MAC authentication bypass (MAB)
Devices such as network printers, cameras, and sensors might not support 802.1x authentication. If you enable the MAB option on the port, the system will use the device MAC address as the user name and password for authentication.
MAB retries authentication three times before the device is assigned to a guest VLAN for unauthorized users. By default, reauthentication is disabled. Use the following commands if you want to change the default behavior:
config switch global
set mab-reauth enable
You must provision the RADIUS server to authenticate the devices that use MAB, either by adding the MAC addresses as regular users or by implementing additional logic to resolve the MAC addresses in a network inventory database.
The following flowchart shows the FortiSwitch 802.1x port-based authentication with MAB enabled:
The following flowchart shows the FortiSwitch 802.1x MAC-based authentication with MAB enabled: