FortiWiFi and FortiAP Configuration Guide

Adding a MAC filter

On each SSID or FortiAP, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.

This is not the most secure method as someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption.

To create and apply a MAC address filter - GUI
  1. Go to Policy & Objects > Addresses and select Create New > Address.
  2. Name the address and set the Type as Device (MAC Address).
  3. Enter the MAC address(es) you want to filter.

  4. When you are finished, click OK.
  5. Go to Policy & Objects > Addresses and select Create New > Address Group.
  6. Name the address group.
  7. Click Members and select the address you created earlier.

  8. When you are finished, click OK.
  9. Go to WiFi & Switch Controller > SSIDs and select the SSID you want to apply the filter to.
  10. Locate Client MAC Address Filtering and select an Address group policy:
    • Disable: Do not apply a MAC address filtering policy to the MAC addresses in the address group. This is the default.
    • Allow: Permit clients with MAC addresses that are in the address group.
    • Deny: Deny clients with MAC addresses that are in the address group.
  11. Select the Address group you created.

  12. When you are finished, click OK.

    The SSID now accepts or denies clients in the address group you configured.

To create and apply a MAC address filter - CLI
  1. Create the firewall address entry and set the type to mac:

    config firewall address
      edit "client-1"
        set uuid f35b2080-a199-51ec-7d97-00495859217e
        set type mac
        set macaddr "f8:e4:e3:d8:5e:af"
      next
    end
  2. Create a firewall address group and select the address entry you just created:

    config firewall addrgrp
      edit "mac-group"
        set uuid 26260750-a19a-51ec-b054-b385dab00c07
        set member "client-1"
      next
    end
  3. Under a wireless VAP interface, use the new address-group-policy option to control the MAC filter function.

    • To allow the connection, select the created address-group and set the address-group-policy to allow:

      config wireless-controller vap
        edit "wifi.fap.01"
          set ssid "ExampleSSID"
          set passphrase ENC *
          set schedule "always"
          set address-group "mac-group"
          set address-group-policy allow
        next
      end
    • To deny the connection, select the created address-group and set the address-group-policy to deny:

      config wireless-controller vap
        edit "wifi.fap.02"
          set ssid "ExampleSSID"
          set passphrase ENC *
          set schedule "always"
          set address-group "mac-group"
          set address-group-policy deny
        next
      end
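
The CLI procedure above, generated from a client inventory, as an added example that is not Fortinet's code. It normalizes each MAC address, rejects object names that could inject extra CLI lines, and flags locally administered (randomized) addresses, which may change and so fall out of an allow list. The function names and sample inventory are assumptions, and the SSID is assumed to exist already.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9._-]+")  # no quotes or newlines reach the CLI

def normalize_mac(raw):
    """Return lower-case colon-separated hex; raise ValueError if not a MAC."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """Bit 0x02 of the first octet: set on randomized per-network addresses."""
    return bool(int(mac[:2], 16) & 0x02)

def build_config(clients, group, vap, policy):
    """clients maps entry name -> MAC. Returns (cli_text, warnings)."""
    if policy not in ("allow", "deny"):
        raise ValueError("policy must be allow or deny")
    for name in [*clients, group, vap]:
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"unsafe object name: {name!r}")
    seen, warnings = {}, []
    # "set uuid" is left out; assumption: FortiOS assigns it on creation.
    out = ["config firewall address"]
    for name, raw in clients.items():
        mac = normalize_mac(raw)
        if mac in seen:
            warnings.append(f"{name}: duplicate of {seen[mac]}, skipped")
            continue
        seen[mac] = name
        if is_locally_administered(mac):
            warnings.append(f"{name}: locally administered address, may rotate")
        out += [f'  edit "{name}"', "    set type mac",
                f'    set macaddr "{mac}"', "  next"]
    members = " ".join(f'"{n}"' for n in seen.values())
    out += ["end", "config firewall addrgrp", f'  edit "{group}"',
            f"    set member {members}", "  next", "end",
            "config wireless-controller vap", f'  edit "{vap}"',
            f'    set address-group "{group}"',
            f"    set address-group-policy {policy}", "  next", "end"]
    return "\n".join(out), warnings

# Constructed inventory: client-1 is the page's address, the rest are made up.
SAMPLE = {"client-1": "f8:e4:e3:d8:5e:af", "client-2": "F8-E4-E3-D8-5E-B0",
          "phone-1": "da:a1:19:00:00:01", "client-4": "f8e4.e3d8.5eaf"}

if __name__ == "__main__":
    cli, notes = build_config(SAMPLE, "mac-group", "wifi.fap.01", "allow")
    print(cli + "\n" + "\n".join("# " + n for n in notes))
```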
