwrite enable
        end
    next
end
And use the following Extra Radius Param (Session-Timeout) in the OpenNAC policy (Value in seconds):
9.2.3.10.1.6. Security Profiles (ACLs)
This configuration must be set on the FortiSwitch.
To enable DACL on an interface:
config switch interface
    edit <interface_name>
        config port-security
            set dacl enable
        end
    next
end
9.2.3.10.1.6.1. Static Security Profile
Static security profiles are those in which OpenNAC selects an ACL that already exists on the network device and applies it to the connection being established.
To define an ACL on the switch, for example:
config switch acl 802-1X
    edit 1
        config access-list-entry
            edit 1
                config action
                    set count enable
                end
                config classifier
                    set ether-type 0x0800
                    set service "DHCP"
                end
                set description "Allow DHCP Traffic"
            next
            edit 2
                config action
                    set count enable
                end
                config classifier
                    set dst-ip-prefix 10.200.5.20 255.255.255.255
                    set ether-type 0x0800
                    set service "ALL"
                end
                set description "Allow All Traffic To Captive ETH1"
            next
            edit 3
                config action
                    set count enable
                    set drop enable
                end
                config classifier
                    set ether-type 0x0800
                    set service "ALL"
                end
                set description "Deny Any Any"
            next
        end
        set description "Dead End ACL - Filter ID"
        set filter-id "dead_end"
    next
end
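The Default VLAN, Re-Auth Period and Static Security Profile settings above all take effect through attributes in the RADIUS Access-Accept: the RFC 2868 tunnel attributes for the VLAN, Filter-Id matching the ACL's filter-id (such as "dead_end") and Session-Timeout in seconds. As an added example that is not part of the original page or of OpenNAC, the following Python code encodes those attributes and decodes them back, which is useful for checking what an Access-Accept captured on the wire actually asked the switch to do. Attribute numbers come from RFC 2865/2868, the sample values are constructed, and the RADIUS header and authenticator are left out.

```python
import struct
# RADIUS attribute types (RFC 2865 / RFC 2868) carrying the per-session decisions
# this page configures the switch to honour.
FILTER_ID, SESSION_TIMEOUT = 11, 27
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TAGGED = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}
VLAN_TUNNEL_TYPE, MEDIUM_IEEE_802 = 13, 6

def encode_attr(atype, value, tag=0):
    # One Type-Length-Value attribute; tunnel attributes carry an RFC 2868 tag byte.
    if isinstance(value, int):
        body = struct.pack("!I", value)
        if atype in TAGGED:  # the tag replaces the top byte of the 4-byte integer
            body = bytes([tag]) + body[1:]
    else:
        body = value.encode()
        if atype in TAGGED:  # for strings the tag is prepended
            body = bytes([tag]) + body
    return struct.pack("!BB", atype, 2 + len(body)) + body

def access_accept_attrs(vlan, filter_id=None, session_timeout=None, tag=1):
    # Dynamic VLAN (tunnel attributes), static ACL (Filter-Id), re-auth (Session-Timeout)
    out = encode_attr(TUNNEL_TYPE, VLAN_TUNNEL_TYPE, tag)
    out += encode_attr(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802, tag)
    out += encode_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan), tag)
    if filter_id is not None:
        out += encode_attr(FILTER_ID, filter_id)
    if session_timeout is not None:
        out += encode_attr(SESSION_TIMEOUT, session_timeout)
    return out

def decode_attrs(data):
    # Walk the TLV list back into the three decisions; reject malformed lengths.
    result, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 3 or i + data[i + 1] > len(data):
            raise ValueError(f"malformed attribute at offset {i}")
        atype, alen = data[i], data[i + 1]
        body = data[i + 2:i + alen]
        if atype in TAGGED and body[0] <= 0x1F:  # tags are 0x01-0x1F (0x00 = untagged)
            body = body[1:]
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = body.decode()
        elif atype == FILTER_ID:
            result["filter_id"] = body.decode()
        elif atype == SESSION_TIMEOUT:
            result["session_timeout"] = int.from_bytes(body, "big")
        i += alen
    return result
```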
9.2.3.10.1.6.2. Dynamic Security Profile
Dynamic security profiles are those in which OpenNAC sends an ACL that is not previously defined on the network device.
For more information on how to build the ACL, see the following link:
Fortinet Dynamic ACL: Fortinet Dynamic ACL.
9.2.3.10.1.7. TogglePort
9.2.3.10.1.7.1. Firewall Policy
Since the FortiSwitch may be behind a FortiGate, a policy that allows the OpenNAC server to open connections to the FortiSwitch will be necessary.
To do this, create a firewall policy that allows it:
config firewall policy
    edit <policy number>
        set srcintf "outbound-interface-to-RadiusSVR"
        set dstintf "fortilink-interface"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
This policy is indicative and should be tightened if a higher level of security is required. In any case, SNMP (UDP 161) or CoA (UDP 3799) communication between the RADIUS server and the switches must always be allowed, depending on the TogglePort type.
9.2.3.10.1.7.2. CoA
To perform policy reevaluation through CoA, this functionality must be enabled and the clients defined with their shared key:
config user radius
    edit "opennac"
        set radius-coa enable
    next
end
Enable radius-acct in the FortiGate local-access security policy:
config switch-controller security-policy local-access
    edit default
        append internal-allowaccess radius-acct
    next
end
Warning
IMPORTANT! CoA and Disconnect messages MUST be sent from the IP registered in the switches as a RADIUS server; if the packet is sent from an unregistered IP, the TogglePort will fail.
9.2.3.10.1.8. NetConf & NetBackup
We can apply remote configuration and retrieve a configuration backup from the OpenNAC Administration Portal.
9.2.3.10.1.9. Troubleshooting & Monitoring
Show the configuration:
show full-configuration
Display authenticated users:
diagnose switch-controller switch-info 802.1X
Display applied dynamic ACLs:
diagnose switch 802-1x status-dacl port1
Test RADIUS authentication:
diagnose test authserver radius <radius server_name> <authentication scheme> <username> <password>
Debug RADIUS authentication:
diagnose debug enable
diagnose debug application fnbamd 255
Debug RADIUS CoA:
diagnose user radius coa
diagnose debug enable
diagnose debug application radius_das 255