FortiGate
sdash_FTNT
Staff
Article Id 192558

Description

This article describes how to control access with a MAC Address Access Control List on interfaces that have a DHCP server enabled.

Scope

FortiGate.


Solution

A MAC Address Access Control List (ACL) allows or blocks access on a network interface that includes a DHCP server.

A MAC Address ACL functions as either a list of blocked devices or a list of allowed devices. Which one it is depends on the 'Unknown MAC Address' entry.

 • By default, the ACL is a list of blocked devices: the 'Unknown MAC Address' entry's Action is 'Assign IP'. Add an entry for each MAC address to block and set its Action to 'Block'.

 • To have the ACL allow only a limited set of devices, set the 'Unknown MAC Address' entry's Action to 'Block'. Then add an entry for the MAC address of each allowed device and set its Action to 'Assign IP'.

Optionally, set Action to 'Reserve IP' and enter the IP address that will always be assigned to the device.

To create a MAC Address ACL to allow only specific devices:

  1. Go to the SSID or network interface configuration.
  2. In the DHCP Server section, expand Advanced. DHCP Server must be enabled.
  3. In MAC Reservation + Access Control, select Create New and enter an allowed device's MAC Address.
  4. In the IP or Action column, select one of:
     • Assign IP — device is assigned an IP address from the DHCP server address range.
     • Reserve IP — device is assigned the IP address that you specify.
  5. Repeat Steps 3 and 4 for each additional MAC address entry.
  6. Set the Unknown MAC Address entry IP or Action to Block.
  7. Select OK.


To create a MAC Address ACL to block specific devices:

  1. Go to the SSID or network interface configuration.
  2. In the DHCP Server section, expand Advanced. DHCP Server must be enabled.
  3. In MAC Reservation + Access Control, select Create New and enter a blocked device’s MAC Address.
  4. In the IP or Action column, select Block.
  5. Repeat Steps 3 and 4 for each additional MAC address entry.
  6. Set the Unknown MAC Address entry IP or Action to Assign IP.
  7. Select OK.

Example: (screenshot of the configuration, not reproduced here)
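The two GUI procedures above expressed in the FortiOS CLI, as an added example that is not part of the article: the interface names, address pools and MAC addresses are constructed placeholders, and the option names (`mac-acl-default-action`, and `action assign|block|reserved` under `config reserved-address`) are taken from the FortiOS CLI reference as I know it, so confirm them on your firmware with `?` before relying on them.

```text
config system dhcp server
    edit 1
        # Allow-list example (placeholder interface, pool and MACs).
        set interface "port2"
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.10.100
                set end-ip 192.168.10.200
            next
        end
        # GUI 'Unknown MAC Address' = Block: any MAC not listed gets no lease.
        set mac-acl-default-action block
        config reserved-address
            edit 1
                # Allowed device, leased from the pool (GUI: Assign IP).
                set mac 00:11:22:33:44:55
                set action assign
            next
            edit 2
                # Allowed device with a fixed address (GUI: Reserve IP).
                set mac 00:11:22:33:44:66
                set ip 192.168.10.50
                set action reserved
            next
        end
    next
    edit 2
        # Block-list example on another interface (placeholders again).
        set interface "port3"
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.20.100
                set end-ip 192.168.20.200
            next
        end
        # GUI 'Unknown MAC Address' = Assign IP: unlisted MACs get a lease.
        set mac-acl-default-action assign
        config reserved-address
            edit 1
                # Listed device is refused a lease (GUI: Block).
                set mac 00:11:22:33:44:77
                set action block
            next
        end
    next
end
```

Lines beginning with `#` are explanatory and should be removed before pasting into the CLI. The ACL governs DHCP lease assignment only; a host that sets a static address on the segment is not blocked by it and needs a separate control.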