Cybersecurity Forum

Luiz_Alberto_Camilo
New Contributor III

FAC and FGT MAC Address bypass

Hello there, 

I have a FortiGate with RADIUS authentication pointing to FAC and an internal workstation.
When the workstation tries to browse to any website, it hits a firewall rule that triggers authentication and pops up an authentication page. If I type a username and password, it works just fine, proving that the integration between FAC and FGT is set up correctly.

I want to use the FAC MAC Auth Bypass list, where I create an entry with a MAC address and a text string. Inside the RADIUS client configuration, I check the "Allow MAC-based Authentication" box and leave the "Require Call-check" box unchecked.

Again, when I try to browse to some site from my workstation, the authentication login pops up when I expect it to be bypassed. As far as I have investigated, the attempt to browse to the site just triggers the local authentication on the FortiGate, and the FortiGate does not forward a RADIUS auth request to FAC at this point.

How can I use FAC as the RADIUS server and use the MAC address bypass to centrally manage bypassed devices on several FortiGates? I cannot control it from each FortiGate... Any tips?

Thank you ! 

Luiz Alberto Camilo
Solutions Architect

Luiz Alberto Camilo NCT São Paulo www.nct.com.br NSE-5 Expert
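The RADIUS exchange behind the two FAC options named above (MAC-based authentication and "Require Call-check"), as an added example that is not part of the original post and is not Fortinet code: a NAS builds a MAC-auth-bypass Access-Request (RFC 2865, with the MAC as User-Name and User-Password and Service-Type = Call-Check), and a toy server-side check decides it against a bypass list. The shared secret, NAS address and bypass list are constructed here, and the server logic only models the FAC options in outline, not FAC's own implementation.

```python
"""Constructed RADIUS MAC-auth-bypass (MAB) exchange in the style of RFC 2865.

Assumed for the example (not from the post): shared secret, NAS IP and
bypass list are made up; the server-side check is a toy model of the
FAC options, not FortiAuthenticator's actual code.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_SERVICE_TYPE = 6
ATTR_CALLING_STATION_ID = 31
SERVICE_TYPE_CALL_CHECK = 10  # Service-Type value that MAB requests carry


def _pad16(data: bytes) -> bytes:
    # User-Password is NUL-padded to a multiple of 16 octets (minimum 16).
    pad = (-len(data)) % 16 or (16 if not data else 0)
    return data + b"\x00" * pad


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block),
    # seeded with the Request Authenticator.
    out, prev = b"", authenticator
    padded = _pad16(password)
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decrypt_user_password(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = encrypted[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mab_access_request(mac: str, secret: bytes, identifier: int, nas_ip: str,
                             call_check: bool = True) -> bytes:
    """Access-Request a NAS sends for a device that cannot do 802.1X."""
    authenticator = os.urandom(16)
    attrs = (
        _attr(ATTR_USER_NAME, mac.encode())
        + _attr(ATTR_USER_PASSWORD, encrypt_user_password(mac.encode(), secret, authenticator))
        + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + _attr(ATTR_CALLING_STATION_ID, mac.encode())
    )
    if call_check:
        attrs += _attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_radius_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, data[4:20], attrs


def normalize_mac(mac: str) -> str:
    return mac.replace(":", "").replace("-", "").lower()


def evaluate_mab_request(packet: bytes, secret: bytes, bypass_list: dict,
                         require_call_check: bool = False):
    """Toy server-side decision modelled on the FAC options (assumption, not FAC code)."""
    code, _ident, authenticator, attrs = parse_radius_packet(packet)
    if code != ACCESS_REQUEST:
        return "Access-Reject", "not an Access-Request"
    a = dict(attrs)
    username = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
    service_type = None
    if len(a.get(ATTR_SERVICE_TYPE, b"")) == 4:
        service_type = struct.unpack("!I", a[ATTR_SERVICE_TYPE])[0]
    if require_call_check and service_type != SERVICE_TYPE_CALL_CHECK:
        return "Access-Reject", "Require Call-check is set and Service-Type is not Call-Check"
    # A MAB request carries the MAC as both User-Name and User-Password.
    if ATTR_USER_PASSWORD not in a or \
            decrypt_user_password(a[ATTR_USER_PASSWORD], secret, authenticator) != username.encode():
        return "Access-Reject", "User-Password does not match the MAC in User-Name"
    entries = {normalize_mac(m): desc for m, desc in bypass_list.items()}
    desc = entries.get(normalize_mac(username))
    if desc is None:
        return "Access-Reject", "MAC not in the MAC auth bypass list"
    return "Access-Accept", desc
```

The point of the model is the one the post runs into: the bypass list only matters once a RADIUS Access-Request for the MAC actually reaches the server, and "Require Call-check" additionally rejects requests that do not carry Service-Type = Call-Check, which a plain username/password request from a captive portal never does.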
JameAlle
Staff

Luiz,

This may be a topic that can better be addressed in our technical support forum. MAC address bypass is used as a way of allowing devices unable to authenticate via 802.1x. Did you configure the port for .1x authentication? A typical config could look something like this:

    config system interface
        edit "lan"
            set ip 10.0.0.200 255.255.255.0
            set security-mode 802.1X
            set security-mac-auth-bypass enable
            set security-groups "Radius-group"
        next
    end

If you did configure the port for .1x and you are still seeing the problem then reach out to technical support for assistance.

Hope this helps.

James Allen Director of Product and Solutions, LAN Edge
Luiz_Alberto_Camilo

I see, thank you James.

As I'm using a FortiGate, there's no config like this.
The one you mentioned is used on switches...

This behaviour looks more like a design decision than a functionality issue...
I'll dig deeper into the FortiGate configuration options, and also post a message to the Support forum.

Thank you very much ! 

Luiz Alberto Camilo
Solutions Architect

Luiz Alberto Camilo NCT São Paulo www.nct.com.br NSE-5 Expert