MAC Authentication Bypass (MAB) is supported to accept non-802.1X compliant devices onto the network using their MAC address as authentication.
Solution: Enable MAB on FortiGate
Apply below command to enable MAB on FortiGate:
# config sys interface
edit "<>"
set vdom "root"
set ip 192.168.1.1 255.255.255.0
set allowaccess ping radius-acct
set security-mode captive-portal
set security-mac-auth-bypass enable -----> can be enabled only via CLI
set security-external-web "https://<FAC-fqdn>/portal/"
set security-groups "radius-group"
set security-exempt-list "FAC-exempt-list"
set device-identification enable
set role lan
next
endWith this enabled, when the client attempts a connection, FortiGate will generate a RADIUS authentication request using the endpoint’s MAC address as the username to the FortiAuthenticator (set up as radius server).
FortiAuthenticator will verify the MAB request against Authentication > User management > Mac devices. It will return an Access-Accept response with authorized group name RADIUS attributes if the MAC address is authorized, or an Access-reject otherwise.
Upon an Access-Accept response and correct group membership, the end-user browser bypasses the captive portal and is allowed through to the requested website.
If Access-reject is received, the normal captive portal workflow will continue.
