Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

FortiWiFi and FortiAP Configuration Guide

Adding a MAC filter

On each SSID or FortiAP, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.

This is not the most secure method as someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption.

To create and apply a MAC address filter - GUI
  1. Go to Policy & Objects > Addresses and select Create New > Address.
  2. Name the address and set the Type as Device (MAC Address).
  3. Enter the MAC address(es) you want to filter.

  4. When you are finished, click OK.
  5. Go to Policy & Objects > Addresses and select Create New > Address Group.
  6. Name the address group
  7. Click Members and select the address you created earlier.

  8. When you are finished, click OK.
  9. Go to WiFi & Switch Controller > SSIDs and select the SSID you want to apply the filter to.
  10. Locate Client MAC Address Filtering and select an Address group policy:
    • Disable: Disable MAC address filtering policy for MAC addresses that are in the address group. This is the default.
    • Allow: Permit clients with MAC addresses that are in the address group.
    • Deny: Deny clients with MAC addresses that are in the address group.
  11. Select the Address group you created.

  12. When you are finished, click OK.

    The SSID now accepts or denies the address group you configured.

To create and apply a MAC address filter - CLI
  1. Create the firewall address entry and set the type to mac:

     config firewall address
      edit "client-1"
        set uuid f35b2080-a199-51ec-7d97-00495859217e
        set type mac
        set macaddr "f8:e4:e3:d8:5e:af"
      next
    end
  2. Create a firewall address group and select the address entry you just created.

     config firewall addrgrp
      edit "mac-group"
        set uuid 26260750-a19a-51ec-b054-b385dab00c07
        set member "client-1"
      next
    end
  3. Under a wireless vap interface, there is a new address-group-policy option to help control the mac filter function.

    • To allow the connection, select the created address-group and set the address-group-policy to allow:

      config wireless-controller vap
        edit "wifi.fap.01"
          set ssid "ExampleSSID"
          set passphrase ENC *
          set schedule "always"
          set address-group "mac-group"
          set address-group-policy allow
        next
      end
    • To deny the connection, select the created address-group and set the address-group-policy to deny:

      config wireless-controller vap
          edit "wifi.fap.02"
              set ssid "ExampleSSID"
              set passphrase ENC *
              set schedule "always"
              set address-group "mac-group"
              set address-group-policy deny
          next
      end

Adding a MAC filter

On each SSID or FortiAP, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.

This is not the most secure method as someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption.

To create and apply a MAC address filter - GUI
  1. Go to Policy & Objects > Addresses and select Create New > Address.
  2. Name the address and set the Type as Device (MAC Address).
  3. Enter the MAC address(es) you want to filter.

  4. When you are finished, click OK.
  5. Go to Policy & Objects > Addresses and select Create New > Address Group.
  6. Name the address group
  7. Click Members and select the address you created earlier.

  8. When you are finished, click OK.
  9. Go to WiFi & Switch Controller > SSIDs and select the SSID you want to apply the filter to.
  10. Locate Client MAC Address Filtering and select an Address group policy:
    • Disable: Disable MAC address filtering policy for MAC addresses that are in the address group. This is the default.
    • Allow: Permit clients with MAC addresses that are in the address group.
    • Deny: Deny clients with MAC addresses that are in the address group.
  11. Select the Address group you created.

  12. When you are finished, click OK.

    The SSID now accepts or denies the address group you configured.

To create and apply a MAC address filter - CLI
  1. Create the firewall address entry and set the type to mac:

     config firewall address
      edit "client-1"
        set uuid f35b2080-a199-51ec-7d97-00495859217e
        set type mac
        set macaddr "f8:e4:e3:d8:5e:af"
      next
    end
  2. Create a firewall address group and select the address entry you just created.

     config firewall addrgrp
      edit "mac-group"
        set uuid 26260750-a19a-51ec-b054-b385dab00c07
        set member "client-1"
      next
    end
  3. Under a wireless vap interface, there is a new address-group-policy option to help control the mac filter function.

    • To allow the connection, select the created address-group and set the address-group-policy to allow:

      config wireless-controller vap
        edit "wifi.fap.01"
          set ssid "ExampleSSID"
          set passphrase ENC *
          set schedule "always"
          set address-group "mac-group"
          set address-group-policy allow
        next
      end
    • To deny the connection, select the created address-group and set the address-group-policy to deny:

      config wireless-controller vap
          edit "wifi.fap.02"
              set ssid "ExampleSSID"
              set passphrase ENC *
              set schedule "always"
              set address-group "mac-group"
              set address-group-policy deny
          next
      end