FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Sx11 (Staff)
Article Id 212588

Description

This article describes the FortiAuthenticator MAC Address Bypass (MAB) implementation.

MAC Address Bypass (MAB) offers network access control for endpoints/hosts that do not support IEEE 802.1X.

This is the case for devices such as printers, cameras, IP phones and other IoT devices. These devices are considered 'headless', meaning there is no user associated with them. Where 802.1X fails, MAB can be enabled on the switches as a fallback.

MAB requires extra configuration steps on the third-party switch (the Authenticator/RADIUS client), which forwards access-requests to FortiAuthenticator (the authentication server). This is out of the scope of this KB, since each vendor has its own documentation for MAB.

 

For FortiSwitch MAB configuration, see the Fortinet documentation:

https://docs.fortinet.com/document/fortiswitch/7.2.0/administration-guide/110307/mac-authentication-...

 

Scope

FortiAuthenticator

MAB

Solution

The implementation of MAB in FortiAuthenticator consists of importing the MAC addresses of the devices and creating groups for the different device types and VLANs.

As an example, two groups (Printers and Access Points) will be created and authorized in the RADIUS policies.

Finally, the RADIUS client (a FortiGate) will be configured to forward the authentication requests to FortiAuthenticator (the authentication server).

1) Import the MAC devices in User Management -> MAC Devices.

Devices can be imported manually or through a CSV file.

Two fields must be defined: Name and MAC Address.
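As an added example (not part of the original article and not Fortinet's own tooling), the following Python script checks a MAC device CSV before it is imported: it requires the two fields the article names, normalizes every MAC address to one canonical form, and rejects rows with malformed, multicast/broadcast or duplicate addresses, so that a typo does not silently leave a device unauthorized or attach a wrong address to a group. The column titles 'Name' and 'MAC Address' and the sample rows are constructed for this example; confirm the exact header names against the import template FortiAuthenticator provides.

```python
import csv
import io
import re

# Column titles assumed from the two fields the article lists; verify them
# against the product's own CSV import template.
REQUIRED_FIELDS = ("Name", "MAC Address")


def normalize_mac(raw):
    """Return the MAC as aa:bb:cc:dd:ee:ff, or None if it is not 12 hex digits.

    Accepts the usual written forms: colon, dash, Cisco dotted or bare hex.
    """
    hexdigits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def validate_mac_device_csv(text):
    """Parse a Name/MAC Address CSV and split it into importable rows and errors.

    Returns (good_rows, errors); errors are (csv_line_number, reason) tuples.
    """
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in REQUIRED_FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"CSV is missing required column(s): {missing}")

    good, errors, seen = [], [], {}
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        name = (row.get("Name") or "").strip()
        raw_mac = row.get("MAC Address") or ""
        mac = normalize_mac(raw_mac)
        if not name:
            errors.append((lineno, "empty Name"))
        elif mac is None:
            errors.append((lineno, f"invalid MAC {raw_mac!r}"))
        elif int(mac[:2], 16) & 1:
            # Group bit set: multicast/broadcast, never a real endpoint source MAC
            errors.append((lineno, f"{mac} is a multicast/broadcast address"))
        elif mac in seen:
            errors.append((lineno, f"{mac} duplicates line {seen[mac]}"))
        else:
            seen[mac] = lineno
            good.append({"Name": name, "MAC Address": mac})
    return good, errors


def write_mac_device_csv(rows):
    """Serialize validated rows back to CSV with the required header."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=REQUIRED_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample input: mixed MAC notations plus three deliberately bad rows.
SAMPLE_CSV = """Name,MAC Address
printer-floor1,00:11:22:AA:BB:CC
printer-floor2,0011.22aa.bbcd
fortiap-lobby,00-11-22-aa-bb-ce
bad-entry,00:11:22:AA:BB
printer-dup,00:11:22:aa:bb:cc
bcast,ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    rows, problems = validate_mac_device_csv(SAMPLE_CSV)
    print(write_mac_device_csv(rows))
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
```

Run the cleaned output through the import only once the error list is empty; the duplicate check matters because a second copy of an address would otherwise land in whichever group is processed last.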

 

[Image: Sx11_0-1652963670731.png]

2) Create a group for Printers and add the required MAC addresses.

[Image: Sx11_1-1652963726647.png]

Expand the RADIUS Attributes field and add the VLAN attributes needed to match these printers.

The RADIUS user attributes used for VLAN ID assignment are:

  • Tunnel Type: set this value to 'VLAN'.
  • Tunnel Medium Type: set this value to '802'.
  • Tunnel Private Group ID: set this to the VLAN access value. In this example, the printers are in VLAN 100.
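The three attributes above are the tagged tunnel attributes defined in RFC 2868: Tunnel-Type (attribute 64, value 13 = VLAN), Tunnel-Medium-Type (attribute 65, value 6 = IEEE-802) and Tunnel-Private-Group-ID (attribute 81, a string carrying the VLAN ID). The following Python snippet is added here as an example and is not FortiAuthenticator code: it encodes that trio for VLAN 100 exactly as it is laid out on the wire in an Access-Accept, parses an attribute list back, and reports the assigned VLAN only when all three attributes with the same tag agree. It is handy for confirming, from a packet capture of the RADIUS reply, that the group's attributes really reach the switch. All function names and the sample bytes are this example's own.

```python
import struct

# RADIUS attribute type numbers (RFC 2868, tagged tunnel attributes)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

# Enumerated values used for VLAN assignment
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802


def _tagged_int(attr_type, tag, value):
    """type(1) length(1) tag(1) value(3): the tagged-integer layout of RFC 2868."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr_type, tag, text):
    """type(1) length(1) tag(1) string: the tagged-string layout of RFC 2868."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def build_vlan_attributes(vlan_id, tag=0):
    """Encode the three attributes that place the port in the given VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attributes(blob):
    """Walk a RADIUS attribute list; return [(type, tag, value), ...].

    Non-tunnel attributes are returned with tag None and their raw bytes.
    """
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        body = blob[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte above 0x1F is part of the string, not a tag (RFC 2868 3.6)
            if body and body[0] <= 0x1F:
                tag, value = body[0], body[1:].decode("ascii")
            else:
                tag, value = 0, body.decode("ascii")
        else:
            tag, value = None, bytes(body)
        out.append((attr_type, tag, value))
        i += length
    return out


def assigned_vlan(blob):
    """Return the VLAN an Access-Accept assigns, or None if the trio is incomplete.

    Attributes are grouped by tag, so a mismatched or missing member (for
    instance Tunnel-Medium-Type absent) yields None instead of a guess.
    """
    by_tag = {}
    for attr_type, tag, value in parse_attributes(blob):
        if tag is not None:
            by_tag.setdefault(tag, {})[attr_type] = value
    for attrs in by_tag.values():
        group_id = attrs.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and group_id.isdigit()):
            return int(group_id)
    return None


if __name__ == "__main__":
    accept = build_vlan_attributes(100)   # the printers' VLAN from the article
    print(accept.hex(" "))
    print("assigned VLAN:", assigned_vlan(accept))
```

The wire bytes for VLAN 100 are `40 06 00 00 00 0d 41 06 00 00 00 06 51 06 00 31 30 30`; comparing that against the attribute section of the captured Access-Accept is the quickest way to tell a FortiAuthenticator group-attribute mistake from a switch-side VLAN problem.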

[Image: Sx11_2-1652963865948.png]

*** Repeat the same steps for another group, named 'MAP FortiAP', of which the access points will be part. Assign a different VLAN access value to this group in the RADIUS Attributes.

 

3) Add the third-party switch as a RADIUS client.

In this case, add a FortiGate.

The secret entered here must match the one configured on the FortiGate side. Verify that a connectivity test gives a successful outcome.

[Image: Sx11_3-1652964065995.png]

 

4) Configure the RADIUS policy for MAB.

a) Specify the name and client list.

[Image: Sx11_4-1652964118455.png]

b) (Optional) Specify attribute criteria to be matched in the access-request.

[Image: Sx11_5-1652964146645.png]

c) Select MAB as the authentication type.

[Image: Sx11_6-1652964203838.png]

d) Authorize the MAB groups created before.

[Image: Sx11_7-1652964254607.png]

e) Configure the RADIUS response for unauthorized devices.

[Image: Sx11_8-1652964265031.png]

 

For debugging and troubleshooting, check the following articles:

https://community.fortinet.com/t5/FortiAuthenticator/Troubleshooting-Tip-How-to-debug-FortiAuthentic...

https://community.fortinet.com/t5/FortiAuthenticator/Troubleshooting-Tip-How-to-work-with-FortiAuthe...