Adding a MAC filter
On each SSID or FortiAP, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.
This is not the most secure method, as someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate clients. A MAC filter list should only be used in conjunction with other security measures such as encryption.
To block a specific client from connecting to an SSID using a MAC filter - CLI
- Create a wireless controller address with the client's MAC address, and set the policy to deny:
    config wireless-controller address
        edit "client_1"
            set mac b4:ae:2b:cb:d1:72
            set policy deny
        next
    end
- Create a wireless controller address group using the above address, and set the default policy to allow:
    config wireless-controller addrgrp
        edit mac_grp
            set addresses "client_1"
            set default-policy allow
        next
    end
- On the VAP, select the above address group:
    config wireless-controller vap
        edit wifi-vap
            set ssid "Fortinet-psk"
            set security wpa2-only-personal
            set passphrase fortinet
            set address-group "mac_grp"
        next
    end
The client's MAC address (b4:ae:2b:cb:d1:72 in this example) will be denied a connection to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be allowed to connect.
To allow a specific client to connect to an SSID using a MAC filter - CLI
- Create a wireless controller address with the client's MAC address, and set the policy to allow:
    config wireless-controller address
        edit "client_1"
            set mac b4:ae:2b:cb:d1:72
            set policy allow
        next
    end
- Create a wireless controller address group using the above address, and set the default policy to deny:
    config wireless-controller addrgrp
        edit mac_grp
            set addresses "client_1"
            set default-policy deny
        next
    end
- On the VAP, select the above address group:
    config wireless-controller vap
        edit wifi-vap
            set ssid "Fortinet-psk"
            set security wpa2-only-personal
            set passphrase fortinet
            set address-group "mac_grp"
        next
    end
The client's MAC address (b4:ae:2b:cb:d1:72 in this example) will be allowed to connect to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be denied a connection.
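The two SSID procedures above differ only in how the per-address policy and the group default-policy combine. The following added example (not Fortinet code) parses the CLI fragments shown above into a table and evaluates whether a given client MAC would be admitted to an SSID, normalizing the MAC formats a client or log might present; the configuration text is constructed here from the deny example.

```python
# Constructed FortiOS CLI fragment reproducing the "block a specific client" example above.
DENY_EXAMPLE = """config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy deny
    next
end
config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy allow
    next
end
config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set address-group "mac_grp"
    next
end"""

def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1].strip('"'), {})
        elif tok[0] == "set":  # values may be quoted and multi-valued: set addresses "a" "b"
            entry[tok[1]] = [v.strip('"') for v in tok[2:]]
    return tables  # "next" / "end" need no handling: they only close the entry / table

def normalize_mac(mac):
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")  # B4-AE-..., b4ae.2bcb.d172, B4AE2BCBD172
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()  # canonical b4:ae:2b:cb:d1:72

def client_allowed(tables, ssid, client_mac):
    """True if client_mac may associate to ssid under the address group attached to its VAP."""
    vap = next(v for v in tables["wireless-controller vap"].values() if v.get("ssid") == [ssid])
    if "address-group" not in vap:
        return True  # no MAC filter attached to this SSID
    group = tables["wireless-controller addrgrp"][vap["address-group"][0]]
    addrs = tables["wireless-controller address"]
    mac = normalize_mac(client_mac)
    for name in group.get("addresses", []):  # an explicit entry's policy overrides the group default
        if normalize_mac(addrs[name]["mac"][0]) == mac:
            return addrs[name]["policy"][0] == "allow"
    return group["default-policy"][0] == "allow"
```

Swapping the two policy values in the text (address policy allow, default-policy deny) yields the allow-list behaviour of the second procedure, which is the only difference between the two configurations.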
To block a specific client from connecting to a WTP or FortiAP - CLI
    config wireless-controller wtp-profile
        edit "FAP-profile"
            config deny-mac-list
                edit 1
                    set mac 00:09:11:ef:37:67
                next
            end
        next
    end
You can log in to the FortiAP CLI to see the list of denied MAC addresses with the following command:
    cw_diag -c deny-mac-list
    WTP Configured Access Control List:
    00:09:11:ef:37:67
    ---------------Total 1 MAC entries----------------
You can also see the denied event recorded from the FortiGate wireless event log.