Configuring MAC filter on SSID

6.2.0

Follow these instructions to enable MAC filter on SSID. Consider the following when using this function:

  • The MAC filter function is independent of the SSID security mode.
  • To enable MAC filter on SSID, first configure the wireless controller address and address group. See instructions below.

Sample topology

To block a specific client from connecting to the SSID using MAC filter:
  1. Create a wireless controller address with the client MAC address and set the policy to deny. In this example, the client MAC address is b4:ae:2b:cb:d1:72.

    config wireless-controller address
        edit "client_1"
            set mac b4:ae:2b:cb:d1:72
            set policy deny
        next
    end

  2. Create a wireless controller address group using the above address and set the default policy to allow.

    config wireless-controller addrgrp
        edit mac_grp
            set addresses "client_1"
            set default-policy allow
        next
    end

  3. On the virtual access point (VAP), select the above address group.

    config wireless-controller vap
        edit wifi-vap
            set ssid "Fortinet-psk"
            set security wpa2-only-personal
            set passphrase fortinet
            set address-group "mac_grp"
        next
    end

    After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) is denied from connecting to SSID Fortinet-psk. Other clients can connect, such as a client with MAC address e0:33:8e:e9:65:01.

To allow a specific client to connect to the SSID using MAC filter:
  1. Create a wireless controller address with the same MAC address as the client and set the policy to allow. In this example, the client's MAC address is b4:ae:2b:cb:d1:72.

    config wireless-controller address
        edit "client_1"
            set mac b4:ae:2b:cb:d1:72
            set policy allow
        next
    end

  2. Create a wireless controller address group using the above address and set the default policy to deny.

    config wireless-controller addrgrp
        edit mac_grp
            set addresses "client_1"
            set default-policy deny
        next
    end

  3. On the virtual access point, select the above address group.

    config wireless-controller vap
        edit wifi-vap
            set ssid "Fortinet-psk"
            set security wpa2-only-personal
            set passphrase fortinet
            set address-group "mac_grp"
        next
    end

    After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) can connect to SSID Fortinet-psk. Other clients are denied from connecting, such as a client with MAC address e0:33:8e:e9:65:01.
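The allow procedure above, generalized to several clients, as an added example that is not part of the Fortinet documentation: a Python helper that normalizes MAC addresses from an inventory, rejects malformed, group and duplicate entries, emits the address and address-group CLI, and models the resulting allow/deny decision. The function names, `client_2` and its MAC address are constructed for illustration, and the example assumes `set addresses` accepts several quoted names separated by spaces.

```python
import re

def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated hex, or raise ValueError."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    if int(digits[:2], 16) & 1:  # I/G bit set: multicast or broadcast
        raise ValueError(f"group address, not a client MAC: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_allowlist(clients, group="mac_grp"):
    """clients: {entry_name: mac}. Returns (cli_text, {normalized_mac: entry_name})."""
    seen = {}
    lines = ["config wireless-controller address"]
    for name, raw in clients.items():
        mac = normalize_mac(raw)
        if mac in seen:  # same client listed twice under different spellings
            raise ValueError(f"{name} duplicates {seen[mac]} ({mac})")
        seen[mac] = name
        lines += [f'    edit "{name}"', f"        set mac {mac}",
                  "        set policy allow", "    next"]
    # Assumption: several quoted entry names may follow "set addresses".
    names = " ".join(f'"{n}"' for n in seen.values())
    lines += ["end", "config wireless-controller addrgrp",
              f'    edit "{group}"', f"        set addresses {names}",
              "        set default-policy deny", "    next", "end"]
    return "\n".join(lines), seen

def decide(mac, policies, default_policy):
    """Model of the behaviour described on this page: a listed address gets
    its own policy, any other client gets the group's default policy."""
    return policies.get(normalize_mac(mac), default_policy)

# Constructed inventory: client_1 is the page's client in Windows notation,
# client_2 is a made-up client in dotted notation.
SAMPLE = {"client_1": "B4-AE-2B-CB-D1-72", "client_2": "0011.2233.4455"}

if __name__ == "__main__":
    cli, macs = build_allowlist(SAMPLE)
    print(cli)
    policies = {m: "allow" for m in macs}
    for probe in ("b4:ae:2b:cb:d1:72", "e0:33:8e:e9:65:01"):
        print(probe, "->", decide(probe, policies, "deny"))
```

Review the generated text before pasting it into the FortiGate CLI, then bind the group to the VAP with `set address-group` as in step 3.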
