Akmostafa
New Contributor III

bypassing captive portal using MAB

Hello, I am trying to configure FAC as an external captive portal for FortiGate. Things work fine.

However, I need to bypass MAC addresses from the captive portal.

I did enable MAC filtering on the SSID on FortiGate and chose FAC as the user group.

On FAC I did a MAB authentication policy matching on a group. I added the desired MACs to bypass to the group. However, when I associate one of the MACs to the SSID it is still exposed to the captive portal.

Please note that from FAC logs, the MAC authentication succeeded.

 

pminarik
Staff

If FAC says that the MAB authentication succeeded, that's most likely a sign that there's some authorization issue. If the FortiGate expects some specific user group for this auth (I can't recall if this can be configured; if not, please ignore), check whether the FAC is sending this info in the Fortinet-Group-Name VSA (take a pcap of the RADIUS traffic and check it in Wireshark, for example).

[ corrections always welcome ]
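To make the check suggested above concrete, here is an added example (not code from the reply, from Fortinet or from FAC) that decodes a raw RADIUS packet and lists every Fortinet-Group-Name value carried in Vendor-Specific attributes, so you can see whether the Access-Accept actually carries the group the FortiGate would need. It assumes Fortinet's IANA enterprise number 12356 and VSA type 1 for Fortinet-Group-Name, as published in the Fortinet RADIUS dictionary, and works on a constructed Access-Accept rather than a captured one; in practice you would feed it the RADIUS payload bytes exported from Wireshark.

```python
import struct

# RADIUS codes and attribute types (RFC 2865).
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26

# Fortinet's IANA enterprise number and the Fortinet-Group-Name VSA type,
# taken from the Fortinet RADIUS dictionary.
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1


def parse_attributes(payload: bytes):
    """Split a RADIUS attribute list (1-byte type, 1-byte length, value) into (type, value) pairs."""
    attrs, off = [], 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[off], payload[off + 1]
        if alen < 2 or off + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[off + 2:off + alen]))
        off += alen
    return attrs


def parse_vsa(value: bytes):
    """Decode a Vendor-Specific attribute into (vendor_id, [(vendor_type, value), ...])."""
    if len(value) < 4:
        raise ValueError("VSA too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    # Vendor attributes use the same TLV layout as top-level attributes.
    return vendor_id, parse_attributes(value[4:])


def fortinet_group_names(packet: bytes):
    """Return (code, [group names]) for a raw RADIUS packet.

    An empty list on an Access-Accept means the server granted access but sent
    no Fortinet-Group-Name, i.e. the FortiGate gets no group to authorize against.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    groups = []
    for atype, avalue in parse_attributes(packet[20:]):
        if atype != ATTR_VENDOR_SPECIFIC:
            continue
        vendor_id, subattrs = parse_vsa(avalue)
        if vendor_id != FORTINET_VENDOR_ID:
            continue
        groups.extend(v.decode("utf-8", errors="replace")
                      for t, v in subattrs if t == FORTINET_GROUP_NAME)
    return code, groups


# --- Constructed sample packets (not real captures) for trying the parser ---

def encode_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def build_vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    body = struct.pack("!I", vendor_id) + encode_attr(vtype, value)
    return encode_attr(ATTR_VENDOR_SPECIFIC, body)


def build_packet(code: int, attrs: bytes) -> bytes:
    # Identifier 1 and an all-zero authenticator; the authenticator is not validated here.
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs


# MAB uses the client MAC as User-Name; the MAC and group name below are made up.
SAMPLE_ACCEPT_WITH_GROUP = build_packet(
    ACCESS_ACCEPT,
    encode_attr(ATTR_USER_NAME, b"00:11:22:33:44:55")
    + build_vsa(FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, b"mab-bypass"),
)
SAMPLE_ACCEPT_WITHOUT_GROUP = build_packet(
    ACCESS_ACCEPT, encode_attr(ATTR_USER_NAME, b"00:11:22:33:44:55")
)

if __name__ == "__main__":
    for name, pkt in (("with group", SAMPLE_ACCEPT_WITH_GROUP),
                      ("without group", SAMPLE_ACCEPT_WITHOUT_GROUP)):
        print(name, fortinet_group_names(pkt))
```

If the decoded Access-Accept shows the expected group and the FortiGate still presents the portal, the problem is on the FortiGate side of the authorization, not in what FAC returns.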
Akmostafa
New Contributor III

Hello Pminarik,

I have verified that the Access-Accept response is reaching the FortiGate.

The group attribute is also sent; however, in MAC filtering on the FortiGate side there is no option to add a specific group, you are just allowed to choose a RADIUS server.

Regards.

Ahmed

pminarik

Hmm, on second thought, maybe the RADIUS-based MAC filtering won't help here.

I'm not a wifi expert, so take this all with a grain of salt, but I suspect what might be happening is that the "Client MAC Address Filtering" is either just an additional MAC-based black/white-list, or it only bypasses PSK/EAP authentication, but perhaps it doesn't affect the state of the captive portal. After all, the captive portal has its own "bypass list": the "Exempt sources" field.

What if you try with the SSID set to simply "Captive Portal"? If there's any chance, I would find this option more likely to be bypassable than e.g. "WPA2+Captive Portal". But I give no guarantees, just throwing some ideas on the wall here. :)

[ corrections always welcome ]