Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

Dynamic Mac Address - Wi-Fi

Hello, everyone!
I hope everyone is doing great.


In our company, we have a Fortigate-100F and multiple FortiAP-231F.


Many of our employees have old Android phones that do not support WPA2-Enterprise, so I had to share a password, which got out of hands, and many unauthorized users are now using the Wi-Fi.


I have done my research, asked on Fortinet community, and asked a professional, and the results say for this can, I can either user mac address filtering or a RADIUS server, which requires hardware and software plus a more complex configuration. I don't want to add to the headache I already have.


The professional mentioned dynamic mac address filtering (or something like that). I looked on the web, but could not find what this guy told me. He will charge me if he helps me, so I want to avoid that.


He said something like, when a new user connects to the Wi-Fi, their address will show up somewhere, and I can add the user's name, so I know who each user is on the firewall's connected users' list, what activities are done, and see the logs.


Does anyone have an idea regarding this solution?


Best regards,

#Fortigate #FortiAP #MacAddressFiltering

Sagvan Saleem
Sagvan Saleem

Hi Sagvan

If you can't use RADIUS MAC filtering, I can suggest a workaround where you only allow the specific MAC addresses at firewall policy level. I mean in your guest-SSID related  firewall policy you select the specific MAC addresses as source instead of any.

This will allow only these MAC addresses to use internet and will deny the others.

However this will work only if your users use a fixed MAC address, because in phones usually the MAC address is dynamic, so they have to fix it otherwise it will not work.


Keep in mind that MAC address filtering (either by RADIUS or firewall policy) is not a so secure method because any user with average experience can copy the MAC address and use it in his device so he can use the WiFi.


PS: The MAC address of the connected users is listed in DHCP monitoring and in Device Inventory.



Thank you for the reply.


You are right. I tried with a mac address. Then I tried at another time, and it was denied.


So let's say I use this method, is there a way I can make this static even on the user's side without making it more heavy on me as I will have to manage these users?

Sagvan Saleem
Sagvan Saleem

Usually in Android, the random MAC will be generated the first time it connects to the SSID and will not be changed as long as the SSID is not deleted (at least what I have tested). This behavior can be changed on SSID configuration on the phone in the section Privacy. You can also instruct the users that if they don't select "Use device MAC" they will not get network access.
The random MAC addresses still have some patterns. You will be able to identify a random MAC by checking the value of the second octet:

  • x2:xx:xx:xx:xx:xx
  • x6:xx:xx:xx:xx:xx
  • xA:xx:xx:xx:xx:xx
  • xE:xx:xx:xx:xx:xx
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

WPA2 requires a RADIUS server - but it's not complicated. There is one included for free in Windows Server, if that is available to you (called "NPS").


If MAC filtering does not work for you and all allowed devices, then you may set up an access portal in the FGT. Users are presented with a web page where they have to enter name and password. The FGT will check that against either a local database or LDAP/MSAD.

This is well documented in the Admin Guide, and not uncommon for WiFi networks (think hotel guest WiFi).

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors