Adding a MAC filter
On each SSID or FortiAP, you can create a MAC address filter list to either permit or exclude a list of clients identified by their MAC addresses.
This is not the most secure method as someone seeking unauthorized access to your network can obtain MAC addresses from wireless traffic and use them to impersonate legitimate users. A MAC filter list should only be used in conjunction with other security measures such as encryption.
To create and apply a MAC address filter - GUI:
- Go to Policy & Objects > Addresses and select Create New > Address.
- Name the address and set the Type as Device (MAC Address).
- Enter the MAC address(es) you want to filter.
- When you are finished, click OK.
- Go to Policy & Objects > Addresses and select Create New > Address Group.
- Name the address group.
- Click Members and select the address you created earlier.
- When you are finished, click OK.
- Go to WiFi & Switch Controller > SSIDs and select the SSID you want to apply the filter to.
- Locate Client MAC Address Filtering and select an Address group policy:
  - Disable: Disable MAC address filtering policy for MAC addresses that are in the address group. This is the default.
  - Allow: Permit clients with MAC addresses that are in the address group.
  - Deny: Deny clients with MAC addresses that are in the address group.
- Select the Address group you created.
- When you are finished, click OK.
The SSID now accepts or denies the address group you configured.
To create and apply a MAC address filter - CLI:
- Create the firewall address entry and set the type to mac:

      config firewall address
          edit "client-1"
              set uuid f35b2080-a199-51ec-7d97-00495859217e
              set type mac
              set macaddr "f8:e4:e3:d8:5e:af"
          next
      end

- Create a firewall address group and select the address entry you just created.

      config firewall addrgrp
          edit "mac-group"
              set uuid 26260750-a19a-51ec-b054-b385dab00c07
              set member "client-1"
          next
      end

- Under a wireless vap interface, there is a new address-group-policy option to help control the MAC filter function.
  - To allow the connection, select the created address-group and set the address-group-policy to allow:

        config wireless-controller vap
            edit "wifi.fap.01"
                set ssid "ExampleSSID"
                set passphrase ENC *
                set schedule "always"
                set address-group "mac-group"
                set address-group-policy allow
            next
        end

  - To deny the connection, select the created address-group and set the address-group-policy to deny:

        config wireless-controller vap
            edit "wifi.fap.02"
                set ssid "ExampleSSID"
                set passphrase ENC *
                set schedule "always"
                set address-group "mac-group"
                set address-group-policy deny
            next
        end
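A pre-check for a client list before it goes into the CLI steps above, as an added example that is not part of the original page or Fortinet's own tooling: it normalizes MAC addresses, skips malformed or duplicate entries, flags locally administered (often randomized) addresses that make an allow or deny list unreliable, and emits the address and address-group configuration in the page's syntax. The client names other than client-1, the sample MACs marked as constructed, and the omission of the uuid lines (assumed to be assigned by FortiOS) are assumptions.

```python
import re

# Constructed sample inventory: entry name -> MAC as typed by different people.
SAMPLE_CLIENTS = {
    "client-1": "f8:e4:e3:d8:5e:af",   # MAC from the page's example
    "client-2": "F8-E4-E3-00-11-22",   # constructed, dash-separated
    "client-3": "da:a1:19:00:00:01",   # constructed, locally administered
    "client-4": "f8e4.e3d8.5e",        # constructed, truncated (invalid)
}

def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated hex, or None if malformed."""
    digits = re.sub(r"[:\-.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when bit 1 of the first octet is set (typical of randomized MACs)."""
    return bool(int(mac[:2], 16) & 0x02)

def build_config(clients, group="mac-group"):
    """Return (cli_text, warnings) for a firewall address group of MAC entries."""
    # uuid lines are omitted: assumed to be assigned by FortiOS on creation.
    lines, members, warnings, seen = ["config firewall address"], [], [], {}
    for name, raw in clients.items():
        mac = normalize_mac(raw)
        if mac is None:
            warnings.append(f"{name}: malformed MAC {raw!r}, skipped")
            continue
        if mac in seen:
            warnings.append(f"{name}: duplicate of {seen[mac]}, skipped")
            continue
        seen[mac] = name
        if is_locally_administered(mac):
            warnings.append(f"{name}: {mac} is locally administered (may be randomized)")
        lines += [f'    edit "{name}"', "        set type mac",
                  f'        set macaddr "{mac}"', "    next"]
        members.append(f'"{name}"')
    if not members:
        raise ValueError("no valid MAC addresses; refusing to emit an empty group")
    lines += ["end", "config firewall addrgrp", f'    edit "{group}"',
              "        set member " + " ".join(members), "    next", "end"]
    return "\n".join(lines), warnings

if __name__ == "__main__":
    text, warns = build_config(SAMPLE_CLIENTS)
    print(text, *("WARNING: " + w for w in warns), sep="\n")
```

A client that presents a locally administered address may use a different address on another SSID or after a reset, so an entry recorded for it can stop matching without any change on the FortiGate.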