Improve MAC address filtering 7.2.1
This enhancement adds GUI support for configuring MAC address filters in the WiFi & Switch Controller > SSIDs page and introduces a new address-group-policy
command that applies MAC filters directly from the SSID. Using address groups, you can choose if you want to permit or exclude clients based on their MAC addresses.
To create and apply a MAC address filter - GUI:
- Go to Policy & Objects > Addresses and select Create New > Address.
- Name the address and set the Type as Device (MAC Address).
-
Enter the MAC address(es) you want to filter.
- When you are finished, click OK.
- Go to Policy & Objects > Addresses and select Create New > Address Group.
- Name the address group
-
Click Members and select the address you created earlier.
- When you are finished, click OK.
- Go to WiFi & Switch Controller > SSIDs and select the SSID you want to apply the filter to.
- Locate Client MAC Address Filtering and select an Address group policy:
- Disable: Disable MAC address filtering policy for MAC addresses that are in the address group. This is the default.
- Allow: Permit clients with MAC addresses that are in the address group.
- Deny: Deny clients with MAC addresses that are in the address group.
-
Select the Address group you created.
-
When you are finished, click OK.
The SSID now accepts or denies the address group you configured.
To create and apply a MAC address filter - CLI:
-
Create the firewall address entry and set the
type
tomac
:config firewall address edit "client-1" set uuid f35b2080-a199-51ec-7d97-00495859217e set type mac set macaddr "f8:e4:e3:d8:5e:af" next end
-
Create a firewall address group and select the address entry you just created.
config firewall addrgrp edit "mac-group" set uuid 26260750-a19a-51ec-b054-b385dab00c07 set member "client-1" next end
-
Under a wireless vap interface, there is a new
address-group-policy
option to help control the mac filter function.-
To allow the connection, select the created
address-group
and set theaddress-group-policy
toallow
:config wireless-controller vap edit "wifi.fap.01" set ssid "ExampleSSID" set passphrase ENC * set schedule "always" set address-group "mac-group" set address-group-policy allow next end
-
To deny the connection, select the created
address-group
and set theaddress-group-policy
todeny
:config wireless-controller vap edit "wifi.fap.02" set ssid "ExampleSSID" set passphrase ENC * set schedule "always" set address-group "mac-group" set address-group-policy deny next end
-