Refer to the document for configuring FortiSwitch security policies:

FortiSwitch security policies

When the wired client (laptop or desktop) tries to connect to the switch port, it is possible to see a fake MAC address in the time frame of authentication.

• The Fake MAC address will be 00:09:0f:xx:xx:xx (Fortinet vendor specific).
• The Fake MAC is a place-hold MAC before it authenticates with the real MAC address of the wired client.
• The MAC address will be seen only in the transition state of the MAB authentication and will disappear after authentication.

Example :

diagnose  switch  802-1x status port7

   Port7 : Mode: port-based (mac-by-pass enable)

           Link: Link up

           Port State: unauthorized: (  )

            EAP auto-untagged-vlans : Enable

           Dynamic Access Control List : Disable

           Native Vlan : 1

           Allowed Vlan list: 10,20,30

           Untagged Vlan list:

           Guest VLAN :

           Auth-Fail Vlan :

           AuthServer-Timeout Vlan :

           Sessions info:

           00:09:0f:xx:xx:xx    =========>  The fake MAC address.     Type=802.1x,,state=AUTHENTICATING,etime=0,eap_cnt=0 params:reAuth=0

               user="",security_grp="",fortinet_grp=""