Support Forum
nmdc_kzstan
New Contributor

Device authentication by MAC

Hi, I have two policies configured:

1. Subtype Device (authentication by MAC; two PCs -> two MAC addresses) to all, Allow
2. Subtype Address: source LAN (192.168.1.0/24) to all, Allow

The problem is that only the devices authenticated by MAC (the two PCs) can access the Internet; the counters on Policy 2, which allows the LAN (192.168.1.0/24) access to the Internet, are 0. If I move Policy 2 above Policy 1, then all traffic goes through Policy 2. What is needed: the two PCs (authenticated by MAC address) go through Policy 1 (with specific UTM features and QoS applied) and all other devices go through Policy 2.

TIA

bikash_Shaw
New Contributor III

Hi,

Please upgrade the firmware to 5.2.

Regards,

Bikash

xsilver_FTNT
Staff

Please note that if the device is not known with a certain level of confidence, then device-based policies do not work as expected.

Therefore, if you always need assured application of the rules to those two devices, I would suggest giving those two static IPs, or using DHCP per-MAC IP reservation, so that when a device asks it will always get the same IP. Then make explicit source-IP-based policies for those two. Yes, it is an old-school way, but quite stable and proven to work.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

emnoc
Esteemed Contributor III

I have to disagree with MAC-based identification or ipmacbinding; this can easily be spoofed and hijacked. Using user network access and identity-based firewall policies would be so much better, wiser & stronger.

Trusting MAC binding is like saying:

"We will only open the outside door to the bank when the person knocks 4 times & has a blue shirt on."

The robbers across the street only have to watch and repeat, and then they have access to the same bank. This is why they have cameras and a host of other identification enforcement.

Just my thought, but be very careful with the ipmacbinding approach.

PCNSE NSE StrongSwan

Bromont_FTNT

Not sure we are talking about wireless devices here... In any case, this should be achievable without any issue using device identification.

xsilver_FTNT

I do agree, but my point was that a MAC-IP bond made by DHCP is better than a device-based policy dependent on device traffic fingerprinting (as there is no active device fingerprinting agreed to be implemented yet).

Of course we can increase the "bank" security to certificate-based 802.1X device access identification mixed with a user identity policy and anything up to two-factor authentication, which is then Nx harder to spoof and fake.

But this did not seem to me to be the point/question.

If you simply and temporarily would like to divide out a few devices and silently apply different profiles to them, and you do not have 802.1X or similar implemented, then MAC-based division seems to me an easy way to achieve the goal without any unnecessary complexity.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
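The DHCP-reservation-plus-source-IP approach described in Tomas's two replies, written out as an added FortiOS CLI example (constructed for this thread, not posted by anyone in it). It assumes the LAN-subnet policy from the question already exists as policy ID 2, and that the interface names (internal, wan1), the two MAC addresses, the reserved IPs and the profile/shaper names are placeholders to be replaced; 192.168.1.0/24 is the subnet from the question.

```fortios
# Constructed example; interface names, MACs, IPs, profile names and IDs are assumptions.
# 1. DHCP reservation: each PC's MAC always receives the same IP, so the
#    policy below keys on a stable address rather than on device-ID confidence.
config system dhcp server
    edit 1
        set interface "internal"
        config reserved-address
            edit 1
                set ip 192.168.1.10
                set mac 00:11:22:33:44:01
            next
            edit 2
                set ip 192.168.1.11
                set mac 00:11:22:33:44:02
            next
        end
    next
end

# 2. One /32 address object per reserved host.
config firewall address
    edit "PC1_host"
        set subnet 192.168.1.10 255.255.255.255
    next
    edit "PC2_host"
        set subnet 192.168.1.11 255.255.255.255
    next
end

# 3. Host-specific policy with UTM and shaping. Policy matching is top-down and
#    the first hit wins, so it is moved above the existing LAN catch-all (ID 2).
config firewall policy
    edit 10
        set comments "Two PCs: specific UTM and QoS"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "PC1_host" "PC2_host"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set profile-protocol-options "default"
        set traffic-shaper "high-priority"
        set nat enable
    next
    move 10 before 2
end
```

As emnoc points out above, a host that assigns its own IP or clones one of the reserved MACs will match policy 10 just the same, so this separates traffic by address rather than authenticating the device; check that the hit counters on policy 10 and policy 2 both increase once the two PCs have renewed their leases.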
