Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    6.2.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Wireless MAC Filter Updates

    Wireless MAC Filter Updates

    This feature changes the MAC filter function on SSIDs so that it is only based on the MAC address of clients. Previously, the MAC filter worked with device-detection and clients could be filtered by MAC address or device type.

    The filter configuration in the CLI is moved from user device and user device-access-list to wireless-controller address and wireless-controller addrgrp respectively.

    The new MAC filter function is independent from the security mode of the SSID. To enable it on an SSID, the wireless controller address and address group must be configured.

    To block a specific client from connecting to an SSID using a MAC filter:
    1. Create a wireless controller address with the client's MAC address, and set the policy to deny:
      config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy deny
    next
end
    2. Create a wireless controller address group using the above address and setting the default policy to allow:
      config wireless-controller addrgrp
   edit mac_grp
       set addresses "client_1"
       set default-policy allow
   next
end
    3. On the VAP, select the above address group:
      config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet       
        set address-group "mac_grp"
    next
end

      The client's MAC address (b4:ae:2b:cb:d1:72 in this example) will be denied a connection to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be allowed to connect.

    To allow a specific client to connect to an SSID using a MAC filter:
    1. Create a wireless controller address with the client's MAC address, and set the policy to allow:
      config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy allow
    next
end
    2. Create a wireless controller address group using the above address and setting the default policy to deny:
      config wireless-controller addrgrp
   edit mac_grp
       set addresses "client_1"
       set default-policy deny
   next
end
    3. On the VAP, select the above address group:
      config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet       
        set address-group "mac_grp"
    next
end

      The client's MAC address (b4:ae:2b:cb:d1:73 in this example) will be allowed to connect to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be denied a connection.

    Previous
    Next

    Wireless MAC Filter Updates

    Wireless MAC Filter Updates

    This feature changes the MAC filter function on SSIDs so that it is only based on the MAC address of clients. Previously, the MAC filter worked with device-detection and clients could be filtered by MAC address or device type.

    The filter configuration in the CLI is moved from user device and user device-access-list to wireless-controller address and wireless-controller addrgrp respectively.

    The new MAC filter function is independent from the security mode of the SSID. To enable it on an SSID, the wireless controller address and address group must be configured.

    To block a specific client from connecting to an SSID using a MAC filter:
    1. Create a wireless controller address with the client's MAC address, and set the policy to deny:
      config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy deny
    next
end
    2. Create a wireless controller address group using the above address and setting the default policy to allow:
      config wireless-controller addrgrp
   edit mac_grp
       set addresses "client_1"
       set default-policy allow
   next
end
    3. On the VAP, select the above address group:
      config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet       
        set address-group "mac_grp"
    next
end

      The client's MAC address (b4:ae:2b:cb:d1:72 in this example) will be denied a connection to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be allowed to connect.

    To allow a specific client to connect to an SSID using a MAC filter:
    1. Create a wireless controller address with the client's MAC address, and set the policy to allow:
      config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy allow
    next
end
    2. Create a wireless controller address group using the above address and setting the default policy to deny:
      config wireless-controller addrgrp
   edit mac_grp
       set addresses "client_1"
       set default-policy deny
   next
end
    3. On the VAP, select the above address group:
      config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet       
        set address-group "mac_grp"
    next
end

      The client's MAC address (b4:ae:2b:cb:d1:73 in this example) will be allowed to connect to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be denied a connection.

    Previous
    Next