bypassing captive portal using MAB
Hello, I am trying to configure FAC as external captive portal for FortiGate. Things work fine.
However, I need to bypass MAC addresses from the captive portal.
I did enable MAC filtering on the SSID on FortiGate and chose FAC as user group.
On FAC I did a MAB authentication policy matching on a group. I added in the group the desired MACs to bypass. However, when I associate one of the MACs to the SSID it is still exposed to the captive portal.
Please note that from FAC logs, the MAC authentication succeeded.
Labels: FortiAP, FortiAuthenticator v5.5, FortiGate
If FAC says that the MAB authentication succeeded, that's most likely a sign that there's some authorization issue. If the FortiGate expects some specific user-group for this auth (I can't recall if this can be configured, if not, please ignore), check if the FAC is sending this info in the Fortinet-Group-Name VSA (take a pcap of the RADIUS traffic and check it in Wireshark, for example).
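The check suggested above, as an added example that is not part of this thread: a small parser that takes the raw UDP payload of a RADIUS Access-Accept (e.g. exported from the pcap) and lists every Fortinet-Group-Name VSA it carries. It assumes the Fortinet enterprise number 12356 and sub-type 1 for Fortinet-Group-Name from the Fortinet RADIUS dictionary; the sample packet and the group name "mab-bypass" are constructed for the demo.

```python
import struct

FORTINET_VENDOR_ID = 12356   # IANA enterprise number for Fortinet
FORTINET_GROUP_NAME = 1      # sub-type of Fortinet-Group-Name in the Fortinet dictionary
VSA = 26                     # standard Vendor-Specific attribute type (RFC 2865)
ACCESS_ACCEPT = 2


def parse_attributes(payload):
    """Yield (type, value) for each TLV; the length byte covers the 2-byte header."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        yield atype, payload[i + 2:i + alen]
        i += alen


def fortinet_group_names(packet):
    """Return the Fortinet-Group-Name values in a RADIUS Access-Accept.

    Returns [] for any other packet code or when no such VSA is present,
    which is exactly the case to look for when the NAS ignores the accept."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        return []
    names = []
    for atype, value in parse_attributes(packet[20:length]):
        if atype != VSA or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        # One VSA may carry several vendor sub-attributes, each its own TLV
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == FORTINET_GROUP_NAME:
                names.append(vvalue.decode("utf-8", "replace"))
    return names


def build_vsa(vendor, vtype, value):
    """Encode one Vendor-Specific attribute (used here only to build test input)."""
    body = struct.pack("!I", vendor) + bytes([vtype, len(value) + 2]) + value
    return bytes([VSA, len(body) + 2]) + body


def build_packet(code, attrs):
    """Minimal RADIUS packet: header, zeroed authenticator, attributes."""
    length = 20 + sum(len(a) for a in attrs)
    return struct.pack("!BBH", code, 1, length) + bytes(16) + b"".join(attrs)


# Constructed sample: an Access-Accept carrying the group name "mab-bypass"
SAMPLE = build_packet(ACCESS_ACCEPT,
                      [build_vsa(FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, b"mab-bypass")])
```

If the list comes back empty for a real Access-Accept, the NAS has no group to match and the FAC side (the RADIUS client's group attribute settings) is where to look.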
Hello Pminarik,
I have verified the Access-Accept response is reaching FortiGate.
The group attribute is also sent; however, in MAC filtering on the FortiGate side there is no option to add a specific group, you are just allowed to choose a RADIUS server.
Regards.
Ahmed
Hmm, on second thought, maybe the RADIUS-based MAC filtering won't help here.
I'm not a wifi expert, so take this all with a grain of salt, but I suspect what might be happening is that the "Client MAC Address Filtering" is either just an additional MAC-based black/white-list, or it only bypasses PSK/EAP authentication, but perhaps it doesn't affect the state of the captive portal. After all, captive portal has its own "bypass list" - the "Exempt sources" field.
What if you try with the SSID set to simply "Captive Portal"? If there's any chance, I would find this option more likely to be bypassable than e.g. "WPA2+Captive Portal". But I give no guarantees, just throwing some ideas on the wall here. :)
