FortiWLC – CP Bypass for MAC Authenticated Clients

CP Bypass for MAC Authenticated Clients

Wired and wireless clients that are successfully authenticated by their MAC address (MAC Filtering) are considered as captive portal authenticated clients. Both RADIUS-based MAC filtering and local MAC filtering is supported for CP bypass. However, to intentionally block a client, add its MAC address only to the local ACL deny list.

To bypass CP authentication, do the following in a security profile:

  1. Enable Captive Portal and MAC Filtering in the same security profile. 2. Enable the “Captive Portal Bypass For MAC Authentication”
  2. Use this security profile for the ESSID.

NOTES

  • Captive Portal must be enabled.
  • If MAC-filtering authentication fails then the client is redirected for Web Authentication

CP Bypass for MAC Authenticated Clients

Configuring using CLI

Use the captive‐portal‐bypass‐mac command to enable or disable this functionality.

The following station logs provide information on client status:

Wireless Station: MAC-filtering Success and CP is bypassed:

2016‐May‐ 1 04:24:53.030415 | 00:73:8d:b9:e6:bf | Mac Filtering | Mac in permit list ‐ accept client

2016‐May‐ 1 04:24:53.030895 | 00:73:8d:b9:e6:bf | Mac Filtering | Mac‐Filtering is Success and Captive Portal is Bypassed for Wireless Client <00:73:8d:b9:e6:bf>

CP Bypass for MAC Authenticated Clients

Wired Station: MAC-filtering Success and CP is bypassed:

2016‐May‐ 1 04:38:06.888828 | f0:1f:af:33:cd:4e | Mac Filtering | Mac in permit list ‐ accept client

2016‐May‐ 1 04:38:06.890213 | f0:1f:af:33:cd:4e | Mac Filtering | Mac‐Filtering is Success and Captive Portal is Bypassed for Wired Client <f0:1f:af:33:cd:4e>

The following flowchart illustrates the flow of CP bypass for MAC authenticated clients.

This entry was posted in Administration Guides, FortiWLC on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.