Step 1: Configure the MAC address and define the username.

Step 2: Create a group for the MAC device. Make sure to select MAC while creating the group.

Step 3: Configure the RADIUS policy. In device authorization, enable verifying the MAC address in authentication requests and refer to the authorized group.

In this example, FortiAuthenticator is integrated with FortiGate, and a user-based policy is configured with the RADIUS group.

Solution:

RADIUS debug output from FortiAuthenticator:

Case 1: user wilber with group2 and MAC New1:

```
2025-04-29T07:04:43.295662-07:00 FortiAuthenticator radiusd[1770]: (8) Received Access-Request Id 138 from 10.38.9.85:1551 to 10.38.9.45:1812 length 173
2025-04-29T07:04:43.295700-07:00 FortiAuthenticator radiusd[1770]: (8) User-Password = <<< secret >>>
2025-04-29T07:04:43.295717-07:00 FortiAuthenticator radiusd[1770]: (8) User-Name = "wilber"
2025-04-29T07:04:43.295729-07:00 FortiAuthenticator radiusd[1770]: (8) NAS-Identifier = "boson-kvm85"
2025-04-29T07:04:43.295754-07:00 FortiAuthenticator radiusd[1770]: (8) Framed-IP-Address = 10.38.0.3
2025-04-29T07:04:43.295769-07:00 FortiAuthenticator radiusd[1770]: (8) NAS-Port = 1
2025-04-29T07:04:43.295782-07:00 FortiAuthenticator radiusd[1770]: (8) NAS-Port-Type = Virtual
2025-04-29T07:04:43.295794-07:00 FortiAuthenticator radiusd[1770]: (8) Called-Station-Id = "00-62-6F-73-55-01"
2025-04-29T07:04:43.295805-07:00 FortiAuthenticator radiusd[1770]: (8) Calling-Station-Id = "00-78-65-6E-73-01"
2025-04-29T07:04:43.295816-07:00 FortiAuthenticator radiusd[1770]: (8) Acct-Session-Id = "000007ef0db6f003"
2025-04-29T07:04:43.295827-07:00 FortiAuthenticator radiusd[1770]: (8) Connect-Info = "web-auth"
2025-04-29T07:04:43.296082-07:00 FortiAuthenticator radiusd[1770]: (8) Fortinet-Vdom-Name = "root"
2025-04-29T07:04:43.296109-07:00 FortiAuthenticator radiusd[1770]: (8) Message-Authenticator = 0xaafa48bb32be5a155263e75517cb21d4
2025-04-29T07:04:43.296129-07:00 FortiAuthenticator radiusd[1770]: (8) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2025-04-29T07:04:43.296238-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: ===>NAS IP:10.38.9.85
2025-04-29T07:04:43.296250-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: ===>Username:wilber
2025-04-29T07:04:43.296268-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: ===>Timestamp:1745935483.294844, age:1ms
2025-04-29T07:04:43.297259-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Found authclient from preloaded authclients list for 10.38.9.85: Fortigate (10.38.9.85)
2025-04-29T07:04:43.299725-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Found authpolicy 'Policy2' for client '10.38.9.85'
2025-04-29T07:04:43.301658-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Pass MAC filtering with group_id=3.
2025-04-29T07:04:43.301682-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Setting 'Auth-Type := FACAUTH'
2025-04-29T07:04:43.301709-07:00 FortiAuthenticator radiusd[1770]: Not doing PAP as Auth-Type is already set.
2025-04-29T07:04:43.301732-07:00 FortiAuthenticator radiusd[1770]: (8) # Executing group from file /usr/etc/raddb/sites-enabled/default
2025-04-29T07:04:43.301779-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Client type: external (subtype: radius)
2025-04-29T07:04:43.301792-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Input raw_username: wilber Realm: (null) username: wilber
2025-04-29T07:04:43.301803-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Searching default realm as well
2025-04-29T07:04:43.301823-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Realm not specified, default goes to FAC local user
2025-04-29T07:04:43.304869-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Local user found: wilber
2025-04-29T07:04:43.304893-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2025-04-29T07:04:43.304909-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Policy [fido_auth_opt: disabled, twofactor: password only, no_fido: two factor, revoked: reject]
2025-04-29T07:04:43.304924-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Decided on [is_fido: false, two_factor: password only, token_type: none]
2025-04-29T07:04:43.307837-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Authentication OK
2025-04-29T07:04:43.307855-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Setting 'Post-Auth-Type := FACAUTH'
2025-04-29T07:04:43.309228-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Add Static Radius attribute: attr_id:809762817 (attr 1, vendor 12356) attr_val:'Group2'
2025-04-29T07:04:43.309539-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: update_fac_authlog:164 nas_str = 10.38.9.85~10.38.0.3.
2025-04-29T07:04:43.309596-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Updated auth log 'wilber' for attempt from 10.38.9.85~10.38.0.3: Local user authentication from 10.38.0.3 with no token successful
2025-04-29T07:04:43.309629-07:00 FortiAuthenticator radiusd[1770]: (8) # Executing group from file /usr/etc/raddb/sites-enabled/default
2025-04-29T07:04:43.309677-07:00 FortiAuthenticator radiusd[1770]: (8) Sent Access-Accept Id 138 from 10.38.9.45:1812 to 10.38.9.85:1551 length 52
2025-04-29T07:04:43.309685-07:00 FortiAuthenticator radiusd[1770]: (8) Message-Authenticator := 0x00
2025-04-29T07:04:43.309692-07:00 FortiAuthenticator radiusd[1770]: (8) Fortinet-Group-Name += "Group2"
2025-04-29T07:04:43.632607-07:00 FortiAuthenticator radiusd[1770]: Waking up in 29.6 seconds.
```

Case 2: user wilber with group2 and MAC New2.

```
2025-04-29T07:07:12.494574-07:00 FortiAuthenticator radiusd[1770]: (11) Received Access-Request Id 141 from 10.38.9.85:10394 to 10.38.9.45:1812 length 174
2025-04-29T07:07:12.494616-07:00 FortiAuthenticator radiusd[1770]: (11) CHAP-Password = 0x4651a77eda8b6d6aabcffc0e24d056ee46
2025-04-29T07:07:12.494630-07:00 FortiAuthenticator radiusd[1770]: (11) User-Name = "wilber"
2025-04-29T07:07:12.494642-07:00 FortiAuthenticator radiusd[1770]: (11) NAS-Identifier = "boson-kvm85"
2025-04-29T07:07:12.494666-07:00 FortiAuthenticator radiusd[1770]: (11) Framed-IP-Address = 10.38.0.3
2025-04-29T07:07:12.494682-07:00 FortiAuthenticator radiusd[1770]: (11) NAS-Port = 1
2025-04-29T07:07:12.494695-07:00 FortiAuthenticator radiusd[1770]: (11) NAS-Port-Type = Virtual
2025-04-29T07:07:12.494707-07:00 FortiAuthenticator radiusd[1770]: (11) Called-Station-Id = "00-62-6F-73-55-01"
2025-04-29T07:07:12.494719-07:00 FortiAuthenticator radiusd[1770]: (11) Calling-Station-Id = "00-78-65-6E-73-01"
2025-04-29T07:07:12.494731-07:00 FortiAuthenticator radiusd[1770]: (11) Acct-Session-Id = "000007ef0db6f004"
2025-04-29T07:07:12.494742-07:00 FortiAuthenticator radiusd[1770]: (11) Connect-Info = "web-auth"
2025-04-29T07:07:12.494753-07:00 FortiAuthenticator radiusd[1770]: (11) Fortinet-Vdom-Name = "root"
2025-04-29T07:07:12.494765-07:00 FortiAuthenticator radiusd[1770]: (11) Message-Authenticator = 0xc060fd64abb96a002603acf449dc5029
2025-04-29T07:07:12.494786-07:00 FortiAuthenticator radiusd[1770]: (11) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2025-04-29T07:07:12.494857-07:00 FortiAuthenticator radiusd[1770]: (11) chap: &control:Auth-Type := CHAP
2025-04-29T07:07:12.494948-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: ===>NAS IP:10.38.9.85
2025-04-29T07:07:12.494961-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: ===>Username:wilber
2025-04-29T07:07:12.494979-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: ===>Timestamp:1745935632.493989, age:0ms
2025-04-29T07:07:12.495739-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: Found authclient from preloaded authclients list for 10.38.9.85: Fortigate (10.38.9.85)
2025-04-29T07:07:12.498263-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: Found authpolicy 'Policy2' for client '10.38.9.85'
2025-04-29T07:07:12.500082-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: Failed MAC filtering, deny access
2025-04-29T07:07:12.500208-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: Updated auth log 'wilber' for attempt from 10.38.9.85: MAC-filtering failed for device '00-78-65-6E-73-01': MAC address not filtered by NAS groups
2025-04-29T07:07:12.500255-07:00 FortiAuthenticator radiusd[1770]: (11) # Executing group from file /usr/etc/raddb/sites-enabled/default
2025-04-29T07:07:12.828721-07:00 FortiAuthenticator radiusd[1770]: Waking up in 0.6 seconds.
2025-04-29T07:07:13.504763-07:00 FortiAuthenticator radiusd[1770]: (11) Sent Access-Reject Id 141 from 10.38.9.45:1812 to 10.38.9.85:10394 length 38
2025-04-29T07:07:13.504812-07:00 FortiAuthenticator radiusd[1770]: (11) Message-Authenticator := 0x00
2025-04-29T07:07:13.504906-07:00 FortiAuthenticator radiusd[1770]: Waking up in 26.9 seconds.
2025-04-29T07:07:40.504739-07:00 FortiAuthenticator radiusd[1770]: Waking up in 0.9 seconds.
2025-04-29T07:07:41.492608-07:00 FortiAuthenticator radiusd[1770]: Waking up in 1.0 seconds.
```

Note: To implement MAC-based authentication, the MAC address should be sent to the authenticator from the RADIUS client. If the RADIUS client does not support sending the calling station ID in the RADIUS header, then MAC-based authentication cannot be implemented. If FortiGate is used as a RADIUS client, then this option is not available for 802.1x authentication.

Related document: config user radius
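To audit MAC-filter decisions across many requests, the radiusd debug lines can be grouped by the request number in parentheses. The following is an added example, not Fortinet code: the sample lines are copied from the debug output on this page, and the function names `summarize` and `mac_denials` are hypothetical.

```python
import re
from collections import defaultdict

# Sample lines copied from the FortiAuthenticator debug output on this page.
SAMPLE = '''\
2025-04-29T07:04:43.295717-07:00 FortiAuthenticator radiusd[1770]: (8) User-Name = "wilber"
2025-04-29T07:04:43.295794-07:00 FortiAuthenticator radiusd[1770]: (8) Called-Station-Id = "00-62-6F-73-55-01"
2025-04-29T07:04:43.295805-07:00 FortiAuthenticator radiusd[1770]: (8) Calling-Station-Id = "00-78-65-6E-73-01"
2025-04-29T07:04:43.301658-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Pass MAC filtering with group_id=3.
2025-04-29T07:04:43.309677-07:00 FortiAuthenticator radiusd[1770]: (8) Sent Access-Accept Id 138 from 10.38.9.45:1812 to 10.38.9.85:1551 length 52
2025-04-29T07:07:12.494630-07:00 FortiAuthenticator radiusd[1770]: (11) User-Name = "wilber"
2025-04-29T07:07:12.494719-07:00 FortiAuthenticator radiusd[1770]: (11) Calling-Station-Id = "00-78-65-6E-73-01"
2025-04-29T07:07:12.500082-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: Failed MAC filtering, deny access
2025-04-29T07:07:12.828721-07:00 FortiAuthenticator radiusd[1770]: Waking up in 0.6 seconds.
2025-04-29T07:07:13.504763-07:00 FortiAuthenticator radiusd[1770]: (11) Sent Access-Reject Id 141 from 10.38.9.45:1812 to 10.38.9.85:10394 length 38
'''

LINE = re.compile(r'radiusd\[\d+\]: \((\d+)\)\s+(.*)$')           # "(N) rest of line"
ATTR = re.compile(r'^(User-Name|Calling-Station-Id) = "([^"]*)"')  # request attributes
REPLY = re.compile(r'^Sent (Access-Accept|Access-Reject) Id \d+')  # final reply

def summarize(log_text):
    """Return {request_number: {user, mac, mac_filter, reply}} for a debug log."""
    reqs = defaultdict(lambda: {"user": None, "mac": None,
                                "mac_filter": None, "reply": None})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # no request number, e.g. "Waking up in ..." lines
        req, body = reqs[int(m.group(1))], m.group(2)
        if (a := ATTR.match(body)):
            req["user" if a.group(1) == "User-Name" else "mac"] = a.group(2)
        elif "facauth: Pass MAC filtering" in body:
            req["mac_filter"] = "pass"
        elif "facauth: Failed MAC filtering" in body:
            req["mac_filter"] = "fail"
        elif (r := REPLY.match(body)):
            req["reply"] = r.group(1)
    return dict(reqs)

def mac_denials(log_text):
    """List (request_number, user, calling_station_id) rejected by MAC filtering."""
    return [(n, r["user"], r["mac"])
            for n, r in sorted(summarize(log_text).items())
            if r["mac_filter"] == "fail"]

if __name__ == "__main__":
    for denial in mac_denials(SAMPLE):
        print(denial)
```

A request that shows a `Calling-Station-Id` but no MAC-filter verdict in the summary is worth checking against the RADIUS policy, since it means the device authorization step did not log a decision for it.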