Description
This article describes about how to enable mac address bypass on FortiGate interfaces.
MAC Authentication Bypass (MAB) is supported to accept non-802.1X compliant devices onto the network using their MAC address as authentication.
Scope
All FortiOS versions
Solution
- Can enable MAB on FortiGate as below:
# config sys interface
edit "<>"
set vdom "root"
set ip 192.168.1.1 255.255.255.0
set allowaccess ping radius-acct
set security-mode captive-portal
set security-mac-auth-bypass enable -----> can be enabled only via CLI
set security-external-web "https://<FAC-fqdn>/portal/"
set security-groups "radius-group"
set security-exempt-list "FAC-exempt-list"
set device-identification enable
set role lan
next
end
- With this enabled, when client attempts a connection, FortiGate will generate a RADIUS authentication request using the endpoint's MAC address as the username to the FortiAuthenticator (set up as radius server).
FortiAuthenticator will verify the MAB request against Authentication - > User management - > Mac devices. It will return an Access-Accept response with authorized group name RADIUS attributes if the MAC address is authorized, or an Access-reject otherwise.
Upon an Access-Accept response and correct group membership, the end-user browser bypasses the captive portal and is allowed through to the requested website.
If Access-reject is received, the normal captive portal workflow will continue.
Refer below for more details on setup with respect to FortiAuthenticator:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiAuthenticator-MAC-Address-By...
