Hello, I am trying to configure FAC as an external captive portal for FortiGate. Things work fine.
However, I need to bypass MAC addresses from the captive portal.
I enabled MAC filtering on the SSID on the FortiGate and chose FAC as the user group.
On FAC I created a MAB authentication policy matching on a group, and I added the MACs I want to bypass to that group. However, when I associate one of those MACs to the SSID, it is still exposed to the captive portal.
Please note that from FAC logs, the MAC authentication succeeded.
If FAC says that the MAB authentication succeeded, that's most likely a sign that there's some authorization issue. If the FortiGate expects a specific user group for this auth (I can't recall if this can be configured; if not, please ignore), check whether FAC is sending this info in the Fortinet-Group-Name VSA (take a pcap of the RADIUS traffic and check it in Wireshark, for example).
Hmm, on second thought, maybe the RADIUS-based MAC filtering won't help here.
I'm not a Wi-Fi expert, so take this all with a grain of salt, but I suspect what might be happening is that the "Client MAC Address Filtering" is either just an additional MAC-based black/white list, or it only bypasses PSK/EAP authentication, but perhaps it doesn't affect the state of the captive portal. After all, the captive portal has its own "bypass list": the "Exempt sources" field.
What if you try with the SSID set to simply "Captive Portal"? If there's any chance, I would find this option more likely to be bypassable than e.g. "WPA2+Captive Portal". But I give no guarantees, just throwing some ideas on the wall here. :)
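The reply above suggests checking the RADIUS Access-Accept for the Fortinet-Group-Name VSA. Below is an added example (not code from the thread, FortiAuthenticator or Fortinet) that parses a raw RADIUS packet, such as the UDP payload of the Access-Accept exported from Wireshark, and lists any Fortinet-Group-Name values it carries. It uses Fortinet's IANA vendor ID 12356 and vendor sub-type 1 for Fortinet-Group-Name, as in Fortinet's RADIUS dictionary. The two sample packets are constructed inline for the demonstration: one Access-Accept that carries a group name and one that does not (the authorization-failure case the reply describes). Their Response Authenticator fields are zeroed and are not valid signatures.

```python
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26          # RFC 2865 section 5.26
FORTINET_VENDOR_ID = 12356         # Fortinet's IANA Private Enterprise Number
FORTINET_GROUP_NAME = 1            # Fortinet-Group-Name vendor sub-type
RADIUS_HEADER_LEN = 20


def parse_radius(packet: bytes):
    """Return (code, identifier, [(type, value_bytes), ...]) for one RADIUS packet.

    Length checks are deliberate: a pcap may contain truncated frames, and a
    malformed Length byte must not be allowed to index past the buffer.
    """
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < RADIUS_HEADER_LEN or length > len(packet):
        raise ValueError("RADIUS Length field is inconsistent with the payload")
    attrs = []
    pos = RADIUS_HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def fortinet_group_names(packet: bytes):
    """Extract every Fortinet-Group-Name string from the packet's VSAs."""
    _, _, attrs = parse_radius(packet)
    names = []
    for atype, value in attrs:
        # VSA value = Vendor-Id (4 bytes) + one or more vendor sub-attributes
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break                      # malformed sub-attribute; stop here
            if vtype == FORTINET_GROUP_NAME:
                names.append(value[pos + 2:pos + vlen].decode("utf-8", "replace"))
            pos += vlen
    return names


# --- constructed sample packets (not captured traffic) -----------------------

def build_attr(atype: int, data: bytes) -> bytes:
    return bytes([atype, len(data) + 2]) + data


def build_vsa(vendor_id: int, vtype: int, data: bytes) -> bytes:
    sub = bytes([vtype, len(data) + 2]) + data
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_radius(code: int, ident: int, attrs: list) -> bytes:
    body = b"".join(attrs)
    # Response Authenticator zeroed: this is sample data, not a signed reply.
    return struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(body)) + b"\x00" * 16 + body


# Access-Accept for a MAB client (User-Name is the MAC, as FAC sends it)
ACCEPT_WITH_GROUP = build_radius(RADIUS_ACCESS_ACCEPT, 7, [
    build_attr(ATTR_USER_NAME, b"001122334455"),
    build_vsa(FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, b"MAB-Bypass"),
])

# Access-Accept that authenticates the MAC but returns no group at all
ACCEPT_WITHOUT_GROUP = build_radius(RADIUS_ACCESS_ACCEPT, 8, [
    build_attr(ATTR_USER_NAME, b"001122334455"),
])

if __name__ == "__main__":
    for label, pkt in (("with group", ACCEPT_WITH_GROUP), ("without group", ACCEPT_WITHOUT_GROUP)):
        code, ident, _ = parse_radius(pkt)
        print(f"{label}: code={code} id={ident} Fortinet-Group-Name={fortinet_group_names(pkt)}")
```

If the Accept for the MAC shows an empty list, FAC authenticated the station but sent no group the FortiGate can match against its user group, which is exactly the authorization gap the reply describes; if the group is present and the portal still appears, the problem is not in the RADIUS exchange.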