MAC authentication bypass with dynamic VLAN assignment


In this recipe, you will configure MAC authentication bypass in a wired network with dynamic VLAN assignment.

The purpose of this recipe is to configure and demonstrate MAC address bypass with FortiAuthenticator, using a 3rd-party switch (EX2200) to confirm cross-vendor interoperability. The recipe also demonstrates dynamic VLAN allocation without a supplicant.

1. Configuring MAC Authentication Bypass on the FortiAuthenticator

Go to Authentication > User Management > MAC Devices and create a new MAC-based device.

2. Configuring the user group

Go to Authentication > User Management > User Groups and create a new user group.

No members are required; MAC-based authentication devices are automatically linked with this group.

Click OK.

Edit the group you just created and add RADIUS Attributes as shown.

3. Configuring the RADIUS client

Go to Authentication > RADIUS Service > Clients and create a new RADIUS client. Configure the Switch IP and Shared Secret.

Use the Local realm.

Allow MAC-based authentication and link the group created in Step 2.

4. Configuring the 3rd-party switch

The switch configuration provided below is intended for demonstration only. Your switch configuration is likely to differ significantly.

set system services dhcp pool address-range low
set system services dhcp pool address-range high
set system services dhcp pool domain-name
set system services dhcp pool name-server
set system services dhcp pool router
set system services dhcp pool server-identifier
set interfaces ge-0/0/0 unit 0 family ethernet-switching #no vlan assigned to printer port, this will be allocated based on Group attributes
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members engineering #interface used to communicate with FortiAuthenticator
set interfaces vlan unit 10 family inet address
set protocols dot1x authenticator authentication-profile-name profile1
set protocols dot1x authenticator interface ge-0/0/0.0 mac-radius restrict #forces mac address as username over RADIUS
set access radius-server secret "$9$kmfzIRSlvLhSLNVYZGk.Pf39"
set access profile profile1 authentication-order radius
set access profile profile1 radius authentication-server
set vlans engineering vlan-id 10
set vlans engineering l3-interface vlan.10

No configuration is required on the endpoint.

5. Results

Connect the wired device (in this case, the printer).

Using tcpdump, FortiAuthenticator shows receipt of an Incoming Authentication Request (tcpdump host -nnvvXs):

tcpdump: listening on port1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:36:19.110399 IP (tos 0x0, ttl 64, id 18417, offset 0, flags [none], proto UDP (17), length 185) > [udp sum ok] RADIUS, length: 157
    Access-Request (1), id: 0x08, Authenticator: b77fe0657747891fc8d53ae0ad2b0e7a
      User-Name Attribute (1), length: 14, Value: 0022681af1a0 #Switch forces username to be endpoint MAC address, no configuration needed on endpoint
        0x0000:  3030 3232 3638 3161 6631 6130
      NAS-Port Attribute (5), length: 6, Value: 70
        0x0000:  0000 0046
      EAP-Message Attribute (79), length: 19, Value: .
        0x0000:  0200 0011 0130 3032 3236 3831 6166 3161
        0x0010:  30
      Message-Authenticator Attribute (80), length: 18, Value: .y{.j.%..9|es.'x 
        0x0000: a679 7b82 6344 2593 f639 7c65 73eb 2778 
      Acct-Session-Id Attribute (44), length: 24, value: 802.1x81fa002500078442 
        0x0000: 384f 322e 3178 3831 6661 3030 3235 3030 
        0x0010: 3037 3834 3432
      NAS-Port-rd Attribute (87), length: 12, Value: ge-0/0/0.0 
        0x0000: 6765 2430 2f30 2f30 2e30 
      Calling-Station-Id Attribute (31), length: 19, value: 00-22-68-1a-fl-a0 
        0x0000: 3030 2032 3220 3638 2031 6120 6631 2461 
        0x0010: 30 
      Called-Station-Id Attribute (30), length: 19, Value: a8-40-e5-b0-21-80 
        0x0000: 6138 2464 3024 6535 2d62 302d 3231 2d38 
        0x0010: 30 
      NAS-Port-Type Attribute (61), length: 6, value: Ethernet 
        0x0000: 0000 000f 

Go to Logging > Log Access > Logs to verify the device authentication.

The Debug Log (at https://<fac-ip>/debug/radius) should also confirm successful authentication.

Continuing with tcpdump, authentication is accepted from FortiAuthenticator and authorization attributes returned to the switch:

17:36:19.115264 IP (tos Ox0, ttl 64, id 49111, offset 0, flags [none], proto UDP (17), length 73) > (bad udp cksum 0x1880 -> 0x5ccel] RADIUS, length: 45 
    Access-Accept (2), id: 0x08, Authenticator: b5c7b1bb5a316fb483a622eaae58ccc2 
      Tunnel-Type Attribute (64), length: 6, Value: Tag[Unused] #13 
        0x0000: 0000 000d 
      Tunnel-Medium-Type Attribute (65), length: 6, Value: Tag[Unused] 802 
        0x0000: 0000 0006 
      Tunnel-Private-Group-ID Attribute (81), length: 13, Value: engineering
        0x0000: 656e 6769 6e65 6572 696e 67
    0x0000: 4500 0049 bfd7 0000 4011 a293 0a01 021d E..I....@ .......
    0x0010: 0a01 021b 0714 ead2 0035 1880 0208 002d 5 
    0x0020: b5c7 blbb 5a31 6fb4 83a6 22ea ae58 ccc2 ....21o..."..X.. 
    0x0030: 4006 0000 0000 4106 0000 0006 510d 656e @ A Q en 
    0x0040: 6769 6e65 6572 696e 67                  gineering 

Post-authentication DHCP transaction is picked up by FortiAuthenticator (tcpdump continued):

17:36:22.955537 IP (tos Ox0, ttl 1, id 18546, offset 0, flags [none], proto UDP (17), length 328) > judo sum ok] BOOTP/DHCP, Reply, length 300, xid Ox9fc8f40c, Flags (Broadcast] (0x8000)
    Client-Ethernet-Address 00:22:68:1a:fl:a0
    Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
  DHCP-Message Option 53, length 1: ACK
  Server-ID Option 54, length 4:
  Lease-Time Option 51, length 4: 86400
  Subnet-Mask Option 1, length 4:
  Default-Gateway Option 3, length 4:
  Domain-Name-Server Option 6, length 4:
  Domain-Name Option 15, length 11: "" 

The Switch CLI shows a successful dot1x session:

root# run show dotlx interface ge-0/0/0.0
802.1X Information:
Interface    Role             State            MAC address          User
ge-0/0/0.0   Authenticator    Authenticated    00:22:68:1A:F1:A0    0022681af1a0

The MAC address interface has been dynamically placed into correct VLAN:

root# run show vlans engineering
Name          Tag           Interfaces
engineering   10
                            ge-0/0/0.0*, ge-0/0/11.0*

And the printer shows as available on the network:

root# run show arp interface vlan.10 
MAC Address         Address       Name          Interface   Flags 
00:0c:29:5b:90:68     vlan.10     none 
6c:70:9f:d6:ae:al    vlan.10     none 
b8:53:ac:4a:d5:f5    vlan.10     none
00:22:68:1a:fl:a0    vlan.10     none
a4:c3:61:24:b9:07    vlan.10     none
Total entries: 5

root* run ping 
PING ( 56 data bytes 
64 bytes from icmp_seq=0 tt1=128 time=2.068 ms 
64 bytes from icmp_seq=1 tt1=128 time=2.236 ms 
64 bytes from icmp_seq=2 tt1=128 time=2.699 ms 
--- ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss 
round-trip min/avg/max/stddev = 2.068/2.334/2.699/0.267 ms


Alternatively, you can use the Import option to import from a CSV file.