I'm testing the MAC reservation + Access Control on my new Wifi interface. If I set Unknown MAC Addresses to Block, it of course blocks any connections that aren't specified. If, however, I specify a MAC to test the connection and then remove it to test again, the computer can still connect even though the MAC Reservation has been removed.
How do I clear out the known MAC addresses so that the ones I remove are blocked like they should be?
Probably the session still existed when you changed the MAC address. Default session idle time is 300 seconds (?). If you don't want to wait, use a different service to test or zap the session table.
ede_pfau wrote: Probably the session still existed when you changed the MAC address. Default session idle time is 300 seconds (?). If you don't want to wait, use a different service to test or zap the session table.

If this was the case, then surely logging in the next day would have resulted in failure? Or Monday morning, after an entire weekend? Nope, it still lets me log in.
There has to be some way to fix this; otherwise it calls a security device's security into question...
Problem update: manually adding the MAC back to the reservation as a BLOCKED address, it still allows the computer to join the wifi network.
So, recap of the problem.
Unknown MAC addresses blocked.
Individual MAC assigned and allowed.
Machine connects and disconnects.
Individual MAC reservation deleted.
Machine still able to connect.
Individual MAC reservation assigned and set to block.
Machine still able to connect, despite being blocked.
Machine still able to connect after 3 days of inactivity.
I don't know about the rest of you, but I see this as a HUGE security flaw.
Steps taken to fix thus far.
In the CLI, run get system arp to verify the MAC is in the table.
Remove the DHCP entry through the DHCP monitor.
Remove the device from the device inventory.
In the CLI, run execute clear system arp table.
In the CLI, run get system arp to verify the MAC is gone.
Retest the connection: still successful. Repeat the above steps to remove it again. Now combing through the CLI for possible options while waiting for a possible timeout after removal to try again. Will try at 300 seconds, then a day if it still doesn't work.
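Added example, not code from the thread or from Fortinet: a small Python helper for the verification steps above. It parses output shaped like get system arp (column layout is assumed and the sample is constructed, not captured from the poster's device), normalizes MAC notation before comparing so that a reservation written with different separators or case is not mistaken for a different address, and encodes in access_decision the allow/block outcome the recap expects.

```python
import re

# Constructed sample in the shape of FortiGate's `get system arp` output.
# The column layout is an assumption; adjust parse_arp if your firmware differs.
SAMPLE_ARP = """\
Address           Age(min)   Hardware Addr      Interface
192.168.1.1       0          00:09:0f:aa:bb:cc  internal
192.168.1.57      2          A4-5E-60-11-22-33  wifi
"""


def normalize_mac(mac):
    """Canonical form: lowercase, colon-separated (e.g. a4:5e:60:11:22:33)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(output):
    """Turn the ARP table text into dicts; header line is skipped."""
    entries = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        ip, age, mac, iface = parts[:4]
        entries.append({
            "ip": ip,
            "age_min": int(age) if age.isdigit() else None,
            "mac": normalize_mac(mac),
            "interface": iface,
        })
    return entries


def mac_present(output, mac):
    """Entries still holding this MAC after `execute clear system arp table`."""
    target = normalize_mac(mac)
    return [e for e in parse_arp(output) if e["mac"] == target]


def access_decision(mac, allowed, blocked, unknown_policy="block"):
    """Expected outcome: explicit block wins, then explicit allow, else policy."""
    m = normalize_mac(mac)
    if m in {normalize_mac(b) for b in blocked}:
        return "block"
    if m in {normalize_mac(a) for a in allowed}:
        return "allow"
    return unknown_policy
```

If mac_present still returns entries after the clear, the table was not actually flushed; if it returns nothing and the client still joins, the ARP table is not what is admitting it.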