MAC Authentication Bypass (MAB)
MAC Authentication Bypass allows devices without 802.1X capability (printers and IP phones for example) to bypass authentication and be allowed network access based on their MAC address. This feature requires RADIUS-based 802.1X authentication in which the RADIUS server contains a database of authorized MAC addresses.
MAC Authentication Bypass is configurable only in the CLI and only on interfaces configured for 802.1X authentication. For example:
config system interface edit “lan” set ip 10.0.0.200 255.255.255.0 set vlanforward enable set security-mode 802.1X set security-mac-auth-bypass enable set security-groups “Radius-group”
end
end
MAC Authentication Bypass is also available on WiFi SSIDs, regardless of authentication type. It is configurable only in the CLI. You need to enable the radius-mac-auth feature and specify the RADIUS server that will be used. For example:
config wireless-controller vap edit “office-ssid” set security wpa2-only-enterprise set auth usergroup set usergroup “staff” set radius-mac-auth enable set radius-mac-auth-server “ourRadius”
end
end
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!