MAC Authentication for LAN port hosts
The following models and versions support the MAC authentication on LAN port:
There are two methods for authenticating hosts connected to a LAN port:
- RADIUS-based MAC authentication; and
- MAC address group based authentication on the FortiGate.
Both methods identify a host solely by its source MAC address, which a host can easily spoof, so treat them as device admission control rather than strong authentication.
To configure RADIUS-based MAC authentication:
- On a RADIUS server, add user entries whose username and password are both the MAC address of a host connecting through the LAN port (see MAC-based authentication). The MAC-address user entries can carry additional RADIUS attributes for dynamic VLAN ID assignment (see Configuring dynamic user VLAN assignment).
- Prepare a VAP with the radius-mac-auth feature enabled, and then set the MAC authentication of the LAN port (port-macauth) to the RADIUS method:
config wireless-controller vap
edit "port-mac"
set ssid "lan-bridge-port-mac"
set security open
set radius-mac-auth enable
set radius-mac-auth-server "peap"
set schedule "always"
set port-macauth radius
set port-macauth-timeout 300
set port-macauth-reauth-timeout 180
set dynamic-vlan enable
next
end
- Assign the VAP to a LAN port in bridge-to-ssid mode in an AP profile.
Note: For the LAN port authentication to take effect, the same VAP must also be assigned to a radio of the AP at the same time. Because the VAP is then also served over the radio with open security, wireless clients joining that SSID are subject to the same MAC authentication.
config wireless-controller wtp-profile
edit "AP profile"
config platform
set type 23JF
end
config lan
set port1-mode bridge-to-ssid
set port1-ssid "port-mac"
end
config radio-1
set band 802.11ax,n,g-only
set vap-all manual
set vaps "port-mac"
end
... ...
... ...
next
end
To configure address-group-based MAC authentication:
- On the FortiGate WiFi controller, add an address group containing MAC addresses, each with an allow or deny policy (see Adding a MAC filter). The group's default-policy applies to MAC addresses not listed in it; set it to deny so that only explicitly allowed hosts are bridged.
config wireless-controller address
edit "001"
set mac 01:02:03:0a:0b:0c
set policy allow
next
edit "002"
set mac 01:02:03:0a:0b:0d
set policy deny
next
end
config wireless-controller addrgrp
edit "mac-group"
set default-policy deny
set addresses "001" "002"
next
end
- In a VAP, first select the address group for the MAC filter feature (address-group), and then set the MAC authentication of the LAN port (port-macauth) to address-group:
config wireless-controller vap
edit "port-mac"
set ssid "lan-bridge-port-mac"
set security open
set address-group "mac-group"
set port-macauth address-group
next
end
- Assign the VAP to a LAN port in bridge-to-ssid mode in an AP profile.
Note: For the LAN port authentication to take effect, the same VAP must also be assigned to a radio of the AP at the same time. Because the VAP is then also served over the radio with open security, wireless clients joining that SSID are subject to the same MAC authentication.
config wireless-controller wtp-profile
edit "AP profile"
config platform
set type 23JF
end
config lan
set port1-mode bridge-to-ssid
set port1-ssid "port-mac"
end
config radio-1
set band 802.11ax,n,g-only
set vap-all manual
set vaps "port-mac"
end
... ...
... ...
next
end
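The following worked example is added here and is not part of the FortiOS documentation or of Fortinet's code. It takes one list of host MAC addresses and produces the entries both procedures above need: FreeRADIUS users-file entries whose username and password are the MAC address, with the RFC 3580 tunnel attributes for dynamic VLAN assignment when a VLAN is given (the RADIUS method), and the wireless-controller address and addrgrp CLI with a deny default policy (the address-group method). Assumptions: the RADIUS username layout defaults to hyphen-delimited uppercase, which you must match to the VAP's mac-username-delimiter and mac-case settings (the mapping from option name to layout is assumed, not taken from the page); the server side uses FreeRADIUS users-file syntax; all MAC addresses and VLAN IDs are constructed sample data. The normalizer also rejects group (multicast/broadcast) addresses, since a host never sends from one and such an entry could never match.

```python
"""Build host entries for both LAN-port MAC authentication methods.

Added example, not part of the FortiOS documentation: from one list of host
MAC addresses, emit (a) FreeRADIUS ``users`` entries whose username and
password are the MAC address, with the dynamic-VLAN reply attributes when a
VLAN is given, and (b) the FortiOS CLI for the address objects and address
group used by the address-group method. All MACs and VLAN IDs below are
constructed sample data.
"""
import re

# Layout per VAP option value (mac-username-delimiter / mac-password-delimiter).
# The option-name-to-layout mapping is an assumption; verify it on your FortiOS.
_LAYOUTS = {
    "colon": lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),
    "hyphen": lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),
    "single-hyphen": lambda h: h[:6] + "-" + h[6:],
    "none": lambda h: h,
}


def normalize_mac(mac):
    """Return the 12 lowercase hex digits of a MAC written in any common notation.

    Rejects malformed input and group (multicast/broadcast) addresses: a host
    never sends from a group address, so such an entry can never match and
    would only hide a typo in the list.
    """
    if not re.fullmatch(r"[0-9A-Fa-f:.\- ]+", mac):
        raise ValueError("malformed MAC address: %r" % mac)
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("MAC address must have 12 hex digits: %r" % mac)
    if int(digits[:2], 16) & 0x01:
        raise ValueError("group (multicast/broadcast) address is not a host MAC: %r" % mac)
    return digits.lower()


def format_mac(digits, delimiter="hyphen", case="uppercase"):
    """Render normalized digits the way the VAP puts them in the RADIUS request.

    The defaults (hyphen, uppercase) are assumed; set them to match the VAP's
    mac-username-delimiter and mac-case, or the server will never find the user.
    """
    if delimiter not in _LAYOUTS:
        raise ValueError("unknown delimiter style: %r" % delimiter)
    text = _LAYOUTS[delimiter](digits)
    return text.upper() if case == "uppercase" else text.lower()


def radius_users_entries(hosts, delimiter="hyphen", case="uppercase"):
    """FreeRADIUS ``users`` file entries for RADIUS-based MAC authentication.

    ``hosts`` maps MAC -> VLAN ID (or None). With a VLAN, the RFC 3580 tunnel
    attributes that dynamic VLAN assignment reads are added as reply items.
    """
    lines = []
    for mac, vlan in hosts.items():
        name = format_mac(normalize_mac(mac), delimiter, case)
        lines.append('%s Cleartext-Password := "%s"' % (name, name))
        if vlan is not None:
            if not 1 <= int(vlan) <= 4094:
                raise ValueError("VLAN ID out of range for %s: %r" % (name, vlan))
            lines += ["\tTunnel-Type = VLAN,",
                      "\tTunnel-Medium-Type = IEEE-802,",
                      '\tTunnel-Private-Group-Id = "%d"' % int(vlan)]
        lines.append("")  # a blank line terminates a users-file entry
    return "\n".join(lines)


def fortios_address_group(allow, deny=(), group="mac-group"):
    """FortiOS CLI for address-group-based MAC authentication.

    One wireless-controller address object per MAC, gathered in an address
    group whose default-policy is deny, so unlisted hosts are not bridged.
    """
    allow = list(dict.fromkeys(normalize_mac(m) for m in allow))
    deny = list(dict.fromkeys(normalize_mac(m) for m in deny))
    clash = set(allow) & set(deny)
    if clash:
        raise ValueError("MAC listed as both allow and deny: %s" % sorted(clash))
    entries = [(m, "allow") for m in allow] + [(m, "deny") for m in deny]
    if not entries:
        raise ValueError("no MAC addresses given")
    names, lines = [], ["config wireless-controller address"]
    for n, (digits, policy) in enumerate(entries, 1):
        names.append("%03d" % n)
        lines += ['    edit "%s"' % names[-1],
                  "        set mac %s" % format_mac(digits, "colon", "lowercase"),
                  "        set policy %s" % policy,
                  "    next"]
    lines += ["end", "config wireless-controller addrgrp", '    edit "%s"' % group,
              "        set default-policy deny",
              "        set addresses %s" % " ".join('"%s"' % n for n in names),
              "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample hosts: a printer on VLAN 100 and a sensor with no VLAN.
    hosts = {"00:11:22:aa:bb:cc": 100, "00-11-22-AA-BB-CD": None}
    print(radius_users_entries(hosts))
    print(fortios_address_group(allow=list(hosts), deny=["00:11:22:aa:bb:ce"]))
```

Paste the first output into the FreeRADIUS users file (or load it into whatever store the server reads) and the second into the FortiGate CLI before setting port-macauth on the VAP; if the RADIUS server logs unknown-user rejects for requests whose username looks like a MAC, the delimiter or case arguments do not match the VAP.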