Skip to Content

Solved: How do I enable mac address bypass on FortiGate interfaces?

MAC Authentication Bypass (MAB) is supported to accept non-802.1X compliant devices onto the network using their MAC address as authentication.

Solution: Enable MAB on FortiGate

Apply below command to enable MAB on FortiGate:

# config sys interface
edit "<>"
set vdom "root"
set ip
set allowaccess ping radius-acct
set security-mode captive-portal
set security-mac-auth-bypass enable -----> can be enabled only via CLI
set security-external-web "https://<FAC-fqdn>/portal/"
set security-groups "radius-group"
set security-exempt-list "FAC-exempt-list"
set device-identification enable
set role lan

With this enabled, when the client attempts a connection, FortiGate will generate a RADIUS authentication request using the endpoint’s MAC address as the username to the FortiAuthenticator (set up as radius server).

FortiAuthenticator will verify the MAB request against Authentication > User management > Mac devices. It will return an Access-Accept response with authorized group name RADIUS attributes if the MAC address is authorized, or an Access-reject otherwise.

Upon an Access-Accept response and correct group membership, the end-user browser bypasses the captive portal and is allowed through to the requested website.

If Access-reject is received, the normal captive portal workflow will continue.

    Ads Blocker Image Powered by Code Help Pro

    It looks like you are using an adblocker.

    Ads keep our content free. Please consider supporting us by allowing ads on