| Description | This article describes an issue where Wi-Fi connections to an SSID are denied with action="client-denial" and reason="STA denied on WTP due to VAP ACL" in the WiFi Events logs. |
| Scope | FortiGate. |
| Solution |
This issue happens when 'Address group policy' is enabled and set to 'Allow' under the SSID -> Client MAC Address Filtering, and the Wi-Fi client's MAC address is not included in the 'Address group'.
The same issue happens if the Wi-Fi client's MAC address is included in the 'Address group' but the 'Address group policy' is set to 'Deny'. Ensure the client's MAC addresses are included in the address group and the action is set to 'Allow'.
|
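To triage these denials in bulk, the following added example (not Fortinet code) parses exported key=value log lines and reports which of the two conditions described above explains each denial. The `stamac` and `ssid` field names, the sample lines, and the MAC addresses are assumptions constructed for illustration; only the `action` and `reason` values come from this article.

```python
import re

# Action and reason values quoted in the article.
DENY_ACTION = "client-denial"
DENY_REASON = "STA denied on WTP due to VAP ACL"
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"

def parse_kv(line):
    """Split one key=value log line into a dict."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def norm_mac(mac):
    """Compare MACs regardless of case or separator."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def explain_denials(lines, group_macs, policy):
    """Return (ssid, mac, cause) per VAP ACL denial; policy is 'allow' or 'deny'."""
    members = {norm_mac(m) for m in group_macs}
    findings = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("action") != DENY_ACTION or ev.get("reason") != DENY_REASON:
            continue  # unrelated wireless event
        mac = ev.get("stamac", "")  # assumed field name for the client MAC
        in_group = norm_mac(mac) in members
        if policy == "allow" and not in_group:
            cause = "not in address group while policy is allow"
        elif policy == "deny" and in_group:
            cause = "in address group while policy is deny"
        else:
            cause = "not explained by this group/policy; exported copy may be stale"
        findings.append((ev.get("ssid"), mac, cause))
    return findings

# Constructed sample log lines (not real FortiGate output).
SAMPLE = [
    'date=2026-01-10 time=09:15:02 ssid="corp-wifi" stamac="02:00:00:aa:bb:01" '
    'action="client-denial" reason="STA denied on WTP due to VAP ACL"',
    'date=2026-01-10 time=09:15:09 ssid="corp-wifi" stamac="02:00:00:aa:bb:02" '
    'action="client-association" reason="none"',
    'date=2026-01-10 time=09:16:40 ssid="corp-wifi" stamac="02:00:00:AA:BB:03" '
    'action="client-denial" reason="STA denied on WTP due to VAP ACL"',
]

if __name__ == "__main__":
    for finding in explain_denials(SAMPLE, ["02-00-00-AA-BB-03"], "allow"):
        print(finding)
```

A denial that neither condition explains usually means the group membership or policy passed to the script no longer matches what is configured on the SSID.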
Copyright 2026 Fortinet, Inc. All Rights Reserved.