Authentication binds to MAC address
In previous FortiOS versions, firewall authentication was source IP based, thus there was no action in response to a MAC address change. This was a security flaw that allowed an unauthenticated user to access restricted resources, especially in a WiFi environment where the IP and MAC binding changed frequently.
MAC addresses can now be bound with the user identity so that the MAC address is matched while matching an auth logon.