Configuring MAC filter on SSID
This guide shows a simple configuration for enabling a MAC filter on an SSID. Consider the following for this feature:
- The MAC filter function is independent of the SSID security mode.
- To enable MAC filter on SSID, you must first configure the wireless controller address and wireless controller address group. This is covered in the CLI instructions below.
The following shows a simple network topology for this recipe:
To block a specific client from connecting to the SSID using MAC filter:
- Create a wireless controller address with the same MAC address as the client and set the policy to deny. In this example, the client’s MAC address is b4:ae:2b:cb:d1:72:
config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy deny
    next
end
- Create a wireless controller address group. Select the above address. Set the default policy to allow:
config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy allow
    next
end
- On the virtual access point, select the created address group:
config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet
        set address-group "mac_grp"
    next
end
After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) is denied from connecting to SSID Fortinet-psk. Other clients, such as a client with MAC address e0:33:8e:e9:65:01, can connect.
To allow a specific client to connect to the SSID using MAC filter:
- Create a wireless controller address with the same MAC address as the client and set the policy to allow. In this example, the client's MAC address is b4:ae:2b:cb:d1:72:
config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy allow
    next
end
- Create a wireless controller address group. Select the above address. Set the default policy to deny:
config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy deny
    next
end
- On the virtual access point, select the created address group:
config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet
        set address-group "mac_grp"
    next
end
After this configuration, the client (MAC address b4:ae:2b:cb:d1:72) can connect to SSID Fortinet-psk. Other clients, such as a client with MAC address e0:33:8e:e9:65:01, are denied from connecting.
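To check which clients a candidate configuration admits before applying it, the following added example (not Fortinet code) parses the three CLI blocks used above and evaluates a client MAC against a virtual access point. The function names `parse` and `decision` are hypothetical. The evaluation order (a listed MAC gets its own address policy, any other MAC gets the group's default policy) is taken from the two outcomes described above, and treating a VAP with no address group as unfiltered is an assumption.

```python
import shlex

# Constructed sample: the "allow only client_1" configuration from this page.
SAMPLE = '''
config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy allow
    next
end
config wireless-controller addrgrp
    edit mac_grp
        set addresses "client_1"
        set default-policy deny
    next
end
config wireless-controller vap
    edit wifi-vap
        set address-group "mac_grp"
    next
end
'''

def parse(text):
    """Return {table: {entry: {key: [values]}}} from config/edit/set lines."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]  # blank lines match no branch below
        if tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and table is not None:
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return tables

def decision(cfg, vap, mac):
    """Effective 'allow' or 'deny' for a client MAC on the named VAP."""
    wc = lambda t: cfg.get("wireless-controller " + t, {})
    group = wc("vap")[vap].get("address-group")
    if not group:
        return "allow"  # assumption: no group attached means no MAC filtering
    grp = wc("addrgrp")[group[0]]
    for name in grp.get("addresses", []):
        addr = wc("address")[name]
        if addr["mac"][0].lower() == mac.lower():
            return addr["policy"][0]  # a listed client gets its own policy
    return grp["default-policy"][0]   # everyone else gets the group default
```

Running `decision` for a known-good client and an unlisted one catches a group whose default policy is deny and whose members are all deny, which locks every client out of the SSID.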