Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    6.0.0
    6.0.0

    Controlling access with a MAC ACL

    Controlling access with a MAC ACL

    A MAC access control list (ACL) allows or blocks access on a network interface that includes a DHCP server. If the interface does not use DHCP, or if you want to limit network access to a larger group such as employee devices, it is better to create a device group and specify that group in your security policies.

    A MAC ACL functions as either a list of devices to block, allowing all other devices, or a list of devices to allow, blocking all other devices.

    Allowed devices are assigned an IP address. The assign IP address action assigns the device an IP address from the DHCP range. In a list of allowed devices, you can also use the Reserve IP action to always provide a specific IP address to the device.

    The Unknown MAC Address entry applies to "other" unknown, unlisted devices. Its action must be opposite to that of the other entries. In an allow list, it must block. In a block list, it must allow.

    To create a MAC ACL to allow only specific devices
    1. Go to the SSID or network interface configuration.
    2. In the DHCP Server section, expand Advanced.DHCP Server must be enabled.
    3. In MAC Reservation + Access Control, select Create New and enter an allowed device’s MAC Address.

    4. In the IP or Action column, select one of:

      • Assign IP — device is assigned an IP address from the DHCP server address range.
      • Reserve IP — device is assigned the IP address that you specify.
    5. Repeat Steps Controlling access with a MAC ACL and Controlling access with a MAC ACL for each additional MAC address entry.
    6. Set the Unknown MAC Address entry IP or Action to Block.Devices not in the list will be blocked.
    7. Select OK.
    To create a MAC ACL to block specific devices
    1. Go to the SSID or network interface configuration.
    2. In the DHCP Server section, expand Advanced. DHCP Server must be enabled.
    3. In MAC Reservation + Access Control, select Create New and enter the MAC Address of a device that must be blocked.
    4. In the IP or Action column, select Block.
    5. Repeat Steps Controlling access with a MAC ACL and Controlling access with a MAC ACL for each device that must be blocked.
    6. Set the Unknown MAC Address entry IP or Action to Assign IP.Devices not in the list will be assigned IP addresses.
    7. Select OK.

    MAC authentication bypass

    MAC authentication bypass (MAB) allows devices without 802.1X capability (printers and IP phones for example) to bypass authentication and be allowed network access based on their MAC address. This feature requires RADIUS-based 802.1X authentication in which the RADIUS server contains a database of authorized MAC addresses.

    MAB is configurable only in the CLI and only on interfaces configured for 802.1X authentication. For example:

    config system interface

    edit "lan"

    set ip 10.0.0.200 255.255.255.0

    set vlanforward enable

    set security-mode 802.1X

    set security-mac-auth-bypass enable

    set security-groups "Radius-group"

    end

    end

    MAB is also available on WiFi SSIDs, regardless of authentication type. It is configurable only in the CLI. You need to enable the radius-mac-auth feature and specify the RADIUS server that will be used. For example:

    config wireless-controller vap

    edit "office-ssid"

    set security wpa2-only-enterprise

    set auth usergroup

    set usergroup "staff"

    set radius-mac-auth enable

    set radius-mac-auth-server "ourRadius"

    end

    end

    Previous
    Next

    Controlling access with a MAC ACL

    Controlling access with a MAC ACL

    A MAC access control list (ACL) allows or blocks access on a network interface that includes a DHCP server. If the interface does not use DHCP, or if you want to limit network access to a larger group such as employee devices, it is better to create a device group and specify that group in your security policies.

    A MAC ACL functions as either a list of devices to block, allowing all other devices, or a list of devices to allow, blocking all other devices.

    Allowed devices are assigned an IP address. The assign IP address action assigns the device an IP address from the DHCP range. In a list of allowed devices, you can also use the Reserve IP action to always provide a specific IP address to the device.

    The Unknown MAC Address entry applies to "other" unknown, unlisted devices. Its action must be opposite to that of the other entries. In an allow list, it must block. In a block list, it must allow.

    To create a MAC ACL to allow only specific devices
    1. Go to the SSID or network interface configuration.
    2. In the DHCP Server section, expand Advanced.DHCP Server must be enabled.
    3. In MAC Reservation + Access Control, select Create New and enter an allowed device’s MAC Address.

    4. In the IP or Action column, select one of:

      • Assign IP — device is assigned an IP address from the DHCP server address range.
      • Reserve IP — device is assigned the IP address that you specify.
    5. Repeat Steps Controlling access with a MAC ACL and Controlling access with a MAC ACL for each additional MAC address entry.
    6. Set the Unknown MAC Address entry IP or Action to Block.Devices not in the list will be blocked.
    7. Select OK.
    To create a MAC ACL to block specific devices
    1. Go to the SSID or network interface configuration.
    2. In the DHCP Server section, expand Advanced. DHCP Server must be enabled.
    3. In MAC Reservation + Access Control, select Create New and enter the MAC Address of a device that must be blocked.
    4. In the IP or Action column, select Block.
    5. Repeat Steps Controlling access with a MAC ACL and Controlling access with a MAC ACL for each device that must be blocked.
    6. Set the Unknown MAC Address entry IP or Action to Assign IP.Devices not in the list will be assigned IP addresses.
    7. Select OK.

    MAC authentication bypass

    MAC authentication bypass (MAB) allows devices without 802.1X capability (printers and IP phones for example) to bypass authentication and be allowed network access based on their MAC address. This feature requires RADIUS-based 802.1X authentication in which the RADIUS server contains a database of authorized MAC addresses.

    MAB is configurable only in the CLI and only on interfaces configured for 802.1X authentication. For example:

    config system interface

    edit "lan"

    set ip 10.0.0.200 255.255.255.0

    set vlanforward enable

    set security-mode 802.1X

    set security-mac-auth-bypass enable

    set security-groups "Radius-group"

    end

    end

    MAB is also available on WiFi SSIDs, regardless of authentication type. It is configurable only in the CLI. You need to enable the radius-mac-auth feature and specify the RADIUS server that will be used. For example:

    config wireless-controller vap

    edit "office-ssid"

    set security wpa2-only-enterprise

    set auth usergroup

    set usergroup "staff"

    set radius-mac-auth enable

    set radius-mac-auth-server "ourRadius"

    end

    end

    Previous
    Next