FortiGate
rameshk_FTNT
Staff
Article Id 194587
Description
This article describes how to block traffic from a specific MAC address on a FortiGate using a device access list, and how to invert the same list so that only the listed MAC addresses are allowed.

Solution
Filtering on MAC addresses is often preferred over filtering on IP addresses for client devices because a device's MAC address stays the same when its IP address changes (for example, after a new DHCP lease). Keep in mind that a MAC address is not a secret and can be changed with standard operating-system tools, so a device access list stops casual or accidental connections rather than a determined attacker who has learned an allowed MAC address.

In a wireless environment, MAC address filtering is a common measure to keep unwanted devices off the network. In this example the FortiGate accepts traffic only from specific MAC addresses; allowed devices can still be handed new IP addresses by DHCP and keep communicating, because the filter is keyed on the MAC address rather than the IP address. A host that merely spoofs an allowed IP address will be blocked, since its MAC address does not match any device on the list. A host that also spoofs an allowed MAC address is not stopped by this control, so combine it with wireless authentication (for example 802.1X) where stronger access control is needed.

Configuration CLI

To allow all MAC addresses except those in the list (the list only takes effect on interfaces where device identification is enabled, which step 3 configures):

Step 1) Create a custom user device entry for the MAC address to be blocked
# config user device
# edit user-1
# set mac AA:BB:CC:11:22:33 ----{ MAC address to be blocked.
# next
# end

Step 2) Create a device-access-list that references the device created above
# config user device-access-list
# edit Black-list
# set default-action accept   ----{ This will allow all MAC addresses except the one in the list.
# config device-list 
# edit 1
# set device "user-1"
# set action deny
# next
# end 
# next
# end

Step 3) Bind the device-access-list to the interface (the WiFi interface in this example). Device identification must be enabled on the interface, otherwise the list is not evaluated.
# config system interface
# edit [name]
# set device-identification enable
# set device-access-list Black-list
# next
# end

To do the opposite, that is, block every MAC address that is not in the list, use 'set default-action deny' on the list and 'set action accept' on each listed device in step 2 (the per-device action keyword is accept, not allow). The list name from step 2 is kept here for continuity; in practice give an allow list a name that reflects its purpose. Before binding a deny-by-default list to an interface, make sure every device that must keep working, including the one you are administering from, has an entry, or those clients will be cut off as soon as the list is applied. That is:
# config user device-access-list
# edit Black-list
# set default-action deny
# config device-list
# edit 1
# set device "user-1"
# set action accept
# next
# end
# next
# end
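Typing steps 1 to 3 by hand for more than a few MAC addresses is tedious and easy to get wrong (mixed MAC notations, duplicate entries, the wrong action keyword). The Python script below is an added example, not part of the original article or any Fortinet tool: it validates and normalizes MAC addresses in the common notations, removes duplicates, and emits the complete CLI for all three steps in either blocklist or allowlist mode, refusing to generate an allow list with no entries. The CLI keywords are those used in the article; the device naming scheme "<list>-dev-<n>", the interface name "wifi" and the sample MAC addresses are assumptions for illustration.

```python
"""Generate FortiGate device-access-list CLI from a list of MAC addresses.

Added example (not Fortinet code). The CLI keywords match the article above;
the device naming scheme "<list>-dev-<n>" is an assumption for illustration.
"""
import re

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC as AA:BB:CC:11:22:33 (colon-separated, uppercase as in the article).

    Accepts aa:bb:cc:11:22:33, aa-bb-cc-11-22-33, aabb.cc11.2233 and aabbcc112233.
    Raises ValueError for anything that is not exactly 12 hex digits.
    """
    digits = re.sub(r"[:\-.\s]", "", mac)
    if not _HEX12.match(digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def dedupe_macs(macs):
    """Normalize and drop duplicates, preserving order; duplicate entries would
    otherwise produce two devices with the same MAC under different names."""
    seen, out = set(), []
    for m in macs:
        n = normalize_mac(m)
        if n not in seen:
            seen.add(n)
            out.append(n)
    return out


def build_device_access_list(list_name, interface, macs, mode="blocklist"):
    """Emit the CLI for steps 1-3 of the article.

    mode="blocklist": default-action accept, each listed device deny.
    mode="allowlist": default-action deny,   each listed device accept.
    """
    if mode == "blocklist":
        default_action, entry_action = "accept", "deny"
    elif mode == "allowlist":
        default_action, entry_action = "deny", "accept"
    else:
        raise ValueError(f"mode must be 'blocklist' or 'allowlist', got {mode!r}")
    if mode == "allowlist" and not macs:
        # default-action deny with an empty list would cut off every client.
        raise ValueError("allowlist mode needs at least one MAC address")

    devices = dedupe_macs(macs)
    names = [f"{list_name}-dev-{i}" for i in range(1, len(devices) + 1)]
    out = []

    # Step 1: one custom device per MAC address
    out.append("config user device")
    for name, mac in zip(names, devices):
        out += [f'    edit "{name}"', f"        set mac {mac}", "    next"]
    out.append("end")

    # Step 2: the access list referencing those devices
    out += ["config user device-access-list", f'    edit "{list_name}"',
            f"        set default-action {default_action}",
            "        config device-list"]
    for i, name in enumerate(names, 1):
        out += [f"            edit {i}", f'                set device "{name}"',
                f"                set action {entry_action}", "            next"]
    out += ["        end", "    next", "end"]

    # Step 3: bind the list to the interface; device-identification is required
    out += ["config system interface", f'    edit "{interface}"',
            "        set device-identification enable",
            f'        set device-access-list "{list_name}"', "    next", "end"]
    return "\n".join(out)


def device_allowed(mac, macs, mode="blocklist"):
    """Model how the generated list treats a client: listed devices get the
    per-entry action, every other device gets the default action."""
    if mode not in ("blocklist", "allowlist"):
        raise ValueError(f"unknown mode {mode!r}")
    listed = normalize_mac(mac) in dedupe_macs(macs)
    return (not listed) if mode == "blocklist" else listed


if __name__ == "__main__":
    # Constructed sample input (not real devices); "wifi" is an assumed interface name.
    blocked = ["AA:BB:CC:11:22:33", "aa-bb-cc-11-22-33", "0011.2233.4455"]
    print(build_device_access_list("Black-list", "wifi", blocked))
```

Paste the printed output into the FortiGate CLI, or review it first with `diff` against the running configuration. The generator quotes every name; FortiOS accepts both the quoted form and the unquoted form the article uses.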
