FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
spathak
Staff
Article Id 195304

Description

 

This article describes how to allow or block (control) specific users in a DHCP environment by using MAC Reservation + Access Control.

 

Scope

 

FortiGate.

Solution

 

A MAC Address Access Control List (ACL) allows or blocks access on a network interface that includes a DHCP server.

A MAC Address ACL functions as either a list of blocked devices or a list of allowed devices. This is determined by the 'Unknown MAC Address' entry.
- By default, the ACL is a list of blocked devices. The Action of the 'Unknown MAC Address' entry is 'Assign IP'. Add an entry for each MAC address to block and set its Action to 'Block'.
- To make the ACL allow only a limited set of devices, set the 'Unknown MAC Address' entry to 'Block'. Then add the MAC address of each allowed device and set its Action to 'Assign IP'.
- It is also possible to reserve an IP for a particular MAC address, so that the MAC address gets that reserved IP every time.

Steps to configure MAC Reservation + Access Control

Go to Network -> Interface -> edit the Interface -> DHCP server ->  Advanced.

 

 
Available actions:

1) Reserve IP: Reserves a particular IP for the defined MAC. Make sure to assign the IP from the DHCP range.
2) Assign IP: The MAC address gets an IP from the configured DHCP range.
3) Block: The DHCP server does not assign any IP to that MAC.

One further option is available: 'Unknown MAC Address'. It sets the action applied to every MAC address that has no entry of its own in the list.
- The action for 'Unknown MAC Address' can be set to 'Assign IP' or 'Block IP'.
(The recommendation is to set the action to 'Block IP'.)
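
The allowlist setup described above, as an added example that is not part of the original article: a Python helper that validates an entry list (MAC format, duplicates, reserved IP inside the DHCP range) and emits the CLI equivalent. The CLI keywords (`mac-acl-default-action`, `config reserved-address`, `set action reserved|assign|block`) are assumed here from the FortiOS DHCP server settings and should be checked against the CLI reference for the running version; the function name, server ID, address range, and MAC addresses are constructed for illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
ACTIONS = ("reserved", "assign", "block")  # GUI: Reserve IP / Assign IP / Block


def build_mac_acl(server_id, range_start, range_end, entries, unknown="block"):
    """Return FortiOS CLI text; entries is a list of (mac, action, ip_or_None)."""
    if unknown not in ("assign", "block"):
        raise ValueError("unknown-MAC action must be 'assign' or 'block'")
    lo = ipaddress.IPv4Address(range_start)
    hi = ipaddress.IPv4Address(range_end)
    seen_macs, seen_ips = set(), set()
    out = ["config system dhcp server", f"    edit {server_id}",
           f"        set mac-acl-default-action {unknown}",
           "        config reserved-address"]
    for idx, (mac, action, ip) in enumerate(entries, start=1):
        mac = mac.strip().lower().replace("-", ":")
        if not MAC_RE.match(mac) or mac in seen_macs:
            raise ValueError(f"malformed or duplicate MAC: {mac}")
        if action not in ACTIONS:
            raise ValueError(f"unsupported action: {action}")
        seen_macs.add(mac)
        out += [f"            edit {idx}", f"                set mac {mac}"]
        if action == "reserved":
            if ip is None:
                raise ValueError(f"{mac}: a reserved entry needs an IP")
            addr = ipaddress.IPv4Address(ip)
            # The article's caveat: a reserved IP must come from the DHCP range.
            if not lo <= addr <= hi or addr in seen_ips:
                raise ValueError(f"{addr} is outside {lo}-{hi} or already reserved")
            seen_ips.add(addr)
            out.append(f"                set ip {addr}")
        out += [f"                set action {action}", "            next"]
    return "\n".join(out + ["        end", "    next", "end"])


# Constructed sample data (RFC 7042 documentation MACs, private addressing).
SAMPLE = [
    ("00:00:5e:00:53:01", "reserved", "192.168.1.110"),  # always gets .110
    ("00-00-5E-00-53-02", "assign", None),               # any IP from the range
    ("00:00:5e:00:53:03", "block", None),                # never gets a lease
]

if __name__ == "__main__":
    print(build_mac_acl(1, "192.168.1.100", "192.168.1.200", SAMPLE))
```

With `unknown="block"` the generated configuration is an allowlist: only the listed MAC addresses with action `reserved` or `assign` receive a lease.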

Type:
- Regular = Use this for regular LAN users.
- IPsec = Use this for IPsec client-to-site users.

On FortiOS version 7.2.x, the 'MAC Reservation' option looks as shown in the screenshot below:


Capture123.PNG