Configuring MAC filter on SSID
Follow these instructions to enable MAC filter on SSID. Consider the following when using this function:
- The MAC filter function is independent of the SSID security mode.
- To enable MAC filter on SSID, first configure the wireless controller address and address group. See instructions below.
Sample topology
To block a specific client from connecting to the SSID using MAC filter:
- Create a wireless controller address with the client MAC address and set the policy to deny. In this example, the client MAC address is b4:ae:2b:cb:d1:72.
config wireless-controller address
edit "client_1"
set mac b4:ae:2b:cb:d1:72
set policy deny
next
end
- Create a wireless controller address group using the above address and set the default policy to allow.
config wireless-controller addrgrp
edit mac_grp
set addresses "client_1"
set default-policy allow
next
end
- On the virtual access point (VAP), select the above address group.
config wireless-controller vap
edit wifi-vap
set ssid "Fortinet-psk"
set security wpa2-only-personal
set passphrase fortinet
set address-group "mac_grp"
next
end
After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) is denied connecting to SSID
Fortinet-psk
. Other clients can connect, such as a client with MAC address e0:33:8e:e9:65:01.
To allow a specific client to connect to the SSID using MAC filter:
- Create a wireless controller address with the same MAC address as the client and set the policy to allow. In this example, the client's MAC address is b4:ae:2b:cb:d1:72.
config wireless-controller address
edit "client_1"
set mac b4:ae:2b:cb:d1:72
set policy allow
next
end
- Create a wireless controller address group using the above address and set the default policy to deny.
config wireless-controller addrgrp
edit mac_grp
set addresses "client_1"
set default-policy deny
next
end
- On the virtual access point, select the above address group.
config wireless-controller vap
edit wifi-vap
set ssid "Fortinet-psk"
set security wpa2-only-personal
set passphrase fortinet
set address-group "mac_grp"
next
end
After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) can connect to SSID
Fortinet-psk
. Other clients are denied from connecting, such as a client with MAC address e0:33:8e:e9:65:01.