MAC Authentication Bypass (MAB) is supported to accept non-802.1X compliant devices onto the network using their MAC address as authentication.
Solution: Enable MAB on FortiGate
Apply the commands below to enable MAB on the FortiGate interface:
# config sys interface
    edit "<>"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping radius-acct
        set security-mode captive-portal
        set security-mac-auth-bypass enable      -----> can be enabled only via CLI
        set security-external-web "https://<FAC-fqdn>/portal/"
        set security-groups "radius-group"
        set security-exempt-list "FAC-exempt-list"
        set device-identification enable
        set role lan
    next
end
With this enabled, when the client attempts a connection, FortiGate will generate a RADIUS authentication request to the FortiAuthenticator (set up as the RADIUS server), using the endpoint’s MAC address as the username.
FortiAuthenticator will verify the MAB request against Authentication > User management > MAC devices. If the MAC address is authorized, it will return an Access-Accept response carrying the authorized group name RADIUS attributes; otherwise it will return an Access-Reject.
Upon an Access-Accept response and correct group membership, the end-user browser bypasses the captive portal and is allowed through to the requested website.
If an Access-Reject is received, the normal captive portal workflow will continue.
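When troubleshooting this flow from a packet capture, it helps to read the RADIUS reply the same way the text describes it. The following is an added example, not Fortinet code: it parses a reply per RFC 2865 and applies the Access-Accept plus group-membership rule. It assumes the group name arrives in the Fortinet-Group-Name vendor-specific attribute (vendor 12356, sub-type 1); the function names and the sample packets are constructed for illustration.

```python
import struct

FORTINET_VENDOR_ID = 12356            # Fortinet's IANA enterprise number
FORTINET_GROUP_NAME = 1               # Fortinet-Group-Name VSA sub-type (assumed carrier)
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RADIUS codes from RFC 2865

def build_reply(code, groups=()):
    """Build a constructed RADIUS reply for testing (authenticator zeroed)."""
    attrs = b""
    for g in groups:
        sub = bytes([FORTINET_GROUP_NAME, 2 + len(g)]) + g.encode()
        vsa = struct.pack("!I", FORTINET_VENDOR_ID) + sub
        attrs += bytes([26, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + bytes(16) + attrs

def parse_reply(packet):
    """Return (code, [group names]); does not verify the Response Authenticator."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    groups, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        # Vendor-Specific (26): 4-byte vendor id, then sub-type, sub-length, value
        if atype == 26 and len(value) >= 6:
            vendor, = struct.unpack("!I", value[:4])
            stype, slen = value[4], value[5]
            ours = vendor == FORTINET_VENDOR_ID and stype == FORTINET_GROUP_NAME
            if ours and 2 <= slen <= len(value) - 4:
                groups.append(value[6:4 + slen].decode())
        pos += alen
    return code, groups

def mab_outcome(packet, security_groups):
    """Accept + matching group bypasses the portal; Reject falls back to it."""
    code, groups = parse_reply(packet)
    if code == ACCESS_REJECT:
        return "captive-portal"
    if code == ACCESS_ACCEPT and set(groups) & set(security_groups):
        return "bypass-portal"
    return "accept-no-matching-group"  # outcome not specified in the text
```

An Access-Accept whose group does not match the interface's `security-groups` value is reported separately, since the text only defines the outcome for a matching group and for an Access-Reject.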