Hello, I am trying to configure FAC as external captive portal for FortiGate. Things work fine.
However, I need to bypass MAC addresses from the captive portal.
I did enable MAC filtering on the SSID on FortiGate and chose FAC as usergroup.
On FAC I did an MAB authentication policy matching on a group. I added in the group the desired MACs to bypass. However, when I associate one of the MACs to the SSID it is still exposed to the captive portal.
Please note that from FAC logs, the MAC authentication succeeded.
If FAC says that the MAB-authentication succeeded, that's most likely a sign that there's some authorization issue. If the FortiGate expects some specific user-group for this auth (I can't recall if this can be configured, if not, please ignore), check if the FAC is sending this info in the Fortinet-Group-Name VSA (take a pcap of the RADIUS traffic and check it in Wireshark, for example).
Hello Pminarik,
I have verified the access-accept response is reaching FortiGate.
The group attribute is also sent, however, in MAC filtering on FortiGate side there is no option to add a specific group, you are just allowed to choose a radius server.
Regards.
Ahmed
Hmm, on second thought, maybe the RADIUS-based MAC filtering won't help here.
I'm not a wifi expert, so take this all with a grain of salt, but I suspect what might be happening is that the "Client MAC Address Filtering" is either just an additional MAC-based black/white-list, or it only bypasses PSK/EAP authentication, but perhaps it doesn't affect the state of the captive portal. After all, captive portal has its own "bypass list" - the "Exempt sources" field.
What if you try with the SSID set to simply "Captive Portal"? If there's any chance, I would find this option more likely to be bypass-able than e.g. "WPA2+Captive Portal". But I give no guarantees, just throwing some ideas on the wall here. :)
Copyright 2024 Fortinet, Inc. All Rights Reserved.