Skytech1
New Contributor III
Blocking MAB authentication for rogue devices in FortiNAC

Hello community,

Is there a way to block MAB for rogue devices in FortiNAC?

The issue I'm facing is with a Cisco switch with the following configuration on the ports:

interface GigabitEthernet1/0/9
 switchport access vlan 31
 switchport mode access
 switchport voice vlan 18
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 180
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 spanning-tree portfast


This port is intended to work with MAB for a phone and with 802.1X for a PC. However, when a PC with no supplicant or certificate is connected behind the phone, the switch sends its MAC to FortiNAC, and I see "Login OK" with the MAC address, so the device receives the default VLAN (in this case VLAN 31, the access VLAN). What I'm looking for is that only the phone (which is registered in the FortiNAC DB) gets authenticated via MAB, but not the PC, which is a rogue device.


On other ports of the switch where there is no MAB, only dot1x, the PC doesn't authenticate, but when connected behind the phone, it does.


Thanks for your suggestions
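Two checks a defender would want for the situation described in this post, as an added example (not code from the poster, Cisco or Fortinet): first, an audit of a Cisco IOS running-config that flags ports where MAB is enabled together with a multi-domain or multi-auth host mode, which is exactly the combination that lets a supplicant-less PC behind the phone be authorized by MAB alone; second, a correlation of MAB "Login OK" events against the set of registered MAC addresses, so that a rogue device reaching the data VLAN via MAB is reported. The sample config and the event lines are constructed for the example; the event line format is an assumption, not FortiNAC's own log format, and the registered set stands in for the FortiNAC device database.

```python
import re

# Constructed sample running-config: the poster's port plus a dot1x-only port.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/9
 switchport access vlan 31
 switchport mode access
 switchport voice vlan 18
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/10
 switchport access vlan 31
 switchport mode access
 authentication host-mode single-host
 authentication port-control auto
 dot1x pae authenticator
!
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for each interface stanza."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return interfaces


def mab_exposes_data_domain(cmds):
    """True when MAB is enabled on a multi-domain (or multi-auth) port: a device
    without a supplicant plugged in behind the phone can then be authorized by
    MAB on the data domain, which is the behaviour the poster observed."""
    has_mab = "mab" in cmds
    host_mode = next(
        (c.split()[-1] for c in cmds if c.startswith("authentication host-mode")),
        "single-host",  # IOS default when host-mode is not set
    )
    return has_mab and host_mode in ("multi-domain", "multi-auth")


def audit_config(config):
    """Interface names on which MAB can authorize the data domain."""
    return sorted(
        name for name, cmds in parse_interfaces(config).items()
        if mab_exposes_data_domain(cmds)
    )


# Constructed event lines (assumed format, not FortiNAC's): port, method, MAC, VLAN.
SAMPLE_EVENTS = [
    "Gi1/0/9 mab Login OK 00:11:22:33:44:55 vlan 18",    # phone, registered
    "Gi1/0/9 mab Login OK AA:BB:CC:DD:EE:FF vlan 31",    # PC behind phone, rogue
    "Gi1/0/10 dot1x Login OK de:ad:be:ef:00:01 vlan 31",  # 802.1X, not MAB
]
# Stand-in for the registered devices in the FortiNAC database.
REGISTERED = {"00:11:22:33:44:55"}

EVENT_RE = re.compile(
    r"^(?P<port>\S+) (?P<method>mab|dot1x) Login OK "
    r"(?P<mac>[0-9a-f:]{17}) vlan (?P<vlan>\d+)$",
    re.IGNORECASE,
)


def rogue_mab_logins(events, registered):
    """(port, mac, vlan) for every MAB authorization whose MAC is not registered."""
    hits = []
    for ev in events:
        m = EVENT_RE.match(ev)
        if m is None or m["method"].lower() != "mab":
            continue
        mac = m["mac"].lower()  # normalise case before comparing
        if mac not in registered:
            hits.append((m["port"], mac, int(m["vlan"])))
    return hits


if __name__ == "__main__":
    print("ports where MAB can authorize the data domain:", audit_config(SAMPLE_CONFIG))
    print("rogue MAB logins:", rogue_mab_logins(SAMPLE_EVENTS, REGISTERED))
```

Run against the constructed samples, the audit reports GigabitEthernet1/0/9 only, and the correlation reports the PC's MAC on VLAN 31; the phone passes because it is registered, and the dot1x event is ignored because only MAB authorizations are of interest here.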

3 REPLIES
ebilcari
Staff

Usually FNAC should respond with the Registration VLAN for newly connected rogue devices, showing the reason for the isolation and the options for registering the device. It is not recommended, but if required this can be changed by setting 'Deny' in the model configuration for the Registration logical network:

[Screenshot: Deny.PNG]

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Skytech1
New Contributor III

Thanks @ebilcari, I configured the registration with the isolation VLAN to achieve this. It would be nice to have an option to block MAB authentication for certain MAC addresses.

ebilcari

You can achieve this by disabling the host from the GUI and configuring Dead End enforcement. The details are shown in this article.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.