Article Id 222371



This article describes how to enable MAC address bypass on FortiGate interfaces.

MAC Authentication Bypass (MAB) is supported so that non-802.1X-compliant devices can be accepted onto the network using their MAC address as authentication.




All FortiOS versions




- MAB can be enabled on a FortiGate interface as follows:


# config system interface
    edit "<interface-name>"
      set vdom "root"
      set ip <ip-address> <netmask>
      set allowaccess ping radius-acct
      set security-mode captive-portal
      set security-mac-auth-bypass enable -----> Can be enabled only via CLI.
      set security-external-web "https://<FAC-fqdn>/portal/"
      set security-groups "radius-group"
      set security-exempt-list "FAC-exempt-list"
      set device-identification enable
      set role lan
    next
end


- With this enabled, when a client attempts a connection, FortiGate generates a RADIUS authentication request to the FortiAuthenticator (set up as the RADIUS server), using the endpoint's MAC address as the username.


FortiAuthenticator verifies the MAB request against Authentication -> User Management -> MAC Devices. It returns an Access-Accept response with the authorized group name RADIUS attributes if the MAC address is authorized, or an Access-Reject otherwise.

Upon an Access-Accept response and correct group membership, the end-user browser bypasses the captive portal and is allowed through to the requested website.


If an Access-Reject is received, the normal captive portal workflow continues.
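
The RADIUS exchange described above, as an added Python example (not Fortinet code and not part of the original article): it builds the Access-Request per RFC 2865 with the MAC as User-Name, and a stand-in server and firewall decide between bypass and captive portal. Assumptions: the hyphenated MAC format, the MAC reused as the password, the group carried in the Fortinet-Group-Name vendor-specific attribute, and an Access-Accept with a non-matching group falling back to the portal; all function names and sample values are constructed.

```python
import hashlib, hmac, os, struct

FORTINET_VENDOR = 12356   # Fortinet's IANA enterprise number
FORTINET_GROUP_NAME = 1   # Fortinet-Group-Name sub-attribute (assumed group carrier)
MAC_DEVICES = {"00-11-22-33-44-55": "radius-group"}   # constructed device list

def attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value

def parse_attrs(packet):
    attrs, pos = {}, 20   # attributes follow the 20-byte header
    end = min(len(packet), struct.unpack("!H", packet[2:4])[0])
    while pos + 2 <= end and packet[pos + 1] >= 2:   # stop on a malformed length
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def hide_password(password, secret, authenticator):
    # RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def mab_request(mac, secret, ident=1):
    # Access-Request (code 1), MAC as User-Name; MAC as password too is an assumption.
    auth = os.urandom(16)
    attrs = attr(1, mac.encode()) + attr(2, hide_password(mac.encode(), secret, auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs

def group_vsa(group):
    # Vendor-Specific (26): vendor id followed by the Fortinet-Group-Name sub-attribute
    return attr(26, struct.pack("!I", FORTINET_VENDOR) + attr(FORTINET_GROUP_NAME, group.encode()))

def server_reply(request, secret, mac_devices):
    # Stand-in for the RADIUS server: look the User-Name up in the MAC device list.
    group = mac_devices.get(parse_attrs(request)[1].decode())
    attrs = b"" if group is None else group_vsa(group)   # no group on Access-Reject
    head = struct.pack("!BBH", 3 if group is None else 2, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def portal_decision(request, reply, secret, required_group):
    # Stand-in for the firewall: check the Response Authenticator, the code and the group.
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    group_ok = parse_attrs(reply).get(26) == group_vsa(required_group)[2:]
    authentic = hmac.compare_digest(expected, reply[4:20])
    return "bypass" if authentic and reply[0] == 2 and group_ok else "captive-portal"
```

The only credential in the request is the MAC address itself, so the decision rests entirely on the MAC device list and the returned group.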


Refer below for more details on setup with respect to FortiAuthenticator: