
FortiWiFi and FortiAP Configuration Guide


Adding a MAC filter

On each SSID or FortiAP, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.

This is not the most secure method as someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption.

To block a specific client from connecting to an SSID using a MAC filter - CLI
  1. Create a wireless controller address with the client's MAC address, and set the policy to deny:

    config wireless-controller address
        edit "client_1"
            set mac b4:ae:2b:cb:d1:72
            set policy deny
        next
    end

  2. Create a wireless controller address group using the above address, and set the default policy to allow:

    config wireless-controller addrgrp
        edit mac_grp
            set addresses "client_1"
            set default-policy allow
        next
    end

  3. On the VAP, select the above address group:

    config wireless-controller vap
        edit wifi-vap
            set ssid "Fortinet-psk"
            set security wpa2-only-personal
            set passphrase fortinet
            set address-group "mac_grp"
        next
    end

The client's MAC address (b4:ae:2b:cb:d1:72 in this example) will be denied a connection to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be allowed to connect.

To allow a specific client to connect to an SSID using a MAC filter - CLI
  1. Create a wireless controller address with the client's MAC address, and set the policy to allow:

    config wireless-controller address
        edit "client_1"
            set mac b4:ae:2b:cb:d1:72
            set policy allow
        next
    end

  2. Create a wireless controller address group using the above address, and set the default policy to deny:

    config wireless-controller addrgrp
        edit mac_grp
            set addresses "client_1"
            set default-policy deny
        next
    end

  3. On the VAP, select the above address group:

    config wireless-controller vap
        edit wifi-vap
            set ssid "Fortinet-psk"
            set security wpa2-only-personal
            set passphrase fortinet
            set address-group "mac_grp"
        next
    end

The client's MAC address (b4:ae:2b:cb:d1:73 in this example) will be allowed to connect to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be denied a connection.
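The two procedures above differ only in which side carries "allow" and which carries "deny". The following added example (not from the Fortinet guide) generates the same three CLI blocks for a list of clients in either mode, validating and normalising each MAC first, refusing an empty allow-list (which would lock out every client), and de-duplicating entries. It assumes the VAP already exists, that multiple `set addresses` members are space-separated as is usual in FortiOS, and the address names `<group>_client_N` are an invented convention.

```python
import re

# 48-bit MAC with optional ':' or '-' separators (the page uses lowercase colon form).
_MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Return the lowercase colon-separated form, rejecting anything that is not a MAC."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_filter_config(vap: str, group: str, macs, mode: str) -> str:
    """Emit the address / addrgrp / vap blocks from the guide for one SSID.

    allow-list: each address 'set policy allow', group 'set default-policy deny'
    deny-list:  each address 'set policy deny',  group 'set default-policy allow'
    """
    if mode not in ("allow-list", "deny-list"):
        raise ValueError("mode must be 'allow-list' or 'deny-list'")
    per_addr = "allow" if mode == "allow-list" else "deny"
    default = "deny" if mode == "allow-list" else "allow"
    # dict preserves order while dropping duplicates (b4-AE-... and b4:ae:... are the same client)
    unique = list(dict.fromkeys(normalize_mac(m) for m in macs))
    if mode == "allow-list" and not unique:
        raise ValueError("an allow-list with no members would deny every client")
    names = [f"{group}_client_{i}" for i in range(1, len(unique) + 1)]  # assumed naming
    lines = ["config wireless-controller address"]
    for name, mac in zip(names, unique):
        lines += [f'    edit "{name}"', f"        set mac {mac}",
                  f"        set policy {per_addr}", "    next"]
    lines += ["end", "config wireless-controller addrgrp", f'    edit "{group}"',
              "        set addresses " + " ".join(f'"{n}"' for n in names),
              f"        set default-policy {default}", "    next", "end",
              "config wireless-controller vap", f'    edit "{vap}"',
              f'        set address-group "{group}"', "    next", "end"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: the guide's denied client, in deny-list mode.
    print(mac_filter_config("wifi-vap", "mac_grp", ["b4:ae:2b:cb:d1:72"], "deny-list"))
```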

To block a specific client from connecting to a WTP or FortiAP - CLI

    config wireless-controller wtp-profile
        edit "FAP-profile"
            config deny-mac-list
                edit 1
                    set mac 00:09:11:ef:37:67
                next
            end
        next
    end

You can log in to the FortiAP CLI to see the list of denied MAC addresses with the following command:

    cw_diag -c deny-mac-list

    WTP Configured Access Control List:
    00:09:11:ef:37:67
    ---------------Total 1 MAC entries----------------

You can also see the denied event recorded in the FortiGate wireless event log.
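Checking that the list the AP actually enforces matches the wtp-profile is worth automating when many APs share a profile. This added example (not from the Fortinet guide) parses the `cw_diag -c deny-mac-list` listing shown above, uses the "Total N MAC entries" footer to catch a truncated capture, and reports MACs that are missing from or unexpected on the AP. The sample output is constructed to mirror the page's listing; the `check_deny_list` name is an invention for this example.

```python
import re

# Constructed sample, modelled on the listing the guide shows for one denied client.
SAMPLE_OUTPUT = """\
WTP Configured Access Control List:
00:09:11:ef:37:67
---------------Total 1 MAC entries----------------
"""

MAC_LINE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})$", re.I)
TOTAL_LINE = re.compile(r"Total\s+(\d+)\s+MAC entries", re.I)


def parse_deny_mac_list(text: str) -> set:
    """Return the MACs in a cw_diag deny-mac-list listing.

    Raises if the footer is absent or its count disagrees with the lines seen,
    so a truncated capture or a changed output format does not pass silently.
    """
    seen, total = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if MAC_LINE.match(line):
            seen.append(line.lower())
            continue
        m = TOTAL_LINE.search(line)
        if m:
            total = int(m.group(1))
    if total is None or total != len(seen):
        raise ValueError(f"footer count {total} != parsed entries {len(seen)}")
    return set(seen)


def check_deny_list(actual_output: str, expected_macs) -> dict:
    """Diff the AP's live deny list against what the wtp-profile should push."""
    expected = {m.strip().lower() for m in expected_macs}
    live = parse_deny_mac_list(actual_output)
    return {"missing": sorted(expected - live), "unexpected": sorted(live - expected)}


if __name__ == "__main__":
    print(check_deny_list(SAMPLE_OUTPUT, ["00:09:11:ef:37:67"]))
```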
