Based on the provided exhibit and Fortinet's official documentation for FortiOS and FortiSwitch, particularly the NSE 7 - LAN Edge 7.0 materials and the FortiSwitch Administration Guide, the behavior of the FortiSwitch security policy can be analyzed as follows:
The exhibit shows a FortiSwitch security policy configured with the following key settings:
Security mode: Port-based
User groups: FAC-Lab-User (a wired user group)
Guest VLAN: set to "onboarding"
Guest authentication delay: 30 seconds
Authentication fail VLAN: set to "quarantine"
MAC authentication bypass: disabled
EAP pass-through: enabled
Override RADIUS timeout: disabled
Analysis of the Scenario:
The question specifies that a device that does not support 802.1X authentication is connected to a port to which this Port-Security policy is applied. Because the device has no 802.1X supplicant, it cannot take part in the standard 802.1X exchange, so the FortiSwitch falls back to the other settings in the policy to decide how the port is treated:
Guest VLAN configuration: The Guest VLAN is set to "onboarding." According to Fortinet documentation, when a device does not authenticate via 802.1X (for example, because it lacks supplicant support) and a Guest VLAN is configured, the FortiSwitch assigns the port to that Guest VLAN once the guest authentication delay has elapsed (30 seconds in this case). The "onboarding" VLAN is typically a restricted network segment where unauthenticated devices can be redirected to a captive portal or another onboarding process.
Authentication Fail VLAN: The Authentication Fail VLAN is set to "quarantine," which applies only when an authentication attempt is made and fails. Since the device does not support 802.1X, no authentication attempt is initiated, so this setting is not triggered.
MAC Authentication Bypass: This option is disabled, so the FortiSwitch will not attempt to authenticate the device using its MAC address as the username and password.
EAP pass-through: This is enabled, allowing EAP frames to be forwarded to an external RADIUS server, but it is irrelevant here because the device never sends EAP frames.
Port shutdown: Nothing in the configuration or in Fortinet documentation indicates that the port is shut down for a device that does not support 802.1X when a Guest VLAN is configured.
Conclusion:
When a device does not support 802.1X authentication and the security policy is set to Port-based with a Guest VLAN configured (set to "onboarding"), the FortiSwitch assigns the port to the Guest VLAN (onboarding) after the guest authentication delay (30 seconds). This behavior is consistent with Fortinet's design for handling unauthenticated devices in a secure network environment, as outlined in the FortiSwitch Port Security and VLAN assignment sections of the official documentation.
Why not the other options?
B. FortiSwitch shuts down the port: This action would occur only if the port security policy were configured to shut down the port upon authentication failure or a violation (e.g., exceeding a limit on MAC addresses), which is not indicated in this configuration.
C. FortiSwitch assigns the port to the quarantine VLAN: The quarantine VLAN is configured as the Authentication Fail VLAN, which applies only after an unsuccessful authentication attempt. Since no 802.1X authentication is attempted due to the device's lack of support, this does not apply.
D. FortiSwitch authenticates the device using the device MAC address as username and password: This requires MAC authentication bypass to be enabled, which it is not in this configuration.
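To make the reasoning in the analysis and the "why not" options checkable, the following is an added example (not FortiOS code and not from the exam materials) that models the policy from the exhibit and returns the port outcome for each device case. The fallback outcomes for a policy with no Guest VLAN or no Authentication Fail VLAN configured are simplifying assumptions, not behaviour stated on the page.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SecurityPolicy:
    """Constructed model of the FortiSwitch security policy shown in the exhibit."""
    security_mode: str = "port-based"
    user_group: str = "FAC-Lab-User"
    guest_vlan: Optional[str] = "onboarding"
    guest_auth_delay: int = 30            # seconds before the Guest VLAN is applied
    auth_fail_vlan: Optional[str] = "quarantine"
    mac_auth_bypass: bool = False
    eap_passthrough: bool = True


@dataclass
class Device:
    supports_8021x: bool
    valid_credentials: bool = False       # only meaningful when an 802.1X attempt happens
    mac_known_to_radius: bool = False     # only meaningful when MAB is enabled


def port_outcome(policy: SecurityPolicy, dev: Device) -> dict:
    """Return the VLAN or action the port ends up in, following the decision order in the text."""
    if not dev.supports_8021x:
        if policy.mac_auth_bypass:
            # MAB: the MAC address is tried as username and password against RADIUS.
            if dev.mac_known_to_radius:
                return {"action": "authorized", "via": "mac-auth-bypass", "delay": 0}
            if policy.auth_fail_vlan:   # assumption: a failed MAB attempt counts as a failed attempt
                return {"action": "vlan", "vlan": policy.auth_fail_vlan, "via": "auth-fail", "delay": 0}
        if policy.guest_vlan:
            # No 802.1X supplicant and no MAB: Guest VLAN after the guest authentication delay.
            return {"action": "vlan", "vlan": policy.guest_vlan, "via": "guest",
                    "delay": policy.guest_auth_delay}
        return {"action": "unauthorized", "via": "no-fallback", "delay": 0}  # assumption
    # A supplicant is present, so an 802.1X authentication attempt is actually made.
    if dev.valid_credentials:
        return {"action": "authorized", "via": "802.1x", "group": policy.user_group, "delay": 0}
    if policy.auth_fail_vlan:
        return {"action": "vlan", "vlan": policy.auth_fail_vlan, "via": "auth-fail", "delay": 0}
    return {"action": "unauthorized", "via": "auth-failed", "delay": 0}  # assumption


if __name__ == "__main__":
    exhibit = SecurityPolicy()
    print(port_outcome(exhibit, Device(supports_8021x=False)))          # onboarding after 30 s
    print(port_outcome(exhibit, Device(supports_8021x=True)))           # quarantine (failed attempt)
    print(port_outcome(SecurityPolicy(mac_auth_bypass=True), Device(False, mac_known_to_radius=True)))
```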
Source Verification:
The answer is verified through the FortiSwitch Administration Guide (FortiOS 7.0) and NSE 7 - LAN Edge 7.0 training materials, specifically the sections on Port Security, 802.1X, and VLAN assignment for unauthenticated devices.