
FortiWiFi and FortiAP Configuration Guide


MAC Authentication for LAN port hosts

Note

The following models and versions support the MAC authentication on LAN port:

  • FAP-U 6.2.0 and later, managed by a FortiGate (FGT) running FOS 6.4.3 or later; in this combination RADIUS accounting and dynamic VLAN assignment are not supported.

  • FAP 7.0.0 and later, FAP-W2 7.0.0 and later, and FAP-C 5.4.3, managed by a FortiGate (FGT) running FOS 7.0.0 or later; in this combination RADIUS accounting and dynamic VLAN assignment are supported.

There are two methods for authenticating hosts connected to a LAN port:

  • RADIUS-based MAC authentication; and
  • address group based MAC authentication, using a MAC address group defined on the FortiGate.
To configure RADIUS-based MAC authentication:
  1. On a RADIUS server, add one user entry per host that connects through the LAN port, with both the username and the password set to that host's MAC address (see MAC-based authentication).

    The MAC-address user entries can carry additional RADIUS attributes for dynamic VLAN ID assignment (see Configuring dynamic user VLAN assignment). Because the only credential is the MAC address itself, this method identifies a device rather than strongly authenticating it; combine it with other access controls where that distinction matters.

  2. Prepare a VAP with the "radius-mac-auth" feature enabled, then set the LAN port's MAC authentication method (port-macauth) to radius.

    config wireless-controller vap

    edit "port-mac"

    set ssid "lan-bridge-port-mac"

    set security open

    set radius-mac-auth enable

    set radius-mac-auth-server "peap"

    set schedule "always"

    set port-macauth radius

    set port-macauth-timeout 300

    set port-macauth-reauth-timeout 180

    set dynamic-vlan enable

    next

    end

  3. Assign the VAP to a LAN port in "bridge-to-ssid" mode in an AP profile.

    Note: LAN port authentication takes effect only if the same VAP is also assigned to a radio in the same AP profile.

    config wireless-controller wtp-profile

    edit "AP profile"

    config platform

    set type 23JF

    end

    config lan

    set port1-mode bridge-to-ssid

    set port1-ssid "port-mac"

    end

    config radio-1

    set band 802.11ax,n,g-only

    set vap-all manual

    set vaps "port-mac"

    end

    ... ...

    ... ...

    next

    end

To configure address group based MAC authentication:
  1. On the FortiGate WiFi controller, create a MAC address entry for each host, each with an allow or deny policy, and add the entries to an address group (see Adding a MAC filter).

    config wireless-controller address

    edit "001"

    set mac 01:02:03:0a:0b:0c

    set policy allow

    next

    edit "002"

    set mac 01:02:03:0a:0b:0d

    set policy deny

    next

    end

    config wireless-controller addrgrp

    edit "mac-group"

    set default-policy deny

    set addresses "001" "002"

    next

    end

  2. In a VAP, first select the address group for the "MAC filter" feature (address-group), then set the LAN port's MAC authentication method (port-macauth) to address-group.

    config wireless-controller vap

    edit "port-mac"

    set ssid "lan-bridge-port-mac"

    set security open

    set address-group "mac-group"

    set port-macauth address-group

    next

    end

  3. Assign the VAP to a LAN port in "bridge-to-ssid" mode in an AP profile.

    Note: LAN port authentication takes effect only if the same VAP is also assigned to a radio in the same AP profile.

    config wireless-controller wtp-profile

    edit "AP profile"

    config platform

    set type 23JF

    end

    config lan

    set port1-mode bridge-to-ssid

    set port1-ssid "port-mac"

    end

    config radio-1

    set band 802.11ax,n,g-only

    set vap-all manual

    set vaps "port-mac"

    end

    ... ...

    ... ...

    next

    end

MAC Authentication for LAN port hosts

Note

The following models and versions support the MAC authentication on LAN port:

  • FAP-U 6.2.0 and later, managed by a FortiGate (FGT) running FOS 6.4.3 or later; in this combination RADIUS accounting and dynamic VLAN assignment are not supported.

  • FAP 7.0.0 and later, FAP-W2 7.0.0 and later, and FAP-C 5.4.3, managed by a FortiGate (FGT) running FOS 7.0.0 or later; in this combination RADIUS accounting and dynamic VLAN assignment are supported.

There are two methods for authenticating hosts connected to a LAN port:

  • RADIUS-based MAC authentication; and
  • address group based MAC authentication, using a MAC address group defined on the FortiGate.
To configure RADIUS-based MAC authentication:
  1. On a RADIUS server, add one user entry per host that connects through the LAN port, with both the username and the password set to that host's MAC address (see MAC-based authentication).

    The MAC-address user entries can carry additional RADIUS attributes for dynamic VLAN ID assignment (see Configuring dynamic user VLAN assignment). Because the only credential is the MAC address itself, this method identifies a device rather than strongly authenticating it; combine it with other access controls where that distinction matters.

  2. Prepare a VAP with the "radius-mac-auth" feature enabled, then set the LAN port's MAC authentication method (port-macauth) to radius.

    config wireless-controller vap

    edit "port-mac"

    set ssid "lan-bridge-port-mac"

    set security open

    set radius-mac-auth enable

    set radius-mac-auth-server "peap"

    set schedule "always"

    set port-macauth radius

    set port-macauth-timeout 300

    set port-macauth-reauth-timeout 180

    set dynamic-vlan enable

    next

    end

  3. Assign the VAP to a LAN port in "bridge-to-ssid" mode in an AP profile.

    Note: LAN port authentication takes effect only if the same VAP is also assigned to a radio in the same AP profile.

    config wireless-controller wtp-profile

    edit "AP profile"

    config platform

    set type 23JF

    end

    config lan

    set port1-mode bridge-to-ssid

    set port1-ssid "port-mac"

    end

    config radio-1

    set band 802.11ax,n,g-only

    set vap-all manual

    set vaps "port-mac"

    end

    ... ...

    ... ...

    next

    end

To configure address group based MAC authentication:
  1. On the FortiGate WiFi controller, create a MAC address entry for each host, each with an allow or deny policy, and add the entries to an address group (see Adding a MAC filter).

    config wireless-controller address

    edit "001"

    set mac 01:02:03:0a:0b:0c

    set policy allow

    next

    edit "002"

    set mac 01:02:03:0a:0b:0d

    set policy deny

    next

    end

    config wireless-controller addrgrp

    edit "mac-group"

    set default-policy deny

    set addresses "001" "002"

    next

    end

  2. In a VAP, first select the address group for the "MAC filter" feature (address-group), then set the LAN port's MAC authentication method (port-macauth) to address-group.

    config wireless-controller vap

    edit "port-mac"

    set ssid "lan-bridge-port-mac"

    set security open

    set address-group "mac-group"

    set port-macauth address-group

    next

    end

  3. Assign the VAP to a LAN port in "bridge-to-ssid" mode in an AP profile.

    Note: LAN port authentication takes effect only if the same VAP is also assigned to a radio in the same AP profile.

    config wireless-controller wtp-profile

    edit "AP profile"

    config platform

    set type 23JF

    end

    config lan

    set port1-mode bridge-to-ssid

    set port1-ssid "port-mac"

    end

    config radio-1

    set band 802.11ax,n,g-only

    set vap-all manual

    set vaps "port-mac"

    end

    ... ...

    ... ...

    next

    end