Description

This article describes a solution for environments where LAN systems do not have static IP addresses and MAC addresses are to be used as the firewall policy source. By default, a source MAC address cannot be used in a firewall policy that requires LDAP authentication, since the authentication is only triggered when the source is an IP address.

Scope: All FortiGate versions.

Solution
If the user is to be authenticated with LDAP while a MAC address is specified in the source field of the FortiGate firewall policy, the authentication fails by default.
Even though testing the user credentials against the LDAP server succeeds, the captive portal authentication page returns an error (authentication failed). The same setup works as expected when an IP address is used as the source.
In some environments, users do not have static IP assignments and a MAC-based policy is required. For that, captive portal authentication must be enabled on the interface (LAN).
Both the LDAP user group and the MAC address objects must be referenced in the firewall policy.
config user group
config firewall policy
When the user now tries to log in, the authentication is redirected to http://Lan-IP:1000. To change the default port, use the commands below:
FortiGate # config system global
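The full CLI sequence for the procedure above, as an added example that is not the article's own output. Object names, the interface names, the MAC address and the LDAP server name are placeholders, and the syntax assumes FortiOS 7.x.

```fortios
# Assumes an LDAP server object named "LDAP-Server" already exists.
# User group wrapping the LDAP server (placeholder name)
config user group
    edit "LDAP-Group"
        set member "LDAP-Server"
    next
end

# Enable captive portal on the LAN interface and bind the LDAP group to it
config system interface
    edit "lan"
        set security-mode captive-portal
        set security-groups "LDAP-Group"
    next
end

# MAC-based address object for the client (constructed sample MAC)
config firewall address
    edit "PC1-MAC"
        set type mac
        set macaddr 00:11:22:33:44:55
    next
end

# Policy that references both the MAC object and the LDAP group
config firewall policy
    edit 1
        set name "LAN-to-WAN-MAC-LDAP"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "PC1-MAC"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "LDAP-Group"
        set nat enable
    next
end

# Optional: move the captive portal off the default ports 1000 (HTTP) and 1003 (HTTPS)
config system global
    set auth-http-port 8008
    set auth-https-port 8010
end

# Verify the authenticated session afterwards with: diagnose firewall auth list
```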
After configuring authentication at the interface level and a MAC-based policy, the user is authenticated successfully:
FortiGate-81E # diagnose firewall auth list
10.14.10.163, user_0
Note: There are other ways to achieve this if the interface captive portal should not be enabled. In most cases, if IP addresses are not static the clients use DHCP, so it is possible to reserve the IP address for the MAC address in the DHCP settings and keep a normal IP (subnet) based source in the firewall policy.
Related article: Technical Tip: How to configure FortiGate to use an LDAP server
Copyright 2025 Fortinet, Inc. All Rights Reserved.