FortiAP Management – Configuring MAC filter on SSID

Configuring MAC filter on SSID

This guide provides instructions for a simple configuration that enables MAC filtering on an SSID. Consider the following for this feature:

  • The MAC filter function is independent of the SSID security mode.
  • To enable MAC filter on SSID, you must first configure the wireless controller address and wireless controller address group. This is covered in the CLI instructions below.

The following shows a simple network topology for this recipe:

To block a specific client from connecting to the SSID using MAC filter:

  1. Create a wireless controller address with the same MAC address as the client and set the policy to deny. In this example, the client’s MAC address is b4:ae:2b:cb:d1:72:

config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy deny
    next
end

  2. Create a wireless controller address group. Select the above address. Set the default policy to allow:

config wireless-controller addrgrp
    edit "mac_grp"
        set addresses "client_1"
        set default-policy allow
    next
end

  3. On the virtual access point, select the created address group:

config wireless-controller vap
    edit "wifi-vap"
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet
        set address-group "mac_grp"
    next
end

After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) is denied from connecting to SSID Fortinet-psk. Other clients, such as a client with MAC address e0:33:8e:e9:65:01, can connect.

To allow a specific client to connect to the SSID using MAC filter:

  1. Create a wireless controller address with the same MAC address as the client and set the policy to allow (an address entry that is itself set to deny inside a group whose default policy is also deny would leave no client able to connect). In this example, the client’s MAC address is b4:ae:2b:cb:d1:72:

config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy allow
    next
end

  2. Create a wireless controller address group. Select the above address. Set the default policy to deny:

config wireless-controller addrgrp
    edit "mac_grp"
        set addresses "client_1"
        set default-policy deny
    next
end

  3. On the virtual access point, select the created address group:

config wireless-controller vap
    edit "wifi-vap"
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet
        set address-group "mac_grp"
    next
end

After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) can connect to SSID Fortinet-psk. Other clients, such as a client with MAC address e0:33:8e:e9:65:01, are denied from connecting.
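As an added check that is not part of the original guide or of FortiOS, the following Python parses the two CLI tables used above (wireless-controller address and addrgrp) and reports whether a given client MAC is admitted under an address group, applying the rule the guide describes: a matching address entry's policy wins, otherwise the group's default-policy applies. The embedded CLI text is a constructed sample in the page's syntax, and all function names are my own.

```python
# Constructed sample in the page's CLI syntax: the "block one client" case.
BLOCK_ONE_CLIENT = """config wireless-controller address
edit "client_1"
set mac b4:ae:2b:cb:d1:72
set policy deny
next
end
config wireless-controller addrgrp
edit "mac_grp"
set addresses "client_1"
set default-policy allow
next
end"""

def normalize_mac(mac):
    # Canonical lower-case aa:bb:cc:dd:ee:ff form; accepts ':', '-' or no separator.
    digits = mac.lower().replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_filter(cli_text):
    # Returns (addresses, groups); tables other than address/addrgrp (e.g. vap) are skipped.
    addresses, groups, table, entry = {}, {}, None, None
    for line in cli_text.splitlines():
        t = line.replace('"', " ").split()
        if t and t[0] == "config":
            table = t[-1]
            continue
        if not t or table not in ("address", "addrgrp"):
            continue
        store = addresses if table == "address" else groups
        if t[0] == "edit":
            entry = t[1]
            store[entry] = {}
        elif t[0] == "set" and t[1] == "mac":
            store[entry]["mac"] = normalize_mac(t[2])
        elif t[0] == "set" and t[1] == "addresses":
            store[entry]["addresses"] = t[2:]
        elif t[0] == "set":
            store[entry][t[1]] = t[2]
    return addresses, groups

def client_decision(addresses, groups, group_name, client_mac):
    # A matching address entry's policy wins; otherwise the group's default-policy applies.
    group, mac = groups[group_name], normalize_mac(client_mac)
    for name in group.get("addresses", []):
        if addresses[name].get("mac") == mac:
            return addresses[name]["policy"]
    return group["default-policy"]
```

Running the same text with both the address policy and the default-policy set to deny shows that no client is admitted, which is why the allow-list case needs the address entry set to allow.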

This entry was posted in Administration Guides, FortiAP, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “FortiAP Management – Configuring MAC filter on SSID”

  1. Alan Gorman

    On 6.0 and below local MAC address filtering was only available on tunnel SSIDs, not bridged. Looks like that did not change in 6.2 with the “config wireless-controller” setup. True?

