FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
athirat
Staff
Staff

Description

 

This article describes about how to enable mac address bypass on FortiGate interfaces.

MAC Authentication Bypass (MAB) is supported to accept non-802.1X compliant devices onto the network using their MAC address as authentication. 

 

Scope

 

All FortiOS versions

 

Solution

 

- Can enable MAB on FortiGate as below:

 

# config sys interface
    edit "<>"
      set vdom "root"
      set ip 192.168.1.1 255.255.255.0
      set allowaccess ping radius-acct
      set security-mode captive-portal
      set security-mac-auth-bypass enable -----> can be enabled only via CLI 
      set security-external-web "https://<FAC-fqdn>/portal/"
      set security-groups "radius-group"
      set security-exempt-list "FAC-exempt-list"
      set device-identification enable
      set role lan
    next
  end

 

- With this enabled, when client attempts a connection, FortiGate will generate a RADIUS authentication request  using the endpoint's MAC address as the username to the FortiAuthenticator (set up as radius server).

 

FortiAuthenticator will verify the MAB request against Authentication - > User management - > Mac devices. It will return an Access-Accept response with authorized group name RADIUS attributes if the MAC address is authorized, or an Access-reject otherwise.

Upon an Access-Accept response and correct group membership, the end-user browser bypasses the captive portal and is allowed through to the requested website.

 

If Access-reject is received, the normal captive portal workflow will continue.

 

Refer below for more details on setup with respect to FortiAuthenticator:

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiAuthenticator-MAC-Address-By...

Contributors