CP Bypass for MAC Authenticated Clients
Wired and wireless clients that are successfully authenticated by their MAC address (MAC Filtering) are considered as captive portal authenticated clients. Both RADIUS-based MAC filtering and local MAC filtering is supported for CP bypass. However, to intentionally block a client, add its MAC address only to the local ACL deny list.
To bypass CP authentication, do the following in a security profile:
- Enable Captive Portal and MAC Filtering in the same security profile. 2. Enable the “Captive Portal Bypass For MAC Authentication”
- Use this security profile for the ESSID.
NOTES
- Captive Portal must be enabled.
- If MAC-filtering authentication fails then the client is redirected for Web Authentication
CP Bypass for MAC Authenticated Clients
Configuring using CLI
Use the captive‐portal‐bypass‐mac command to enable or disable this functionality.
The following station logs provide information on client status:
Wireless Station: MAC-filtering Success and CP is bypassed:
2016‐May‐ 1 04:24:53.030415 | 00:73:8d:b9:e6:bf | Mac Filtering | Mac in permit list ‐ accept client
2016‐May‐ 1 04:24:53.030895 | 00:73:8d:b9:e6:bf | Mac Filtering | Mac‐Filtering is Success and Captive Portal is Bypassed for Wireless Client <00:73:8d:b9:e6:bf>
CP Bypass for MAC Authenticated Clients
Wired Station: MAC-filtering Success and CP is bypassed:
2016‐May‐ 1 04:38:06.888828 | f0:1f:af:33:cd:4e | Mac Filtering | Mac in permit list ‐ accept client
2016‐May‐ 1 04:38:06.890213 | f0:1f:af:33:cd:4e | Mac Filtering | Mac‐Filtering is Success and Captive Portal is Bypassed for Wired Client <f0:1f:af:33:cd:4e>
The following flowchart illustrates the flow of CP bypass for MAC authenticated clients.