Sending RADIUS success for unauthorized MAC
Hello,
I need to achieve the below scenario using FortiAuthenticator.
SSID with self-registration captive portal; users register their devices.
After device registration, users should not log in using their credentials; they should be automatically authorized by their MAC (previously registered).
To achieve this, I have configured the following:
1- SSID with MAC filtering and automatic VLAN assignment.
2- RADIUS policy on FAC for MAC authorization.
3- Authorized MACs should be granted access to the network (succeeded).
4- Unauthorized MACs: send Access-Accept with the known three attributes to assign the host to a specific VLAN (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=VLAN ID (171)). This is configured in the authentication policy, which gives the option to set "RADIUS authentication response" to Access-Accept for unauthorized MACs and to configure the attributes to be sent.
5- On the FortiGate I have configured a sub-interface of the SSID (vlan-171), with an external captive portal directed to FAC.
In the self-registration portal, I enabled device tracking so that users can register their devices. I have configured it to place the registered devices in a user group (which is used as the authorized group in the authentication policy).
Results:
When a user connects for the first time nothing happens. I see from a packet capture that the RADIUS request is sent to FAC; in the FAC debugs I see that the MAC is unauthorized, but the Access-Accept is not sent as I need.
Another approach:
Configure the SSID with an external captive portal.
The portal has self-registration enabled.
In the portal policy I select MAC authorization.
Results:
Authorized MACs are successfully logged in to the network.
Unauthorized MACs are presented a replacement message that their MAC is not authorized, but are not presented with the option to go to the self-registration page. :(
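As an added example (not from the original post, and not FortiAuthenticator or FortiGate code), a small Python check for the reply expected in step 4 above: it decodes a RADIUS packet, verifies the Response Authenticator against the shared secret, and reports which VLAN the three tunnel attributes assign, so a capture of the FAC reply can be checked for whether it really is an Access-Accept carrying VLAN 171. The shared secret, request authenticator and sample packet are constructed placeholders.

```python
import hashlib
# RFC 2865 / RFC 2868 constants
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

def parse_attrs(attrs):
    """Yield (type, value) pairs from the attribute area of a RADIUS packet."""
    i = 0
    while i < len(attrs):
        length = attrs[i + 1] if i + 1 < len(attrs) else 0
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        yield attrs[i], attrs[i + 2:i + length]
        i += length

def verify_response(packet, request_authenticator, secret):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    digest = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return digest == packet[4:20]

def vlan_from_accept(packet):
    """Return the VLAN an Access-Accept assigns through the tunnel attributes, else None."""
    code, length = packet[0], int.from_bytes(packet[2:4], "big")
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        return None
    found = {}
    for attr_type, value in parse_attrs(packet[20:]):
        # Strip the RFC 2868 tag byte (0x00-0x1F) that may prefix tunnel attribute values.
        value = value[1:] if value and value[0] <= 0x1F else value
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[attr_type] = int.from_bytes(value, "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            found[attr_type] = value.decode("ascii")
    if found.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and found.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802:
        return found.get(TUNNEL_PRIVATE_GROUP_ID)
    return None

def build_accept(ident, request_authenticator, secret, vlan_id, tag=1):
    """Constructed Access-Accept carrying the three VLAN attributes (sample data, not a capture)."""
    vid = vlan_id.encode("ascii")
    attrs = (bytes([TUNNEL_TYPE, 6, tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
             + bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
             + bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(vid), tag]) + vid)
    header = bytes([ACCESS_ACCEPT, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

# Constructed values: the shared secret and request authenticator are placeholders.
SECRET, REQUEST_AUTH = b"example-shared-secret", bytes(range(16))
SAMPLE_ACCEPT = build_accept(7, REQUEST_AUTH, SECRET, "171")
```

Feed the raw UDP payload of the captured reply to `vlan_from_accept`, and the captured Access-Request's authenticator plus the shared secret to `verify_response`, to confirm the reply is both genuine and carrying the expected VLAN.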
