Technical Tip: MAC address filtering for Wireless clients
Description
This document explains how to block a wireless device based on its MAC address.
Scope
This only works for wireless users, not for LAN users.
Solution
Below is the required configuration (FortiOS 5.0 or 5.2):
# config user device
    edit "Cellphone"
        set mac 40:0e:85:05:10:52
    next
end
# config user device-access-list
    edit "Private_wireles"
        set default-action accept
        config device-list
            edit 284
                set action deny
                set device "Cellphone"
            next
        end
    next
end
# show
config system interface
    edit "310SSID"
        set vdom "root"
        set ip 10.100.100.1 255.255.255.0
        set type vap-switch
        set device-identification enable
        set device-access-list "Private_wireles"
        set snmp-index 14
    next
end
The above configuration allows all wireless users except the one listed device ("Cellphone") to access the Internet, provided the traffic matches existing firewall policies.
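When more than one device has to be listed, the two blocks above can be generated from an inventory. The following Python script is an added example, not part of the original tip or of Fortinet's tooling: it normalizes MAC addresses written in other common notations, rejects malformed, multicast and duplicate entries, and emits the same CLI statements shown above. The names normalize_mac, build_config and SAMPLE are hypothetical, the "Tablet" entry is constructed, and the block=False allow-list form assumes that default-action and action both take accept and deny, as their use above suggests.

```python
import re

def normalize_mac(raw):
    """Return the MAC as aa:bb:cc:dd:ee:ff; raise ValueError if it is not a unicast MAC."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    if int(digits[:2], 16) & 1:
        # Group bit set: multicast or broadcast, never a client's own address.
        raise ValueError(f"multicast/broadcast address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_config(devices, list_name, block=True):
    """devices maps device name -> MAC. block=True gives the deny-list from the tip;
    block=False gives the inverse (default deny, listed devices accepted)."""
    macs = {}
    for name, raw in {list_name: None, **devices}.items():
        # Conservative name check (an assumption) so quoting cannot be broken.
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
            raise ValueError(f"unsafe name: {name!r}")
        if raw is None:
            continue
        mac = normalize_mac(raw)
        if mac in macs.values():
            raise ValueError(f"duplicate MAC {mac} under {name!r}")
        macs[name] = mac
    default, action = ("accept", "deny") if block else ("deny", "accept")
    out = ["config user device"]
    for name, mac in macs.items():
        out += [f'    edit "{name}"', f"        set mac {mac}", "    next"]
    out += ["end", "config user device-access-list", f'    edit "{list_name}"',
            f"        set default-action {default}", "        config device-list"]
    for idx, name in enumerate(macs, start=1):
        out += [f"            edit {idx}", f"                set action {action}",
                f'                set device "{name}"', "            next"]
    out += ["        end", "    next", "end"]
    return "\n".join(out)

# Constructed sample inventory; the first entry is the device from the tip.
SAMPLE = {"Cellphone": "40-0E-85-05-10-52", "Tablet": "0011.2233.4455"}

if __name__ == "__main__":
    print(build_config(SAMPLE, "Private_wireles"))
```

The printed output can be reviewed and pasted into the CLI; the access list still has to be referenced from the SSID interface with set device-access-list, as in the interface configuration above.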