CollabraIT
New Contributor II

Clear MAC reservation from interface

I'm testing the MAC reservation + Access Control on my new Wifi interface. If I set Unknown MAC Addresses to Block, it of course blocks any connections that aren't specified. If, however, I specify a MAC to test the connection and then remove it to test again, the computer can still connect even though the MAC Reservation has been removed.

How do I clear out the known MAC addresses so that the ones I remove are blocked like they should be?

ede_pfau
SuperUser

Probably the session still existed when you changed the MAC address. Default session idle time is 300 seconds (?). If you don't want to wait, use a different service to test or zap the session table.

Ede Kernel panic: Aiee, killing interrupt handler!
CollabraIT
New Contributor II

ede_pfau wrote:

Probably the session still existed when you changed the MAC address. Default session idle time is 300 seconds (?). If you don't want to wait, use a different service to test or zap the session table.

If this was the case, then surely logging in the next day would have resulted in failure? Or, Monday morning after an entire weekend? Nope, still lets me login.

There has to be some way to fix this, otherwise it calls a security device's security into question...

CollabraIT

Problem update. Even after manually adding the MAC back to the reservation as a BLOCKED address, the computer is still allowed to join the wifi network.

So, recap of the problem.

Unknown MAC addresses blocked

Individual MAC assigned and allowed

machine connects and disconnects

Individual MAC reservation deleted

machine still able to connect

Individual MAC reservation assigned and set to block

machine still able to connect, despite being blocked.

machine still able to connect after 3 days of inactivity.

I don't know about the rest of you, but I see this as a HUGE security flaw.

CollabraIT

Steps taken to fix thus far.

In the CLI, run get system arp to verify the MAC is in the table

Remove DHCP entry through DHCP monitor

Remove device from device inventory

In the CLI, run execute clear system arp table

In the CLI, run get system arp to verify the MAC is gone

Retest connection, still successful. Repeat above steps to remove again. Now combing through the CLI for possible options while waiting for a possible timeout after removal to try again. Will try at 300 seconds, then a day if it still doesn't work.
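The ARP-table check above is the useful part of the procedure: a DHCP reservation only decides whether the FortiGate hands out a lease, so the ARP table is what shows which hosts actually hold an address on the segment. The following script is an added example, not code from the post or from Fortinet; it parses a constructed sample of get system arp output (column layout assumed) and reports any MAC on the wifi interface whose reservation action, or the default for unknown MACs, is block.

```python
import re

# Constructed sample of FortiGate `get system arp` output. The column layout
# "Address  Age(min)  Hardware Addr  Interface" is an assumption, not from the post.
SAMPLE_ARP = """\
Address           Age(min)   Hardware Addr      Interface
192.168.50.10     0          AA:BB:CC:DD:EE:01  wifi
192.168.50.11     3          aa-bb-cc-dd-ee-02  wifi
192.168.1.5       12         00:11:22:33:44:55  internal
"""

# Hypothetical reservation table mirroring the poster's test: one MAC allowed,
# one explicitly set to block, and unknown MACs blocked by default.
RESERVATIONS = {
    "aa:bb:cc:dd:ee:01": "assign",
    "aa:bb:cc:dd:ee:02": "block",
}
UNKNOWN_MAC_ACTION = "block"

# One ARP entry: IP, age in minutes, MAC (colon or dash separated), interface.
_ENTRY = re.compile(
    r"^(\S+)\s+(\d+)\s+([0-9A-Fa-f]{2}(?:[:\-][0-9A-Fa-f]{2}){5})\s+(\S+)\s*$"
)

def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so 'AA-BB-..' equals 'aa:bb:..'."""
    return mac.replace("-", ":").lower()

def parse_arp(text: str):
    """Yield (ip, age_min, mac, interface) per entry line; header/blank lines skipped."""
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), normalize_mac(m.group(3)), m.group(4)

def policy_violations(arp_text, reservations, default_action, interface):
    """Return (mac, ip) for hosts present in the ARP table on `interface` whose
    reservation action (or the default for unknown MACs) is 'block', i.e. hosts
    that hold an address even though the DHCP access control says they should not."""
    bad = []
    for ip, _age, mac, iface in parse_arp(arp_text):
        if iface != interface:
            continue
        if reservations.get(mac, default_action) == "block":
            bad.append((mac, ip))
    return bad

if __name__ == "__main__":
    for mac, ip in policy_violations(SAMPLE_ARP, RESERVATIONS, UNKNOWN_MAC_ACTION, "wifi"):
        print(f"{mac} holds {ip} on wifi despite being blocked")
```

Run it against the real output of get system arp and the current reservation list after each removal step; an empty result means the table agrees with the policy, while any hit is a host that still has an address on the segment and should be investigated.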
