Administration Guide

MAC authentication bypass (MAB)

Devices such as network printers, cameras, and sensors might not support 802.1x authentication. If you enable the MAB option on the port, the system will use the device MAC address as the user name and password for authentication.

MAB retries authentication three times before the device is assigned to a guest VLAN for unauthorized users. By default, reauthentication is disabled. Use the following commands if you want to change the default behavior:

    config switch global
        config port-security
            set mab-reauth enable
        end
    end

You must provision the RADIUS server to authenticate the devices that use MAB, either by adding the MAC addresses as regular users or by implementing additional logic to resolve the MAC addresses in a network inventory database.
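The second option, resolving the MAC address against an inventory, can look like the following on the RADIUS side. This is an added example, not Fortinet code: the inventory contents, the `authorize_mab` and `canonical_mac` names, and the set of accepted MAC delimiters are assumptions, since this page does not state the format the switch sends.

```python
import re

# Constructed sample inventory (hypothetical devices), keyed by canonical MAC.
INVENTORY = {
    "001122334455": {"name": "printer-lobby", "active": True},
    "0a1b2c3d4e5f": {"name": "camera-dock-2", "active": True},
    "66778899aabb": {"name": "sensor-retired", "active": False},
}

# One consistent delimiter (: or -), dotted quads, or bare hex. Assumed formats.
_MAC = re.compile(
    r"[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
    r"|[0-9a-f]{12}"
)


def canonical_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC address."""
    if not isinstance(value, str):
        return None
    text = value.strip().lower()
    if not _MAC.fullmatch(text):
        return None
    return re.sub(r"[:.\-]", "", text)


def authorize_mab(user_name, password, inventory=INVENTORY):
    """Decide a MAB request: (accepted, reason, device_record_or_None)."""
    mac = canonical_mac(user_name)
    if mac is None:
        return (False, "user name is not a MAC address", None)
    # With MAB the device MAC is sent as both user name and password.
    if canonical_mac(password) != mac:
        return (False, "password does not match user name", None)
    device = inventory.get(mac)
    if device is None:
        return (False, "MAC not in inventory", None)
    if not device["active"]:
        return (False, "device is not active", device)
    return (True, "ok", device)
```

A rejected request is what leads, after the three retries described above, to the device being placed in the guest VLAN.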

The following flowchart shows the FortiSwitch 802.1x port-based authentication with MAB enabled:

The following flowchart shows the FortiSwitch 802.1x MAC-based authentication with MAB enabled:
