Technical Tip: External Captive Portal with MAB using Cisco ISE is not supported with FortiEdge Cloud

External Captive Portal authentication workflows that rely on MAC Authentication Bypass (MAB) with Cisco ISE are not supported when FortiAP devices are managed through FortiEdge Cloud.

Technical Reason:

Cisco ISE deployments that use MAC Authentication Bypass (MAB) require the Network Access Device (NAD) to generate a RADIUS authentication request using the client MAC address as the authentication credential.

In External Captive Portal architectures integrated with Cisco ISE, the NAD must be able to:

• Perform MAC-based authentication (MAB).

• Send RADIUS authentication requests using the client MAC address.

• Maintain the authentication session required for policy enforcement.

When FortiAP devices are managed through FortiEdge Cloud, the platform does not support MAC-based authentication for External Captive Portal workflows.

Because of this limitation, the External Captive Portal + MAB authentication flow expected by Cisco ISE cannot be implemented in a FortiEdge Cloud-managed deployment.

Recommendation:

If Cisco ISE integration requires External Captive Portal authentication using MAB, a controller-based architecture should be used instead, such as:

FortiGate is acting as a wireless controller with RADIUS integration to Cisco ISE.