FortiAP Management – Configuring MAC filter on SSID

Configuring MAC filter on SSID

This guide provides instructions on simple configuration for enabling MAC filter on SSID. Consider the following for this feature:

  • The MAC filter function is independent of the SSID security mode.
  • To enable MAC filter on SSID, you must first configure the wireless controller address and wireless controller address group. This is covered in the CLI instructions below.

The following shows a simple network topology for this recipe:

To block a specific client from connecting to the SSID using MAC filter:

  1. Create a wireless controller address with the same MAC address as the client and set the policy to deny. In this example, the client’s MAC address is b4:ae:2b:cb:d1:72:

config wireless-controller address edit “client_1” set mac b4:ae:2b:cb:d1:72 set policy deny

next

end

  1. Create a wireless controller address group. Select the above address. Set the default policy to allow:

config wireless-controller addrgrp edit mac_grp set addresses “client_1” set default-policy allow

next

end

  1. On the virtual access point, select the created address group:

config wireless-controller vap edit wifi-vap set ssid “Fortinet-psk” set security wpa2-only-personal set passphrase fortinet set address-group “mac_grp”

next

end

After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) is denied from connecting to SSID Fortinetpsk. Other clients, such as a client with MAC address e0:33:8e:e9:65:01, can connect.

To allow a specific client to connect to the SSID using MAC filter:

  1. Create a wireless controller address with the same MAC address as the client and set the policy to deny. In this example, the client’s MAC address is b4:ae:2b:cb:d1:72:

config wireless-controller address edit “client_1” set mac b4:ae:2b:cb:d1:72

set policy deny

next

end

  1. Create a wireless controller address group. Select the above address. Set the default policy to deny:

config wireless-controller addrgrp edit mac_grp set addresses “client_1” set default-policy deny

next

end

  1. On the virtual access point, select the created address group:

config wireless-controller vap edit wifi-vap set ssid “Fortinet-psk” set security wpa2-only-personal set passphrase fortinet set address-group “mac_grp”

next

end

After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) can connect to SSID Fortinet-psk. Other clients, such as a client with MAC address e0:33:8e:e9:65:01, are denied from connecting.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos