
Administration Guide


MAC authentication bypass (MAB)

Devices such as network printers, cameras, and sensors might not support 802.1X authentication. If you enable the MAB option on the port, the system will use the device MAC address as the user name and password for authentication.

MAB retries authentication three times before the device is assigned to a guest VLAN for unauthorized users. By default, reauthentication is disabled. Use the following commands if you want to change the default behavior:

    config switch global
        config port-security
            set mab-reauth enable
        end
    end

You must provision the RADIUS server to authenticate the devices that use MAB, either by adding the MAC addresses as regular users or by implementing additional logic to resolve the MAC addresses in a network inventory database.

The following flowchart shows FortiSwitch 802.1X port-based authentication with MAB enabled and the authentication priority set to legacy (set auth-priority legacy):

The following flowchart shows FortiSwitch 802.1X MAC-based authentication with MAB enabled and the authentication priority set to legacy (set auth-priority legacy):

You use the CLI to change the priority of MAB authentication and EAP 802.1X authentication.

NOTE: MAB authentication must be enabled before you can change the priority of MAB authentication and EAP 802.1X authentication.

  • Before FortiSwitchOS 7.2.1, the switch tried EAP 802.1X authentication and MAB authentication in the order that they were received, with EAP 802.1X authentication having absolute priority. If authentication failed, users were assigned to the auth-fail-vlanid VLAN if it had been configured. There was no time delay. Starting in FortiSwitchOS 7.2.1, use the set auth-priority legacy command to keep this priority. After an upgrade, auth-priority is set to legacy by default.

  • Starting in FortiSwitchOS 7.2.1, if you want the switch to try EAP 802.1X authentication first and then MAB authentication if EAP 802.1X fails, use the set auth-priority dot1x-MAB command. If MAB authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.

  • Starting in FortiSwitchOS 7.2.1, if you want the switch to try MAB authentication first and then EAP 802.1X authentication if MAB authentication fails, use the set auth-priority MAB-dot1x command. If EAP 802.1X authentication also fails, users are assigned to the auth-fail-vlanid VLAN if it is configured.

  • Starting in FortiSwitchOS 7.2.1, a set auth-order command has been added for future use. It currently has no effect on authentication.

In the following flowchart, the authentication priority is dot1x-MAB. If both EAP 802.1X authentication and MAB authentication fail, the user is assigned to the auth-fail-vlanid VLAN. If an EAPoL-Start packet is received after MAB authentication, the switch changes to EAP 802.1X authentication.

In the following flowchart, the authentication priority is MAB-dot1x. If MAB authentication fails, the switch attempts EAP 802.1X authentication. If an EAPoL-Start packet is received after MAB authentication, the switch attempts EAP 802.1X authentication without any time delay or processing impact.
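The two FortiSwitchOS 7.2.1 priorities described above (dot1x-MAB and MAB-dot1x), the three MAB attempts, the auth-fail-vlanid fallback and the EAPoL-Start hand-off to EAP 802.1X are modelled below as a small decision simulator. This is an added example, not Fortinet code; the dot1x_ok and mab_ok flags stand in for the RADIUS verdicts, and the assumption that the 802.1X verdict decides the port state once an EAPoL-Start triggers the switch-over is the model's own, not stated on the page.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MAB_MAX_ATTEMPTS = 3  # MAB retries authentication three times before giving up


@dataclass
class PortAuthModel:
    """Port-level model; dot1x_ok / mab_ok stand in for the RADIUS verdicts."""
    priority: str                      # "dot1x-MAB" or "MAB-dot1x"
    auth_fail_vlanid: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def _try_dot1x(self, ok: bool) -> bool:
        self.log.append(f"EAP 802.1X -> {'success' if ok else 'fail'}")
        return ok

    def _try_mab(self, ok: bool) -> bool:
        # MAB sends the MAC address as user name and password; up to 3 attempts
        for attempt in range(1, MAB_MAX_ATTEMPTS + 1):
            self.log.append(f"MAB attempt {attempt} -> {'success' if ok else 'fail'}")
            if ok:
                return True
        return False

    def _fail(self) -> str:
        # The port only lands in auth-fail-vlanid when that VLAN is configured
        return (f"auth-fail-vlan {self.auth_fail_vlanid}"
                if self.auth_fail_vlanid is not None else "unauthorized")

    def authenticate(self, dot1x_ok: bool, mab_ok: bool,
                     eapol_start_after_mab: bool = False) -> str:
        if self.priority == "dot1x-MAB":
            if self._try_dot1x(dot1x_ok):
                return "authenticated (802.1X)"
            after_mab = "authenticated (MAB)" if self._try_mab(mab_ok) else self._fail()
        elif self.priority == "MAB-dot1x":
            if not self._try_mab(mab_ok):
                return "authenticated (802.1X)" if self._try_dot1x(dot1x_ok) else self._fail()
            after_mab = "authenticated (MAB)"
        else:
            raise ValueError("model covers dot1x-MAB and MAB-dot1x only")
        if eapol_start_after_mab:
            # An EAPoL-Start after the MAB phase moves the port to EAP 802.1X;
            # the 802.1X verdict then decides (assumption of this model)
            self.log.append("EAPoL-Start received after MAB")
            return "authenticated (802.1X)" if self._try_dot1x(dot1x_ok) else self._fail()
        return after_mab
```

The log list records the attempt sequence, which is the part a practitioner compares against the switch's own authentication logs when a device lands in the wrong VLAN.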
