shaik
New Contributor

Configuring MAC Filtering

Hi guys, I moved from FortiGate OS Version 4 Patch 3 to Version 5 Patch 2. In the old OS version it was easy to configure the MAC filtering list from the CLI. In the new version there is a user access-list with devices and stuff. I can't succeed in configuring it to make it work! Can someone give me an example from start to end of how to configure one SSID to accept a specific MAC address? Thanks a lot!
Bromont_FTNT
Staff

I'll have to check further, but the MAC filter list on the FortiGate may have been replaced by radius-mac-auth, where you would configure your RADIUS server with the allowed MAC IDs.
shaik
New Contributor

It doesn't make sense that I must configure a RADIUS server, because in the current state MAC filtering is working with the MACs configured in the previous version, but every new MAC I'm trying to add via user access-list can't connect to the SSID. I just can't understand where MAC filtering is configured in this version.

Edit: this is the error I see in the firewall WiFi logs when trying to connect with a new device I just added to the user access-list: "STA denied due to BYOD-ACL on association"

Edit 2: I found that if I add my new device's MAC to the head of the "device-access-list" list it works, so can I understand from this test that the length of this list is limited? Please shed some light on the issue.
Bromont_FTNT
Staff

CLI guide shows these commands removed... seems to point towards using reserved MAC in the DHCP server. I suppose the idea is that if someone is smart enough to statically assign themselves the right IP and gateway they could spoof MAC ID too.
shaik
New Contributor

As I said, I'm using v5 GA 2 and I still have "config user device-access-list", which is the key to MAC filtering. Also, as I said, I did some tests and I figured that only the new MACs I add (60+) are not working; when I move the new one I just added to the top of the list, it does connect to the WiFi! So, any idea? Any limitations?
jmguerrero
New Contributor

Have you tried to configure MAC address authentication via RADIUS?

    config wireless-controller vap
        edit vap1
            set radius-mac-auth enable
            set radius-mac-auth-server 192.168.1.95
    end

from: http://goo.gl/sDbFcw
shaik
New Contributor

I don't have a RADIUS server in my LAN.
anly_FTNT
Staff

radius-mac-auth is RADIUS-based MAC authentication. It is different from the BYOD feature, which is an enhancement of mac-filter-list. For your BYOD question, I think it is related to how you set up your device-access-list. The first matching member in the list has higher priority, so if a device falls into multiple members in your list, the action of the first member will be effective.
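
A small Python model of the first-match behaviour described in the reply above, showing how an entry appended at the end of a list can be overridden by an earlier member and why moving it to the head changes the result. This is an added example, not FortiOS code and not from any poster in the thread; the member names, MAC addresses, group contents and the `evaluate`/`shadowed` helpers are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Member:
    name: str        # hypothetical label for a list member
    macs: frozenset  # MACs this member matches (one device or a whole group)
    action: str      # "accept" or "deny"

def norm(mac):
    """Normalise separators and case so the same MAC always compares equal."""
    return mac.strip().replace("-", ":").lower()

def member(name, macs, action):
    return Member(name, frozenset(norm(m) for m in macs), action)

def evaluate(acl, mac, default_action="deny"):
    """The first member matching the MAC decides; later members are never consulted."""
    mac = norm(mac)
    for m in acl:
        if mac in m.macs:
            return m.action, m.name
    return default_action, None

def shadowed(acl):
    """Return (mac, later_member, deciding_member) for every entry whose
    action is overridden by an earlier member with a different action."""
    first, findings = {}, []
    for m in acl:
        for mac in sorted(m.macs):
            if mac not in first:
                first[mac] = m
            elif first[mac].action != m.action:
                findings.append((mac, m.name, first[mac].name))
    return findings

# Constructed sample data: a broad deny group that also contains the new device.
NEW_PHONE = "AA-BB-CC-00-00-3D"
ACL = [
    member("laptop-01", ["aa:bb:cc:00:00:01"], "accept"),
    member("unknown-phones", ["aa:bb:cc:00:00:3d", "aa:bb:cc:00:00:3e"], "deny"),
    member("new-phone", [NEW_PHONE], "accept"),  # appended last, as in the thread
]
REORDERED = [ACL[2], ACL[0], ACL[1]]  # same members, new entry moved to the head

if __name__ == "__main__":
    print(evaluate(ACL, NEW_PHONE))        # decided by the earlier group
    print(evaluate(REORDERED, NEW_PHONE))  # decided by the device's own entry
    print(shadowed(ACL))                   # overlaps worth reviewing
```

Running `shadowed` over an exported list before appending a new device shows which existing member would decide for that MAC, which is easier to audit than reordering entries by trial and error.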