Description

This article describes how to add more MAC addresses when using Address group policy authentication after the maximum number of MAC addresses has been reached by FortiGate.

Scope

FortiAP MAC address authentication.

FortiOS any version.

Solution

It is possible to configure an address group policy on an SSID. Refer to Adding a MAC Filter for configuration details. This allows access to a wireless SSID to be allowed or denied based on a specific group of MAC addresses.

With this feature, multiple MAC addresses can be registered on the FortiGate and used for user authentication. For reference on supported limits, check the Maximum Values Table, which provides the approximate capacity for each FortiGate model and FortiOS version.

However, it is important to understand that this limit cannot be exceeded once reached and that it is not possible either to nest one group inside another group. By doing this second environment, authentication would simply stop working for all the users trying to authenticate.

Also important to mention that this method of authentication should not be used alone. Instead, it should be used along with other types of security measures, such as encryption, as the documentation referenced before states.

Alternative authentication solutions are available, like dynamic VLAN assignment with RADIUS, captive portal authentication with local or remote users, VLAN assignment by FortiAP group, FSSO, among other methods. Should the network administrator have doubts about which solution fits the needs better, it is highly recommended to get in touch with the Fortinet sales representative to discuss the different solutions available.

Related article:

Technical Tip: SSID MAC Filter using address group