Managing “Bring Your Own Device”

Leave a reply

MAC Authentication Bypass (MAB)

MAC Authentication Bypass allows devices without 802.1X capability (printers and IP phones for example) to bypass authentication and be allowed network access based on their MAC address. This feature requires RADIUS-based 802.1X authentication in which the RADIUS server contains a database of authorized MAC addresses.

MAC Authentication Bypass is configurable only in the CLI and only on interfaces configured for 802.1X authentication. For example:

config system interface edit “lan” set ip 10.0.0.200 255.255.255.0 set vlanforward enable set security-mode 802.1X set security-mac-auth-bypass enable set security-groups “Radius-group”

end

end

MAC Authentication Bypass is also available on WiFi SSIDs, regardless of authentication type. It is configurable only in the CLI. You need to enable the radius-mac-auth feature and specify the RADIUS server that will be used. For example:

config wireless-controller vap edit “office-ssid” set security wpa2-only-enterprise set auth usergroup set usergroup “staff” set radius-mac-auth enable set radius-mac-auth-server “ourRadius”

end

end

Pages: 1 2 3 4 5
This entry was posted in Administration Guides, FortiGate on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.