


This article describes how to enable MAC address bypass on FortiGate interfaces.

MAC Authentication Bypass (MAB) admits devices that are not 802.1X compliant onto the network by using their MAC address as authentication.




All FortiOS versions




- MAB can be enabled on a FortiGate interface as follows:


config system interface
    edit "<>"
      set vdom "root"
      set ip
      set allowaccess ping radius-acct
      set security-mode captive-portal
      set security-mac-auth-bypass enable
      set security-external-web "https://<FAC-fqdn>/portal/"
      set security-groups "radius-group"
      set security-exempt-list "FAC-exempt-list"
      set device-identification enable
      set role lan
    next
end

The security-mac-auth-bypass setting can be enabled only via the CLI.


- With this enabled, when a client attempts a connection, FortiGate sends a RADIUS authentication request to FortiAuthenticator (set up as the RADIUS server), using the endpoint's MAC address as the username.


FortiAuthenticator verifies the MAB request against Authentication -> User Management -> MAC Devices. It returns an Access-Accept response with the authorized group name RADIUS attributes if the MAC address is authorized, or an Access-Reject otherwise.

Upon an Access-Accept response and correct group membership, the end-user browser bypasses the captive portal and is allowed through to the requested website.


If an Access-Reject is received, the normal captive portal workflow continues.
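The RADIUS exchange described above, as an added Python example (not Fortinet code and not part of the original article): it builds the Access-Request with the MAC address as User-Name and reads the accept or reject code and group attribute from the reply. Assumptions: the MAC is sent lowercase and colon-separated and is also used as the PAP password, the group arrives in the Fortinet-Group-Name vendor-specific attribute (vendor 12356, type 1), and `build_reply` is a constructed stand-in for FortiAuthenticator.

```python
import hashlib
import struct

GROUP_VSA = struct.pack("!IB", 12356, 1)  # assumed: Fortinet-Group-Name VSA
CODES = {2: "Access-Accept", 3: "Access-Reject"}

def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length, value (RFC 2865 section 5)."""
    return bytes([attr_type, len(value) + 2]) + value

def hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2 (chained MD5 XOR)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_mab_request(mac, secret, ident, authenticator):
    """Access-Request (code 1) with the endpoint MAC address as User-Name."""
    user = mac.lower().encode()
    # Assumption: the MAC is also sent as the password; check a packet capture.
    attrs = attr(1, user) + attr(2, hide_password(user, secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, ident, request_auth, secret, group=None):
    """Constructed server reply, standing in for FortiAuthenticator."""
    attrs = attr(26, GROUP_VSA + bytes([len(group) + 2]) + group.encode()) if group else b""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs

def parse_reply(reply, secret, request_auth):
    """Verify the Response Authenticator; return (code name, group names)."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    if reply[4:20] != expected:
        raise ValueError("bad Response Authenticator (shared secret mismatch?)")
    groups, pos = [], 20
    while pos + 2 <= length:
        a_type, a_len = reply[pos], reply[pos + 1]
        if a_len < 2:
            raise ValueError("malformed attribute length")
        value = reply[pos + 2:pos + a_len]
        if a_type == 26 and len(value) > 6 and value[:5] == GROUP_VSA:
            groups.append(value[6:4 + value[5]].decode())
        pos += a_len
    return CODES.get(code, str(code)), groups
```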


Refer below for more details on setup with respect to FortiAuthenticator: