Fortinet Document Library

New Features

6.2.0
Wireless MAC Filter Updates

This feature changes the MAC filter function on SSIDs so that it is only based on the MAC address of clients. Previously, the MAC filter worked with device-detection and clients could be filtered by MAC address or device type.

The filter configuration in the CLI is moved from user device and user device-access-list to wireless-controller address and wireless-controller addrgrp respectively.

The new MAC filter function is independent from the security mode of the SSID. To enable it on an SSID, the wireless controller address and address group must be configured.

To block a specific client from connecting to an SSID using a MAC filter:
  1. Create a wireless controller address with the client's MAC address, and set the policy to deny:
    config wireless-controller address
        edit "client_1"
            set mac b4:ae:2b:cb:d1:72
            set policy deny
        next
    end
  2. Create a wireless controller address group that contains the above address, and set the default policy to allow:
    config wireless-controller addrgrp
        edit mac_grp
            set addresses "client_1"
            set default-policy allow
        next
    end
  3. On the VAP, select the above address group:
    config wireless-controller vap
        edit wifi-vap
            set ssid "Fortinet-psk"
            set security wpa2-only-personal
            set passphrase fortinet
            set address-group "mac_grp"
        next
    end

    The client's MAC address (b4:ae:2b:cb:d1:72 in this example) will be denied a connection to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be allowed to connect.

To allow a specific client to connect to an SSID using a MAC filter:
  1. Create a wireless controller address with the client's MAC address, and set the policy to allow:
    config wireless-controller address
        edit "client_1"
            set mac b4:ae:2b:cb:d1:72
            set policy allow
        next
    end
  2. Create a wireless controller address group that contains the above address, and set the default policy to deny:
    config wireless-controller addrgrp
        edit mac_grp
            set addresses "client_1"
            set default-policy deny
        next
    end
  3. On the VAP, select the above address group:
    config wireless-controller vap
        edit wifi-vap
            set ssid "Fortinet-psk"
            set security wpa2-only-personal
            set passphrase fortinet
            set address-group "mac_grp"
        next
    end

    The client's MAC address (b4:ae:2b:cb:d1:72 in this example) will be allowed to connect to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be denied a connection.
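
The following is an added example, not Fortinet code: a small offline checker that parses the three stanzas used in the block and allow procedures above and reports the decision a given client MAC would receive on a VAP, which is useful for reviewing a configuration backup before deployment. The function names `parse` and `decide` are hypothetical, and the lookup order (the listed address's policy first, then the group's default-policy) is an assumption drawn from the two outcomes described on this page.

```python
import shlex

# Constructed sample: the stanzas from the "block a specific client" procedure.
SAMPLE = """
config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy deny
    next
end
config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy allow
    next
end
config wireless-controller vap
    edit wifi-vap
        set address-group "mac_grp"
    next
end
"""

def parse(text):
    """Parse flat config/edit/set stanzas into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for tok in map(shlex.split, text.splitlines()):
        if not tok:
            continue
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set":
            entry[tok[1]] = tok[2:]
    return tables

def decide(tables, vap, mac):
    """Assumed semantics, taken from the page's two outcomes: a MAC listed in
    the group gets its own policy; any other MAC gets the default-policy."""
    group = tables["wireless-controller vap"][vap].get("address-group")
    if not group:
        return "unfiltered"  # no address-group set on this VAP
    grp = tables["wireless-controller addrgrp"][group[0]]
    for name in grp.get("addresses", []):
        addr = tables["wireless-controller address"][name]
        if addr["mac"][0].lower() == mac.lower():
            return addr["policy"][0]
    return grp["default-policy"][0]
```

Swapping the two policy values in the sample reproduces the allow-list procedure, where only the listed client is admitted.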
