In this recipe, you will configure MAC authentication bypass (MAB) on a wired network with dynamic VLAN assignment.
The purpose of this recipe is to configure and demonstrate MAC authentication bypass with FortiAuthenticator, using a 3rd-party switch (a Juniper EX2200) to confirm cross-vendor interoperability. The recipe also demonstrates dynamic VLAN allocation for an endpoint that has no 802.1X supplicant. Keep in mind that the only credential in MAB is the endpoint's MAC address, which any host can spoof once it learns it, so MAB is appropriate for devices that cannot run a supplicant (printers, phones, sensors), not as a substitute for 802.1X on user workstations.
1. Configuring MAC Authentication Bypass on the FortiAuthenticator

Go to Authentication > User Management > MAC Devices and create a new MAC-based device, entering the MAC address of the endpoint (here the printer, 00:22:68:1a:f1:a0).
2. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group. No members are required; MAC-based authentication devices are automatically linked with this group. Click OK.

Edit the group you just created and add the RADIUS attributes that carry the VLAN assignment back to the switch: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID = the VLAN name, in this recipe engineering. These are the three attributes that appear in the Access-Accept in the Results section.
3. Configuring the RADIUS client

Go to Authentication > RADIUS Service > Clients and create a new RADIUS client. Configure the switch IP (10.1.2.27 in this recipe) and the shared secret. Use the Local realm. Allow MAC-based authentication and link the group created in Step 2.
4. Configuring the 3rd-party switch

The switch configuration provided below is intended for demonstration only; your switch configuration is likely to differ significantly. 10.1.2.29 is the FortiAuthenticator and 10.1.2.27 is the switch's own address on VLAN 10, which it also uses as the DHCP server identifier. The lines beginning with # are annotations, not Junos configuration.

set system services dhcp pool 10.1.2.0/24 address-range low 10.1.2.220
set system services dhcp pool 10.1.2.0/24 address-range high 10.1.2.230
set system services dhcp pool 10.1.2.0/24 domain-name fortiad.net
set system services dhcp pool 10.1.2.0/24 name-server 10.1.2.122
set system services dhcp pool 10.1.2.0/24 router 10.1.2.1
set system services dhcp pool 10.1.2.0/24 server-identifier 10.1.2.27
# no VLAN is assigned to the printer port; it is allocated from the group's RADIUS attributes
set interfaces ge-0/0/0 unit 0 family ethernet-switching
# interface used to communicate with FortiAuthenticator
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members engineering
set interfaces vlan unit 10 family inet address 10.1.2.27/24
set protocols dot1x authenticator authentication-profile-name profile1
# mac-radius restrict: only MAC-RADIUS is attempted on this port (no EAP toward the endpoint) and the MAC address is sent as the RADIUS username
set protocols dot1x authenticator interface ge-0/0/0.0 mac-radius restrict
set access radius-server 10.1.2.29 secret "$9$kmfzIRSlvLhSLNVYZGk.Pf39"
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server 10.1.2.29
set vlans engineering vlan-id 10
set vlans engineering l3-interface vlan.10

No configuration is required on the endpoint.
5. Results

Connect the wired device (in this case, the printer).
Using tcpdump on the FortiAuthenticator, the Access-Request from the switch looks like this (text after # is annotation, not tcpdump output):
listening on port1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:36:19.110399 IP (tos 0x0, ttl 64, id 18417, offset 0, flags [none], proto UDP (17), length 185)
    10.1.2.27.60114 > 10.1.2.29.1812: [udp sum ok] RADIUS, length: 157
      Access-Request (1), id: 0x08, Authenticator: b77fe0657747891fc8d53ae0ad2b0e7a
        User-Name Attribute (1), length: 14, Value: 0022681af1a0   # the switch sends the endpoint MAC as the username; nothing is configured on the endpoint
          0x0000:  3030 3232 3638 3161 6631 6130
        NAS-Port Attribute (5), length: 6, Value: 70
          0x0000:  0000 0046
        EAP-Message Attribute (79), length: 19, Value: .   # EAP Response/Identity carrying the same MAC string
          0x0000:  0200 0011 0130 3032 3236 3831 6166 3161
          0x0010:  30
        Message-Authenticator Attribute (80), length: 18, Value: .y{.cD%..9|es.'x
          0x0000:  a679 7b82 6344 2593 f639 7c65 73eb 2778
        Acct-Session-Id Attribute (44), length: 24, Value: 802.1x81fa002500078442
          0x0000:  3830 322e 3178 3831 6661 3030 3235 3030
          0x0010:  3037 3834 3432
        NAS-Port-Id Attribute (87), length: 12, Value: ge-0/0/0.0
          0x0000:  6765 2d30 2f30 2f30 2e30
        Calling-Station-Id Attribute (31), length: 19, Value: 00-22-68-1a-f1-a0
          0x0000:  3030 2d32 322d 3638 2d31 612d 6631 2d61
          0x0010:  30
        Called-Station-Id Attribute (30), length: 19, Value: a8-40-e5-b0-21-80
          0x0000:  6138 2d34 302d 6535 2d62 302d 3231 2d38
          0x0010:  30
        NAS-Port-Type Attribute (61), length: 6, Value: Ethernet
          0x0000:  0000 000f

Go to Logging > Log Access > Logs to verify the device authentication. The Debug Log (at

Continuing with the capture, FortiAuthenticator answers with an Access-Accept that carries the VLAN assignment in the RFC 3580 tunnel attributes: Tunnel-Type 13 (VLAN; this tcpdump build prints it as #13), Tunnel-Medium-Type 6 (IEEE-802) and Tunnel-Private-Group-ID set to the VLAN name. The "bad udp cksum" is the usual artifact of capturing an outbound packet on a NIC with transmit checksum offload, not a corrupt packet:
17:36:19.115264 IP (tos 0x0, ttl 64, id 49111, offset 0, flags [none], proto UDP (17), length 73)
    10.1.2.29.1812 > 10.1.2.27.60114: [bad udp cksum 0x1880 -> 0x5cce!] RADIUS, length: 45
      Access-Accept (2), id: 0x08, Authenticator: b5c7b1bb5a316fb483a622eaae58ccc2
        Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] #13
          0x0000:  0000 000d
        Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802
          0x0000:  0000 0006
        Tunnel-Private-Group-ID Attribute (81), length: 13, Value: engineering
          0x0000:  656e 6769 6e65 6572 696e 67
        0x0000:  4500 0049 bfd7 0000 4011 a293 0a01 021d  E..I....@.......
        0x0010:  0a01 021b 0714 ead2 0035 1880 0208 002d  ........5......-
        0x0020:  b5c7 b1bb 5a31 6fb4 83a6 22ea ae58 ccc2  ....Z1o..."..X..
        0x0030:  4006 0000 000d 4106 0000 0006 510d 656e  @.....A.....Q.en
        0x0040:  6769 6e65 6572 696e 67                   gineering
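The two packets above make up the whole MAB exchange, so it is worth seeing them as bytes. The following is an added example, not code from the Fortinet Cookbook, FortiAuthenticator or Junos: it builds an Access-Request shaped like the switch's (MAC as User-Name, EAP Response/Identity, Message-Authenticator computed per RFC 3579), decodes the Access-Accept bytes taken verbatim from the capture above (UDP payload, offsets 0x1c to 0x48), and checks the Response Authenticator on an Access-Accept it constructs itself. The shared secret, the random Request Authenticator and the RADIUS id in the constructed packets are assumptions; the captured Access-Accept is the page's own.

```python
# Added example (not from the Fortinet Cookbook page, FortiAuthenticator or Junos):
# MAB Access-Request construction and RFC 3580 VLAN extraction from an Access-Accept.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 5, 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, EAP_MESSAGE = 64, 65, 79
MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID, NAS_PORT_ID = 80, 81, 87
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802, NAS_PORT_TYPE_ETHERNET = 13, 6, 15  # RFC 3580 / RFC 2865

# UDP payload of the Access-Accept in the capture above (hex dump offsets 0x1c-0x48).
CAPTURED_ACCEPT = bytes.fromhex(
    "0208002d" "b5c7b1bb5a316fb483a622eaae58ccc2"
    "40060000000d" "410600000006" "510d656e67696e656572696e67"
)


def attr(t, value):
    """Encode one RADIUS attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", t, len(value) + 2) + value


def parse_attrs(packet):
    """Yield (type, value) pairs; reject truncated or overlapping attributes."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos = 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        yield t, packet[pos + 2:pos + l]
        pos += l


def build_mab_request(mac, nas_port, port_id, secret, ident=8):
    """Access-Request as the switch sends it: User-Name is the MAC (no supplicant involved),
    an EAP Response/Identity carries the same string, and Message-Authenticator is
    HMAC-MD5(secret, packet with the Message-Authenticator value zeroed)."""
    name = mac.replace(":", "").replace("-", "").lower().encode()
    eap_identity = struct.pack("!BBH", 2, 0, 5 + len(name)) + b"\x01" + name  # code 2, id 0, type 1
    dashed = "-".join(name.decode()[i:i + 2] for i in range(0, 12, 2)).encode()
    before = (attr(USER_NAME, name) + attr(NAS_PORT, struct.pack("!I", nas_port))
              + attr(EAP_MESSAGE, eap_identity))
    after = (attr(CALLING_STATION_ID, dashed) + attr(NAS_PORT_ID, port_id.encode())
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(before) + 18 + len(after))
    header += os.urandom(16)  # Request Authenticator (assumed random, as a real NAS would pick)
    zeroed = header + before + attr(MESSAGE_AUTHENTICATOR, bytes(16)) + after
    digest = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + before + attr(MESSAGE_AUTHENTICATOR, digest) + after


def check_message_authenticator(packet, secret):
    """True if the packet's Message-Authenticator validates under this shared secret."""
    pos = 20
    while pos + 1 < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            return False
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += l
    return False


def build_accept(request, secret, vlan_name):
    """Access-Accept carrying the RFC 3580 VLAN attributes. Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret) per RFC 2865."""
    attrs = (attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN))
             + attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_802))
             + attr(TUNNEL_PRIVATE_GROUP_ID, vlan_name.encode()))
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def check_response_authenticator(response, request, secret):
    """What a NAS must do before honouring an Access-Accept: same id, valid MD5 over the request's authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])


def vlan_from_accept(packet):
    """Return the VLAN name the NAS should apply, or None if the tunnel attributes do not
    describe an 802 VLAN. RFC 2868 tagging: integer values carry the tag in byte 0 unless
    that byte is > 0x1f; a string whose first byte is <= 0x1f carries a tag as well."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    found = {}
    for t, v in parse_attrs(packet):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            found[t] = int.from_bytes(v if v[0] > 0x1F else v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            found[t] = (v[1:] if v[0] <= 0x1F else v).decode()
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
        return None
    return found.get(TUNNEL_PRIVATE_GROUP_ID)


if __name__ == "__main__":
    print(vlan_from_accept(CAPTURED_ACCEPT))  # the captured accept assigns VLAN "engineering"
```

Running it against the captured bytes yields engineering, the same VLAN the switch output below shows on ge-0/0/0.0. Note that the captured Access-Accept carries only the three tunnel attributes and no Message-Authenticator, so the switch's only integrity check on it is the MD5 Response Authenticator computed from the shared secret; the shared secret is therefore the whole trust basis of the VLAN assignment and should be long and random.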

The post-authentication DHCP transaction, served from the switch's own pool once the port is in VLAN 10, is also picked up by the FortiAuthenticator capture:
17:36:22.955537 IP (tos 0x0, ttl 1, id 18546, offset 0, flags [none], proto UDP (17), length 328)
    10.1.2.27.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x9fc8f40c, Flags [Broadcast] (0x8000)
      Your-IP 10.1.2.224
      Client-Ethernet-Address 00:22:68:1a:f1:a0
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: ACK
        Server-ID Option 54, length 4: 10.1.2.27
        Lease-Time Option 51, length 4: 86400
        Subnet-Mask Option 1, length 4: 255.255.255.0
        Default-Gateway Option 3, length 4: 10.1.2.1
        Domain-Name-Server Option 6, length 4: 10.1.2.122
        Domain-Name Option 15, length 11: "fortiad.net"

The switch logs show a successful dot1x session, with the endpoint MAC address as the user:
root# run show dot1x interface ge-0/0/0.0
802.1X Information:
Interface     Role            State           MAC address          User
ge-0/0/0.0    Authenticator   Authenticated   00:22:68:1A:F1:A0    0022681af1a0

The printer's interface has been dynamically placed into the correct VLAN:
root# run show vlans engineering
Name           Tag     Interfaces
engineering    10
                       ge-0/0/0.0*, ge-0/0/11.0*

And the printer (10.1.2.224) shows as available on the network, alongside the FortiAuthenticator (10.1.2.29):
root# run show arp interface vlan.10
MAC Address         Address       Name          Interface   Flags
00:0c:29:5b:90:68   10.1.2.29     10.1.2.29     vlan.10     none
6c:70:9f:d6:ae:a1   10.1.2.220    10.1.2.220    vlan.10     none
b8:53:ac:4a:d5:f5   10.1.2.221    10.1.2.221    vlan.10     none
00:22:68:1a:f1:a0   10.1.2.224    10.1.2.224    vlan.10     none
a4:c3:61:24:b9:07   10.1.2.228    10.1.2.228    vlan.10     none
Total entries: 5

{master:0}[edit]
root# run ping 10.1.2.224
PING 10.1.2.224 (10.1.2.224): 56 data bytes
64 bytes from 10.1.2.224: icmp_seq=0 ttl=128 time=2.068 ms
64 bytes from 10.1.2.224: icmp_seq=1 ttl=128 time=2.236 ms
64 bytes from 10.1.2.224: icmp_seq=2 ttl=128 time=2.699 ms
--- 10.1.2.224 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.068/2.334/2.699/0.267 ms

The post MAC authentication bypass with dynamic VLAN assignment appeared first on Fortinet Cookbook.