FortiAuthenticator provides access management and single sign on.
Description: This article describes how to use FortiAuthenticator as a RADIUS server for MAC-based authentication.
Scope: FortiAuthenticator, FortiGate.

Specific remote wireless users can authenticate with the MAC address of their device (mobile phone, PC, tablet, etc.).


Step 1. Configuration on FortiGate. 


Configure FortiAuthenticator as a RADIUS server on FortiGate: User & Authentication -> Radius Server -> Create New. After creation, select Test Connectivity.



To configure a test SSID on FortiGate, go to Wireless & Switch Controller -> SSID -> Create New. Then specify the Name, the Security Mode, and the Pre-shared Key. Enable MAC Address Filtering and select FAC as the RADIUS server.




It is assumed that a policy has already been created to allow access between FortiAuthenticator and FortiGate.


Step 2. Configuration on FortiAuthenticator.


Create some test MAC addresses on FortiAuthenticator: Authentication -> User Management -> MAC Devices -> Create New, and specify the MAC addresses of the devices.




Create a new user group on FortiAuthenticator: User Management -> User Group -> Create New -> select the option MAC and move all MAC addresses to the right side.




Add FortiGate as a client on FortiAuthenticator: Authentication -> Radius Service -> Clients -> Create New.




Create a new RADIUS policy for MAC authentication: Authentication -> Radius Service -> Policies -> Create New.


Specify a Policy Name, select FortiGate, leave Radius Attribute Criteria empty, and for Authentication Type select MAC Authentication Bypass (MAB).


For Identity Source, select the Authorized Groups created before. On Radius Response, do not change anything. Select Update and exit.




Test by connecting to the SSID. It should then be possible to authenticate successfully, which can be verified in the Radius Debug Logs.


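The following is an added example, not part of the original article or of Fortinet's tooling: a pre-check for the device list before it is entered under MAC Devices in Step 2. Phones and tablets often present a randomized, locally administered MAC per SSID, which will not match a registered hardware address. The sample inventory and the lower-case colon-separated comparison form are constructed assumptions.

```python
import re

# Constructed sample inventory (not from the article); formats vary on purpose.
SAMPLE_INVENTORY = [
    "00:1A:2B:3C:4D:5E",   # colon-separated, upper case
    "001a.2b3c.4d5e",      # dotted form of the same address (duplicate)
    "3C-5A-B4-01-02-03",   # hyphen-separated
    "da:a1:19:00:11:22",   # locally administered bit set (typical randomized MAC)
    "01:00:5e:00:00:fb",   # multicast bit set, never a station address
    "00:1A:2B:3C:4D",      # too short
]

def normalize_mac(raw):
    """Return the MAC as lower-case colon-separated hex, or None if malformed."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac):
    """Inspect the two low-order bits of the first octet (IEEE 802 addressing)."""
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:
        return "multicast"
    if first_octet & 0x02:
        return "locally-administered"
    return "ok"

def check_inventory(entries):
    """Sort raw entries into buckets so problems surface before registration."""
    report = {"ok": [], "duplicate": [], "locally-administered": [],
              "multicast": [], "invalid": []}
    seen = set()
    for raw in entries:
        mac = normalize_mac(raw)
        if mac is None:
            report["invalid"].append(raw)
        elif mac in seen:
            report["duplicate"].append(mac)
        else:
            seen.add(mac)
            report[classify(mac)].append(mac)
    return report

if __name__ == "__main__":
    for status, items in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:22} {items}")
```

A device reported as locally-administered should be checked on the device itself (private or random Wi-Fi address setting for the test SSID) before its MAC is registered.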