laltuzar
Staff
Article Id 409081
Description

 

This article describes how to add more MAC addresses when using Address group policy authentication after the maximum number of MAC addresses has been reached by FortiGate.

 

Scope

 

FortiAP MAC address authentication.

FortiOS any version.

 

Solution

 

The Address group policy can be configured on the SSID; see Adding a MAC Filter. It allows or denies access to a wireless SSID for a specific group of MAC addresses. With this feature, a number of MAC addresses can be registered on the FortiGate and referenced to authenticate a user. Refer to the maximum values table for each FortiGate model to find the approximate value.

 

However, it is important to understand that this limit cannot be exceeded once reached, and that it is also not possible to nest one group inside another group. If groups are nested, authentication simply stops working for all users trying to authenticate.
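One way to check a configuration backup for the two conditions described above, as an added example that is not from the original article. The config keys in the constructed sample (`address-group` under `config wireless-controller vap`, `member` under `config firewall addrgrp`) are assumed to match the FortiOS version in use, and `max_members` is a placeholder for the value from the model's maximum values table.

```python
import re

# Constructed sample of a FortiGate config backup (no VDOMs); all names are made up.
SAMPLE_CONFIG = '''
config firewall addrgrp
    edit "wifi-macs-a"
        set member "laptop-01" "laptop-02"
    next
    edit "wifi-macs-all"
        set member "wifi-macs-a" "laptop-03"
    next
end
config wireless-controller vap
    edit "corp-ssid"
        set address-group "wifi-macs-all"
        set address-group-policy allow
    next
end
'''

def section(config, name):
    """Parse one top-level 'config <name>' block into {entry: {key: [values]}}."""
    entries, current, depth, inside = {}, None, 0, False
    for line in config.splitlines():
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if words[0] == "config":
            depth += 1  # nested sub-blocks raise depth and are skipped
            if depth == 1:
                inside = " ".join(words[1:]) == name
        elif words[0] == "end":
            depth -= 1
            inside = inside and depth > 0
        elif inside and depth == 1 and words[0] == "edit":
            current = entries.setdefault(words[1], {})
        elif inside and depth == 1 and words[0] == "set" and current is not None:
            current[words[1]] = words[2:]
    return entries

def audit_mac_groups(config, max_members):
    """Flag SSID filter groups that nest a group or are full (max_members: assumed limit)."""
    groups, findings = section(config, "firewall addrgrp"), []
    for ssid, vap in section(config, "wireless-controller vap").items():
        for group in vap.get("address-group", []):
            members = groups.get(group, {}).get("member", [])
            nested = [m for m in members if m in groups]
            if nested:
                findings.append((ssid, group, "nested: " + ",".join(nested)))
            if len(members) >= max_members:
                findings.append((ssid, group, f"full: {len(members)}/{max_members}"))
    return findings
```
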

 

It is also important to mention that this method of authentication should not be used alone. Instead, it should be used along with other types of security measures, such as encryption, as the documentation referenced above states.

 

Alternative authentication solutions are available, such as dynamic VLAN assignment with RADIUS, captive portal authentication with local or remote users, VLAN assignment by FortiAP group, and FSSO, among other methods. If the network administrator is unsure which solution best fits their needs, it is highly recommended to contact the Fortinet sales representative to discuss the different solutions available.