FortiGate
nverma
Staff
Article Id 198254

Description
This article explains how to configure a MAC filter on an SSID.

Important Note:
• The MAC filter function is independent of the SSID security mode.
• To enable a MAC filter on an SSID, first configure the wireless controller address and address group. See instructions below.


Scope

 


Solution
To block a specific client from connecting to the SSID using a MAC filter:

1. Create a wireless controller address with the client MAC address and set the policy to deny. In this example, the client MAC address is b4:ae:2b:cb:d1:72.

# config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy deny
    next
end

2. Create a wireless controller address group using the above address and set the default policy to allow.

# config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy allow
    next
end

3. On the virtual access point (VAP), select the above address group.

# config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet
        set address-group "mac_grp"
    next
end

After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) will no longer be allowed to connect to SSID Fortinet-psk. Other clients will be able to connect to the SSID.

To allow a specific client to connect to the SSID using a MAC filter:

1. Create a wireless controller address with the same MAC address as the client and set the policy to allow. In this example, the client's MAC address is b4:ae:2b:cb:d1:72.

# config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy allow
    next
end

2. Create a wireless controller address group using the above address and set the default policy to deny.

# config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy deny
    next
end

3. On the virtual access point, select the above address group.

# config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet
        set address-group "mac_grp"
    next
end

After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) will be allowed to connect to SSID Fortinet-psk. Other clients won't be able to connect to the SSID.
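To check which of the two outcomes above a saved configuration produces for a given client, the following added example (not Fortinet code and not part of the original article) parses the three configuration blocks and reports the verdict for a MAC address on an SSID. The function names `parse` and `verdict` are hypothetical, the sample text is constructed from the article's allow-list example, and the matching logic assumes the behaviour described above: a listed address uses its own policy, any other client gets the group's default policy.

```python
import re, shlex
# Constructed sample: the article's allow-list configuration as exported text.
SAMPLE = """
config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy allow
    next
end
config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy deny
    next
end
config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set address-group "mac_grp"
    next
end
"""

def parse(text):
    """Parse config/edit/set blocks into {table: {entry: {key: [values]}}}."""
    cfg, table, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line.lstrip("# "))  # tolerate a leading "# " prompt
        if not tok:
            continue
        if tok[0] == "config":
            table = cfg.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and table is not None:
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return cfg

def verdict(cfg, ssid, mac):
    """Return the policy applied to mac on ssid; "unset" if not in the export."""
    norm = lambda m: re.sub(r"[^0-9a-f]", "", m.lower())  # ignore case/separators
    vap = next(v for v in cfg["wireless-controller vap"].values() if v.get("ssid") == [ssid])
    if "address-group" not in vap:
        return "no-filter"  # assumption: no address group means no MAC filter
    grp = cfg["wireless-controller addrgrp"][vap["address-group"][0]]
    for name in grp.get("addresses", []):
        addr = cfg["wireless-controller address"][name]
        if norm(addr["mac"][0]) == norm(mac):
            return addr.get("policy", ["unset"])[0]
    return grp.get("default-policy", ["unset"])[0]
```

A result of "unset" means the value was absent from the parsed text, so the effective policy should be confirmed on the device rather than inferred.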