Created on 08-29-2019 01:13 AM Edited on 02-05-2024 02:47 AM By Jean-Philippe_P
Description
This article explains how to configure a MAC filter on an SSID.
Important Note:
• The MAC filter function is independent of the SSID security mode.
• To enable MAC filter on SSID, first configure the wireless controller address and address group. See instructions below.
Scope
Solution
To block a specific client from connecting to the SSID using a MAC filter:
1. Create a wireless controller address with the client MAC address and set the policy to deny. In this example, the client MAC address is b4:ae:2b:cb:d1:72.
# config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy deny
    next
end
2. Create a wireless controller address group using the above address and set the default policy to allow.
# config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy allow
    next
end
3. On the virtual access point (VAP), select the above address group.
# config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet
        set address-group "mac_grp"
    next
end
After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) will no longer be allowed to connect to SSID Fortinet-psk. Other clients will be able to connect to the SSID.
To allow a specific client to connect to the SSID using a MAC filter:
1. Create a wireless controller address with the same MAC address as the client and set the policy to allow. In this example, the client's MAC address is b4:ae:2b:cb:d1:72.
# config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy allow
    next
end
2. Create a wireless controller address group using the above address and set the default policy to deny.
# config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy deny
    next
end
3. On the virtual access point, select the above address group.
# config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet
        set address-group "mac_grp"
    next
end
After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) will be allowed to connect to SSID Fortinet-psk. Other clients won't be able to connect to the SSID.
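The following is an added example, not part of the original article and not Fortinet code: a small offline check that reads a configuration in the form shown above and reports whether a given client MAC would be allowed or denied on a VAP, following the behavior the two procedures describe (a listed address uses its own policy, every other client gets the group's default-policy). The function names are hypothetical, the sample is constructed from the article's allow-list commands, and the parser assumes only the flat config/edit/set/next/end stanzas used here.

```python
import shlex

# Constructed sample: the article's allow-list variant as one config dump.
SAMPLE = '''
config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy allow
    next
end
config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy deny
    next
end
config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set address-group "mac_grp"
    next
end
'''

def parse_config(text):
    """Parse flat config/edit/set stanzas into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, {}, {}
    for raw in text.splitlines():
        tok = shlex.split(raw.lstrip("# \t"))  # tolerate a leading CLI prompt
        if tok[:1] == ["config"]:
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[:1] == ["edit"]:
            entry = table.setdefault(tok[1], {})
        elif tok[:1] == ["set"]:
            entry[tok[1]] = tok[2:]
    return tables

def mac_filter_decision(cfg, vap_name, mac):
    """Return 'allow' or 'deny' for a client MAC on a VAP (MAC filter only)."""
    norm = lambda m: m.lower().replace("-", ":")
    vap = cfg["wireless-controller vap"][vap_name]
    if "address-group" not in vap:
        return "allow"  # no MAC filter attached to this VAP
    group = cfg["wireless-controller addrgrp"][vap["address-group"][0]]
    for name in group.get("addresses", []):
        addr = cfg["wireless-controller address"][name]
        if norm(addr["mac"][0]) == norm(mac):
            return addr["policy"][0]  # a listed address uses its own policy
    return group["default-policy"][0]  # everyone else gets the group default
```

The result covers the MAC filter only; because the filter is independent of the SSID security mode, an "allow" here still leaves the client subject to the configured authentication.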