Managing “Bring Your Own Device”

MAC Authentication Bypass (MAB)

MAC Authentication Bypass allows devices without 802.1X capability (printers and IP phones for example) to bypass authentication and be allowed network access based on their MAC address. This feature requires RADIUS-based 802.1X authentication in which the RADIUS server contains a database of authorized MAC addresses.

MAC Authentication Bypass is configurable only in the CLI and only on interfaces configured for 802.1X authentication. For example:

config system interface
    edit "lan"
        set ip
        set vlanforward enable
        set security-mode 802.1X
        set security-mac-auth-bypass enable
        set security-groups "Radius-group"
    next
end



MAC Authentication Bypass is also available on WiFi SSIDs, regardless of authentication type. It is configurable only in the CLI. You need to enable the radius-mac-auth feature and specify the RADIUS server that will be used. For example:

config wireless-controller vap
    edit "office-ssid"
        set security wpa2-only-enterprise
        set auth usergroup
        set usergroup "staff"
        set radius-mac-auth enable
        set radius-mac-auth-server "ourRadius"
    next
end
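To inventory where these settings are switched on, the following added example (not part of the original page and not Fortinet tooling) parses FortiOS-style configuration text and lists every interface and SSID that admits devices based on their MAC address. The sample configuration is constructed, and the names parse_config, find_mab and MAB_KEYS are assumptions made for this example.

```python
import shlex

# Constructed sample in the FortiOS CLI layout shown above (not from a real device).
SAMPLE = '''
config system interface
    edit "lan"
        set security-mac-auth-bypass enable
        set security-groups "Radius-group"
    next
    edit "dmz"
        set security-groups "Radius-group"
    next
end
config wireless-controller vap
    edit "office-ssid"
        set radius-mac-auth enable
        set radius-mac-auth-server "ourRadius"
    next
end
'''
# Per table: (setting that enables MAC-based access, setting that names the RADIUS side).
MAB_KEYS = {"system interface": ("security-mac-auth-bypass", "security-groups"),
            "wireless-controller vap": ("radius-mac-auth", "radius-mac-auth-server")}

def parse_config(text):
    """Return {table: {entry: {setting: [values]}}}; nested config blocks are skipped
    and typographic quotes (common in web copies of CLI examples) are straightened."""
    tables, table, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        word, *args = shlex.split(raw.replace("\u201c", '"').replace("\u201d", '"')) or [""]
        if word == "config":
            depth += 1
            if depth == 1:
                table = " ".join(args)
        elif word == "end":
            depth -= 1
            if depth == 0:
                table = entry = None
        elif depth == 1 and word == "edit" and args:
            entry = tables.setdefault(table, {}).setdefault(args[0], {})
        elif depth == 1 and word == "set" and entry is not None and args:
            entry[args[0]] = args[1:]
    return tables

def find_mab(text):
    """List (table, entry, RADIUS reference) wherever MAC-based access is enabled."""
    parsed = parse_config(text)
    return [(table, name, " ".join(s.get(ref, [])))
            for table, (key, ref) in MAB_KEYS.items()
            for name, s in parsed.get(table, {}).items() if s.get(key) == ["enable"]]
```

Calling find_mab(SAMPLE) returns one tuple for the "lan" interface and one for the "office-ssid" SSID; "dmz" is not listed because bypass is not enabled there.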


