Technical Tip: How to configure MAC filter on SSID
Description
This article explains how to configure MAC filter on SSID.
Important note:
• The MAC filter function is independent of the SSID security mode: it is applied whatever authentication the VAP uses (PSK, 802.1X or open), in addition to that authentication.
• To enable MAC filter on SSID, first configure the address objects and the address group: wireless controller address and addrgrp objects in FortiOS 7.0 and earlier, firewall address objects of type mac and a firewall address group in FortiOS 7.2 and later. See instructions below.
• A MAC filter is an administrative control, not a security boundary. Client MAC addresses are sent in the clear in every 802.11 frame and are trivially spoofed, and clients that use randomized (private) Wi-Fi addresses will not match an entry recorded from a different address. Keep a strong passphrase or 802.1X on the SSID regardless of the filter.

Scope
All FortiOS versions.
Solution
Note: the following instructions are relevant for FortiOS 7.0 and earlier. In FortiOS 7.2 and later the configuration method has changed (see further below for 7.2+ instructions).
To block a specific client from connecting to the SSID using MAC filter:
- Create a wireless controller address with the client MAC address and set the policy to deny. In this example, the client MAC address is b4:ae:2b:cb:d1:72.
config wireless-controller address
edit "client_1"
set mac b4:ae:2b:cb:d1:72
set policy deny
next
end
Syntax:
config wireless-controller address
edit <id>
set mac {mac-address}
set policy [allow|deny]
next
end
policy (default: deny):
allow: allow the client with this MAC address.
deny: block the client with this MAC address.
- Create a wireless controller address group using the above address and set the default policy to allow.
config wireless-controller addrgrp
edit mac_grp
set addresses "client_1"
set default-policy allow
next
end
Syntax:
config wireless-controller addrgrp
Description: Configure the MAC address group.
edit <id>
set addresses <id1> <id2> ...
set default-policy [allow|deny]
next
end
Multiple address names are space-separated. default-policy (default: allow) applies to clients whose MAC addresses are not in the group:
allow: allow clients whose MAC addresses are not in the group.
deny: block clients whose MAC addresses are not in the group.
- On the virtual access point (VAP), select the above address group.
config wireless-controller vap
edit wifi-vap
set ssid "Fortinet-psk"
set security wpa2-only-personal
set passphrase fortinet
set address-group "mac_grp"
next
end
After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) will no longer be allowed to connect to SSID Fortinet-psk. Other clients will be able to connect to the SSID.
To allow a specific client to connect to the SSID using MAC filter:
- Create a wireless controller address with the same MAC address as the client and set the policy to allow. In this example, the client's MAC address is b4:ae:2b:cb:d1:72.
config wireless-controller address
edit "client_1"
set mac b4:ae:2b:cb:d1:72
set policy allow
next
end
- Create a wireless controller address group using the above address and set the default policy to deny.
config wireless-controller addrgrp
edit mac_grp
set addresses "client_1"
set default-policy deny
next
end
- On the virtual access point, select the above address group.
config wireless-controller vap
edit wifi-vap
set ssid "Fortinet-psk"
set security wpa2-only-personal
set passphrase fortinet
set address-group "mac_grp"
next
end
After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) will be allowed to connect to SSID Fortinet-psk. Other clients will not be able to connect to the SSID.
From FortiOS 7.2.x onward the MAC filter uses firewall address objects of type mac instead of wireless-controller address objects, and the allow/deny decision moves from the address group to the VAP (address-group-policy). The configuration is as follows:
- Create the firewall address entry:
config firewall address
edit "client-1"
set type mac
set macaddr "b4:ae:2b:cb:d1:72"
next
end
- Create a firewall address group and select the address entry that was just created.
config firewall addrgrp
edit "mac-group"
set member "client-1"
next
end
- To ALLOW the connection, select the created address-group and set the address-group-policy to allow:
config wireless-controller vap
edit "wifi-vap"
set ssid "Fortinet-psk"
set passphrase fortinet
set address-group-policy allow
set address-group "mac-group"
next
end
Note: When applying a MAC address group to an SSID, the FortiGate may display a message similar to the following.
# set address-group "mac-group"
WARNING: at most 1024 "firewall address" with 'mac' type in the address-group would take effect
This is an informational message, not an error. It reports the maximum number of MAC-type firewall address objects that this platform applies from a single address group (1024 here). The limit is platform dependent: entry-level units typically support 256. Entries beyond the limit are silently ignored. For example, if the address group contains 1030 MAC address entries on a platform with a 1024-entry limit, only the first 1024 are applied and the remaining 6 are ignored, so a client you expected to be allowed (or blocked) may not be.
To verify the MAC address objects included in a specific address group, run the following command:
diagnose wireless-controller wlac -c addrgrp
To DENY the connection, select the created address-group and set the address-group-policy to deny:
config wireless-controller vap
edit "wifi-vap"
set ssid "Fortinet-psk"
set passphrase fortinet
set address-group-policy deny
set address-group "mac-group"
next
end
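Both procedures above (the wireless-controller objects for FortiOS 7.0 and earlier, and the firewall address objects for 7.2 and later) build the same few CLI objects by hand. The following Python script is an added example, not Fortinet code and not part of the original article: it generates that CLI from a client list for either syntax, canonicalises and de-duplicates the MAC addresses, refuses to exceed the per-group limit instead of letting the FortiGate silently truncate the group, and flags locally administered (randomised) addresses that will not keep matching. The object names <vap>_client_N and <vap>_mac_grp, the max_entries default and the sample client list are this script's own assumptions.

```python
"""Generate FortiOS CLI for an SSID MAC filter from a client list.

Added example for this article, not Fortinet code; the object names
<vap>_client_N and <vap>_mac_grp are this script's own convention.
"""
import re
from typing import Iterable, List, Tuple

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise aa:bb:.., aa-bb-.., aabb.ccdd.eeff or bare hex to
    lower-case aa:bb:cc:dd:ee:ff; reject anything else."""
    s = mac.strip().lower()
    if re.fullmatch(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", s):
        s = s.replace(".", "")
    if re.fullmatch(r"[0-9a-f]{12}", s):
        s = ":".join(s[i:i + 2] for i in range(0, 12, 2))
    s = s.replace("-", ":")
    if not _MAC_RE.match(s):
        raise ValueError(f"not a MAC address: {mac!r}")
    return s


def is_locally_administered(mac: str) -> bool:
    """U/L bit (bit 1 of the first octet) set. Randomised 'private' Wi-Fi
    addresses on current iOS/Android/Windows set it, so a filter entry taken
    from one stops matching as soon as the client rotates its address."""
    return int(mac[:2], 16) & 0x02 != 0


def build_mac_filter(vap: str, ssid: str, clients: Iterable[str], policy: str,
                     legacy: bool = False,
                     max_entries: int = 1024) -> Tuple[str, List[str]]:
    """Return (cli_text, warnings).

    policy="allow": only the listed MACs may join; policy="deny": they are
    blocked and everyone else may join. legacy=True emits the FortiOS 7.0 and
    earlier wireless-controller objects, legacy=False the 7.2+ firewall
    objects. max_entries is the per-group limit the FortiGate prints when the
    group is bound to the VAP (1024 in the article, 256 on entry-level units).
    """
    if policy not in ("allow", "deny"):
        raise ValueError("policy must be 'allow' or 'deny'")
    # Canonicalise and de-duplicate while keeping input order.
    macs = list(dict.fromkeys(normalize_mac(m) for m in clients))
    if not macs:
        raise ValueError("client list is empty")
    if len(macs) > max_entries:
        # The FortiGate would silently apply only the first max_entries
        # objects; refuse so nobody is unexpectedly let in or locked out.
        raise ValueError(f"{len(macs)} MACs exceed the {max_entries}-entry limit")
    warnings = [f"{m} is locally administered (randomised?); entry may not stick"
                for m in macs if is_locally_administered(m)]

    names = [f"{vap}_client_{i}" for i in range(1, len(macs) + 1)]
    grp = f"{vap}_mac_grp"
    quoted = " ".join(f'"{n}"' for n in names)
    out: List[str] = []
    if legacy:
        out.append("config wireless-controller address")
        for n, m in zip(names, macs):
            out += [f'    edit "{n}"', f"        set mac {m}",
                    f"        set policy {policy}", "    next"]
        # default-policy governs clients NOT in the group: the opposite of policy.
        default = "deny" if policy == "allow" else "allow"
        out += ["end", "config wireless-controller addrgrp", f'    edit "{grp}"',
                f"        set addresses {quoted}",
                f"        set default-policy {default}", "    next", "end"]
        vap_lines = [f'        set address-group "{grp}"']
    else:
        out.append("config firewall address")
        for n, m in zip(names, macs):
            out += [f'    edit "{n}"', "        set type mac",
                    f'        set macaddr "{m}"', "    next"]
        out += ["end", "config firewall addrgrp", f'    edit "{grp}"',
                f"        set member {quoted}", "    next", "end"]
        vap_lines = [f"        set address-group-policy {policy}",
                     f'        set address-group "{grp}"']
    # Only the filter attributes are touched on the VAP; its security mode and
    # passphrase stay as already configured (the filter is independent of them).
    out += ["config wireless-controller vap", f'    edit "{vap}"',
            f'        set ssid "{ssid}"', *vap_lines, "    next", "end"]
    return "\n".join(out) + "\n", warnings


if __name__ == "__main__":
    # Constructed sample: the article's MAC in two notations (de-duplicated)
    # plus an address with the U/L bit set, which the script flags.
    cli, warns = build_mac_filter(
        "wifi-vap", "Fortinet-psk",
        ["B4-AE-2B-CB-D1-72", "b4ae.2bcb.d172", "da:a1:19:12:34:56"], "allow")
    print(cli, *("WARNING: " + w for w in warns), sep="\n")
```

Paste the printed CLI into the FortiGate console; the VAP must already exist with its security mode and passphrase set, because the script only touches the address-group attributes. Running it with policy="deny" produces the block-list variant, and legacy=True produces the 7.0-and-earlier form with the default-policy inverted, exactly as in the manual steps above.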