FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
js2
Staff
Article Id 389823
Description: This article describes how to bind a MAC address to a RADIUS policy in FortiAuthenticator, so that a user is only accepted when the authentication request comes from an authorized device.
Scope: FortiAuthenticator.
Solution

Step 1: Configure the MAC device by entering its MAC address and defining the username it is bound to.

[Screenshot: MAC device.PNG]

Step 2: Create a group for the MAC device. Make sure to select the MAC type when creating the group.

[Screenshot: group mapping.PNG]

Step 3: Configure the RADIUS policy. Under device authorization, enable verification of the MAC address in authentication requests and reference the authorized group created in Step 2.

[Screenshot: authorized group.PNG]

In this example, FortiAuthenticator is integrated with FortiGate, and a user-based policy on the FortiGate is configured with the RADIUS group.

Verification:

RADIUS debug output from FortiAuthenticator:

Case 1: user wilber in Group2 with MAC device New1 (MAC filtering passes and an Access-Accept is returned):


2025-04-29T07:04:43.295662-07:00 FortiAuthenticator radiusd[1770]: (8) Received Access-Request Id 138 from 10.38.9.85:1551 to 10.38.9.45:1812 length 173
2025-04-29T07:04:43.295700-07:00 FortiAuthenticator radiusd[1770]: (8) User-Password = <<< secret >>>
2025-04-29T07:04:43.295717-07:00 FortiAuthenticator radiusd[1770]: (8) User-Name = "wilber"
2025-04-29T07:04:43.295729-07:00 FortiAuthenticator radiusd[1770]: (8) NAS-Identifier = "boson-kvm85"
2025-04-29T07:04:43.295754-07:00 FortiAuthenticator radiusd[1770]: (8) Framed-IP-Address = 10.38.0.3
2025-04-29T07:04:43.295769-07:00 FortiAuthenticator radiusd[1770]: (8) NAS-Port = 1
2025-04-29T07:04:43.295782-07:00 FortiAuthenticator radiusd[1770]: (8) NAS-Port-Type = Virtual
2025-04-29T07:04:43.295794-07:00 FortiAuthenticator radiusd[1770]: (8) Called-Station-Id = "00-62-6F-73-55-01"
2025-04-29T07:04:43.295805-07:00 FortiAuthenticator radiusd[1770]: (8) Calling-Station-Id = "00-78-65-6E-73-01"
2025-04-29T07:04:43.295816-07:00 FortiAuthenticator radiusd[1770]: (8) Acct-Session-Id = "000007ef0db6f003"
2025-04-29T07:04:43.295827-07:00 FortiAuthenticator radiusd[1770]: (8) Connect-Info = "web-auth"
2025-04-29T07:04:43.296082-07:00 FortiAuthenticator radiusd[1770]: (8) Fortinet-Vdom-Name = "root"
2025-04-29T07:04:43.296109-07:00 FortiAuthenticator radiusd[1770]: (8) Message-Authenticator = 0xaafa48bb32be5a155263e75517cb21d4
2025-04-29T07:04:43.296129-07:00 FortiAuthenticator radiusd[1770]: (8) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2025-04-29T07:04:43.296238-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: ===>NAS IP:10.38.9.85
2025-04-29T07:04:43.296250-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: ===>Username:wilber
2025-04-29T07:04:43.296268-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: ===>Timestamp:1745935483.294844, age:1ms
2025-04-29T07:04:43.297259-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Found authclient from preloaded authclients list for 10.38.9.85: Fortigate (10.38.9.85)
2025-04-29T07:04:43.299725-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Found authpolicy 'Policy2' for client '10.38.9.85'
2025-04-29T07:04:43.301658-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Pass MAC filtering with group_id=3.
2025-04-29T07:04:43.301682-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Setting 'Auth-Type := FACAUTH'
2025-04-29T07:04:43.301709-07:00 FortiAuthenticator radiusd[1770]: Not doing PAP as Auth-Type is already set.
2025-04-29T07:04:43.301732-07:00 FortiAuthenticator radiusd[1770]: (8) # Executing group from file /usr/etc/raddb/sites-enabled/default
2025-04-29T07:04:43.301779-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Client type: external (subtype: radius)
2025-04-29T07:04:43.301792-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Input raw_username: wilber Realm: (null) username: wilber
2025-04-29T07:04:43.301803-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Searching default realm as well
2025-04-29T07:04:43.301823-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Realm not specified, default goes to FAC local user
2025-04-29T07:04:43.304869-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Local user found: wilber
2025-04-29T07:04:43.304893-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2025-04-29T07:04:43.304909-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Policy [fido_auth_opt: disabled, twofactor: password only, no_fido: two factor, revoked: reject]
2025-04-29T07:04:43.304924-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Decided on [is_fido: false, two_factor: password only, token_type: none]
2025-04-29T07:04:43.307837-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Authentication OK
2025-04-29T07:04:43.307855-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Setting 'Post-Auth-Type := FACAUTH'
2025-04-29T07:04:43.309228-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Add Static Radius attribute: attr_id:809762817 (attr 1, vendor 12356) attr_val:'Group2'
2025-04-29T07:04:43.309539-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: update_fac_authlog:164 nas_str = 10.38.9.85~10.38.0.3.
2025-04-29T07:04:43.309596-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Updated auth log 'wilber' for attempt from 10.38.9.85~10.38.0.3: Local user authentication from 10.38.0.3 with no token successful
2025-04-29T07:04:43.309629-07:00 FortiAuthenticator radiusd[1770]: (8) # Executing group from file /usr/etc/raddb/sites-enabled/default
2025-04-29T07:04:43.309677-07:00 FortiAuthenticator radiusd[1770]: (8) Sent Access-Accept Id 138 from 10.38.9.45:1812 to 10.38.9.85:1551 length 52
2025-04-29T07:04:43.309685-07:00 FortiAuthenticator radiusd[1770]: (8) Message-Authenticator := 0x00
2025-04-29T07:04:43.309692-07:00 FortiAuthenticator radiusd[1770]: (8) Fortinet-Group-Name += "Group2"
2025-04-29T07:04:43.632607-07:00 FortiAuthenticator radiusd[1770]: Waking up in 29.6 seconds.

[Screenshot: firewall user monitor.PNG]

Case 2: user wilber in Group2 with MAC device New2 (MAC filtering fails and an Access-Reject is returned):


2025-04-29T07:07:12.494574-07:00 FortiAuthenticator radiusd[1770]: (11) Received Access-Request Id 141 from 10.38.9.85:10394 to 10.38.9.45:1812 length 174
2025-04-29T07:07:12.494616-07:00 FortiAuthenticator radiusd[1770]: (11) CHAP-Password = 0x4651a77eda8b6d6aabcffc0e24d056ee46
2025-04-29T07:07:12.494630-07:00 FortiAuthenticator radiusd[1770]: (11) User-Name = "wilber"
2025-04-29T07:07:12.494642-07:00 FortiAuthenticator radiusd[1770]: (11) NAS-Identifier = "boson-kvm85"
2025-04-29T07:07:12.494666-07:00 FortiAuthenticator radiusd[1770]: (11) Framed-IP-Address = 10.38.0.3
2025-04-29T07:07:12.494682-07:00 FortiAuthenticator radiusd[1770]: (11) NAS-Port = 1
2025-04-29T07:07:12.494695-07:00 FortiAuthenticator radiusd[1770]: (11) NAS-Port-Type = Virtual
2025-04-29T07:07:12.494707-07:00 FortiAuthenticator radiusd[1770]: (11) Called-Station-Id = "00-62-6F-73-55-01"
2025-04-29T07:07:12.494719-07:00 FortiAuthenticator radiusd[1770]: (11) Calling-Station-Id = "00-78-65-6E-73-01"
2025-04-29T07:07:12.494731-07:00 FortiAuthenticator radiusd[1770]: (11) Acct-Session-Id = "000007ef0db6f004"
2025-04-29T07:07:12.494742-07:00 FortiAuthenticator radiusd[1770]: (11) Connect-Info = "web-auth"
2025-04-29T07:07:12.494753-07:00 FortiAuthenticator radiusd[1770]: (11) Fortinet-Vdom-Name = "root"
2025-04-29T07:07:12.494765-07:00 FortiAuthenticator radiusd[1770]: (11) Message-Authenticator = 0xc060fd64abb96a002603acf449dc5029
2025-04-29T07:07:12.494786-07:00 FortiAuthenticator radiusd[1770]: (11) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
2025-04-29T07:07:12.494857-07:00 FortiAuthenticator radiusd[1770]: (11) chap: &control:Auth-Type := CHAP
2025-04-29T07:07:12.494948-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: ===>NAS IP:10.38.9.85
2025-04-29T07:07:12.494961-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: ===>Username:wilber
2025-04-29T07:07:12.494979-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: ===>Timestamp:1745935632.493989, age:0ms
2025-04-29T07:07:12.495739-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: Found authclient from preloaded authclients list for 10.38.9.85: Fortigate (10.38.9.85)
2025-04-29T07:07:12.498263-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: Found authpolicy 'Policy2' for client '10.38.9.85'
2025-04-29T07:07:12.500082-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: Failed MAC filtering, deny access
2025-04-29T07:07:12.500208-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: Updated auth log 'wilber' for attempt from 10.38.9.85: MAC-filtering failed for device '00-78-65-6E-73-01': MAC address not filtered by NAS groups
2025-04-29T07:07:12.500255-07:00 FortiAuthenticator radiusd[1770]: (11) # Executing group from file /usr/etc/raddb/sites-enabled/default
2025-04-29T07:07:12.828721-07:00 FortiAuthenticator radiusd[1770]: Waking up in 0.6 seconds.
2025-04-29T07:07:13.504763-07:00 FortiAuthenticator radiusd[1770]: (11) Sent Access-Reject Id 141 from 10.38.9.45:1812 to 10.38.9.85:10394 length 38
2025-04-29T07:07:13.504812-07:00 FortiAuthenticator radiusd[1770]: (11) Message-Authenticator := 0x00
2025-04-29T07:07:13.504906-07:00 FortiAuthenticator radiusd[1770]: Waking up in 26.9 seconds.
2025-04-29T07:07:40.504739-07:00 FortiAuthenticator radiusd[1770]: Waking up in 0.9 seconds.
2025-04-29T07:07:41.492608-07:00 FortiAuthenticator radiusd[1770]: Waking up in 1.0 seconds.

[Screenshot: auth failed fortigate.PNG]

[Screenshot: mac auth failure.PNG]
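The two debug traces above can be reduced to a per-request verdict automatically, which is what you want when reviewing many authentications rather than two. The following Python script is an added example and is not part of the original article or of any Fortinet tool: it groups radiusd lines by their request number, extracts User-Name, Calling-Station-Id, the facauth MAC-filtering verdict and the final Access-Accept or Access-Reject, and lists the MAC-filtering denials a defender would alert on. The embedded log excerpt is a constructed condensation of the lines shown above (not a verbatim capture), the line format assumed is the one visible in those traces, and the function names are the example's own.

```python
import re

# Constructed sample input: a condensed excerpt in the shape of the
# FortiAuthenticator radiusd debug traces above (request (8) accepted,
# request (11) rejected). It is not a verbatim capture.
SAMPLE_LOG = """\
2025-04-29T07:04:43.295662-07:00 FortiAuthenticator radiusd[1770]: (8) Received Access-Request Id 138 from 10.38.9.85:1551 to 10.38.9.45:1812 length 173
2025-04-29T07:04:43.295717-07:00 FortiAuthenticator radiusd[1770]: (8) User-Name = "wilber"
2025-04-29T07:04:43.295805-07:00 FortiAuthenticator radiusd[1770]: (8) Calling-Station-Id = "00-78-65-6E-73-01"
2025-04-29T07:04:43.301658-07:00 FortiAuthenticator radiusd[1770]: (8) facauth: Pass MAC filtering with group_id=3.
2025-04-29T07:04:43.309677-07:00 FortiAuthenticator radiusd[1770]: (8) Sent Access-Accept Id 138 from 10.38.9.45:1812 to 10.38.9.85:1551 length 52
2025-04-29T07:04:43.309692-07:00 FortiAuthenticator radiusd[1770]: (8) Fortinet-Group-Name += "Group2"
2025-04-29T07:07:12.494574-07:00 FortiAuthenticator radiusd[1770]: (11) Received Access-Request Id 141 from 10.38.9.85:10394 to 10.38.9.45:1812 length 174
2025-04-29T07:07:12.494630-07:00 FortiAuthenticator radiusd[1770]: (11) User-Name = "wilber"
2025-04-29T07:07:12.494719-07:00 FortiAuthenticator radiusd[1770]: (11) Calling-Station-Id = "00-78-65-6E-73-01"
2025-04-29T07:07:12.500082-07:00 FortiAuthenticator radiusd[1770]: (11) facauth: Failed MAC filtering, deny access
2025-04-29T07:07:13.504763-07:00 FortiAuthenticator radiusd[1770]: (11) Sent Access-Reject Id 141 from 10.38.9.45:1812 to 10.38.9.85:10394 length 38
2025-04-29T07:07:13.504906-07:00 FortiAuthenticator radiusd[1770]: Waking up in 26.9 seconds.
"""

# Line shape assumed from the traces above: "<ts> <host> radiusd[<pid>]: (<req>) <msg>".
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ radiusd\[\d+\]: \((?P<req>\d+)\) (?P<msg>.*)$")
ATTR_RE = re.compile(r'^(?P<name>[A-Za-z-]+) (?:=|\+=|:=) "?(?P<val>[^"]*)"?$')
RECV_RE = re.compile(r"^Received Access-Request Id (?P<id>\d+) from (?P<nas>[\d.]+):\d+ ")
SENT_RE = re.compile(r"^Sent (?P<result>Access-(?:Accept|Reject|Challenge)) Id \d+ ")
PASS_RE = re.compile(r"^facauth: Pass MAC filtering with group_id=(?P<gid>\d+)")
FAIL_RE = re.compile(r"^facauth: Failed MAC filtering")


def normalize_mac(mac):
    """Canonical lowercase colon form, so a RADIUS Calling-Station-Id written
    as 00-78-65-6E-73-01 compares equal to a device list entry 00:78:65:6e:73:01."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_radiusd(text):
    """Group radiusd lines by request number and summarise each request."""
    reqs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a request number, e.g. "Waking up in ..."
        req = int(m.group("req"))
        r = reqs.setdefault(req, {"nas": None, "user": None, "mac": None,
                                  "mac_filter": None, "group_id": None,
                                  "groups": [], "result": None})
        msg = m.group("msg")
        mm = RECV_RE.match(msg)
        if mm:
            r["nas"] = mm.group("nas")       # NAS the Access-Request came from
            continue
        mm = SENT_RE.match(msg)
        if mm:
            r["result"] = mm.group("result")  # final RADIUS verdict
            continue
        mm = PASS_RE.match(msg)
        if mm:
            r["mac_filter"] = "pass"
            r["group_id"] = int(mm.group("gid"))
            continue
        if FAIL_RE.match(msg):
            r["mac_filter"] = "fail"
            continue
        mm = ATTR_RE.match(msg)
        if mm:
            name, val = mm.group("name"), mm.group("val")
            if name == "User-Name":
                r["user"] = val
            elif name == "Calling-Station-Id":
                r["mac"] = val               # the device MAC the NAS reported
            elif name == "Fortinet-Group-Name":
                r["groups"].append(val)      # groups returned in the Access-Accept
    return reqs


def mac_filter_failures(reqs):
    """Requests denied by MAC filtering, as (req, user, normalized mac, nas)."""
    out = []
    for req in sorted(reqs):
        r = reqs[req]
        if r["mac_filter"] == "fail":
            mac = normalize_mac(r["mac"]) if r["mac"] else None
            out.append((req, r["user"], mac, r["nas"]))
    return out


def accepted_without_mac_check(reqs):
    """Accepted requests for which no MAC-filtering verdict was logged at all:
    a sign that the matched RADIUS policy does not verify the MAC address."""
    return [req for req in sorted(reqs)
            if reqs[req]["result"] == "Access-Accept" and reqs[req]["mac_filter"] is None]


if __name__ == "__main__":
    summary = parse_radiusd(SAMPLE_LOG)
    for req, r in sorted(summary.items()):
        print(req, r["user"], r["mac"], r["mac_filter"], r["result"], r["groups"])
    print("MAC-filter denials:", mac_filter_failures(summary))
    print("Accepted with no MAC check:", accepted_without_mac_check(summary))
```

Run against a real radiusd debug capture, the denial list gives you the user, the reported MAC and the NAS for each rejection like Case 2, which is the tuple to compare against the MAC device entries from Step 1. The second check is the complementary control: an Access-Accept with no "Pass MAC filtering" line means the request matched a policy on which the device authorization check from Step 3 is not enabled.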
