Fortinet Document Library

Version:


Table of Contents

FortiWiFi and FortiAP Cookbook

6.4.0
Download PDF
Copy Link

Configuring MAC filter on SSID

Follow these instructions to enable MAC filter on SSID. Consider the following when using this function:

  • The MAC filter function is independent of the SSID security mode.
  • To enable MAC filter on SSID, first configure the wireless controller address and address group. See instructions below.

Sample topology

To block a specific client from connecting to the SSID using MAC filter:
  1. Create a wireless controller address with the client MAC address and set the policy to deny. In this example, the client MAC address is b4:ae:2b:cb:d1:72.

    config wireless-controller address

    edit "client_1"

    set mac b4:ae:2b:cb:d1:72

    set policy deny

    next

    end

  2. Create a wireless controller address group using the above address and set the default policy to allow.

    config wireless-controller addrgrp

    edit mac_grp

    set addresses "client_1"

    set default-policy allow

    next

    end

  3. On the virtual access point (VAP), select the above address group.

    config wireless-controller vap

    edit wifi-vap

    set ssid "Fortinet-psk"

    set security wpa2-only-personal

    set passphrase fortinet

    set address-group "mac_grp"

    next

    end

    After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) is denied connecting to SSID Fortinet-psk. Other clients can connect, such as a client with MAC address e0:33:8e:e9:65:01.

To allow a specific client to connect to the SSID using MAC filter:
  1. Create a wireless controller address with the same MAC address as the client and set the policy to allow. In this example, the client's MAC address is b4:ae:2b:cb:d1:72.

    config wireless-controller address

    edit "client_1"

    set mac b4:ae:2b:cb:d1:72

    set policy allow

    next

    end

  2. Create a wireless controller address group using the above address and set the default policy to deny.

    config wireless-controller addrgrp

    edit mac_grp

    set addresses "client_1"

    set default-policy deny

    next

    end

  3. On the virtual access point, select the above address group.

    config wireless-controller vap

    edit wifi-vap

    set ssid "Fortinet-psk"

    set security wpa2-only-personal

    set passphrase fortinet

    set address-group "mac_grp"

    next

    end

    After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) can connect to SSID Fortinet-psk. Other clients are denied from connecting, such as a client with MAC address e0:33:8e:e9:65:01.

Configuring MAC filter on SSID

Follow these instructions to enable MAC filter on SSID. Consider the following when using this function:

  • The MAC filter function is independent of the SSID security mode.
  • To enable MAC filter on SSID, first configure the wireless controller address and address group. See instructions below.

Sample topology

To block a specific client from connecting to the SSID using MAC filter:
  1. Create a wireless controller address with the client MAC address and set the policy to deny. In this example, the client MAC address is b4:ae:2b:cb:d1:72.

    config wireless-controller address

    edit "client_1"

    set mac b4:ae:2b:cb:d1:72

    set policy deny

    next

    end

  2. Create a wireless controller address group using the above address and set the default policy to allow.

    config wireless-controller addrgrp

    edit mac_grp

    set addresses "client_1"

    set default-policy allow

    next

    end

  3. On the virtual access point (VAP), select the above address group.

    config wireless-controller vap

    edit wifi-vap

    set ssid "Fortinet-psk"

    set security wpa2-only-personal

    set passphrase fortinet

    set address-group "mac_grp"

    next

    end

    After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) is denied connecting to SSID Fortinet-psk. Other clients can connect, such as a client with MAC address e0:33:8e:e9:65:01.

To allow a specific client to connect to the SSID using MAC filter:
  1. Create a wireless controller address with the same MAC address as the client and set the policy to allow. In this example, the client's MAC address is b4:ae:2b:cb:d1:72.

    config wireless-controller address

    edit "client_1"

    set mac b4:ae:2b:cb:d1:72

    set policy allow

    next

    end

  2. Create a wireless controller address group using the above address and set the default policy to deny.

    config wireless-controller addrgrp

    edit mac_grp

    set addresses "client_1"

    set default-policy deny

    next

    end

  3. On the virtual access point, select the above address group.

    config wireless-controller vap

    edit wifi-vap

    set ssid "Fortinet-psk"

    set security wpa2-only-personal

    set passphrase fortinet

    set address-group "mac_grp"

    next

    end

    After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) can connect to SSID Fortinet-psk. Other clients are denied from connecting, such as a client with MAC address e0:33:8e:e9:65:01.