FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
hbac
Staff
Staff
Article Id 280203
Description This article describes an issue when Wi-Fi connections to an SSID get denied with 'action=client-denial" and reason="STA denied on WTP due to VAP ACL' in the WiFi Events logs. 
Scope FortiGate.
Solution

This issue happens when the 'Address group policy' is enabled and set to 'Allow' under the SSID -> Client MAC Address Filtering and the Wi-Fi client's MAC address is not included in the 'Address group'.

 

The same issue happens if the Wi-Fi client's MAC address is included in the 'Address group' but the 'Address group policy' is set to deny. Ensure the client's MAC addresses are included in the address group and the action is set to allow. 

 

SSIDS.PNG

Contributors