MAC access control with a WiFi network


This recipe demonstrates how to add device definitions to your FortiGate using Media Access Control (MAC) addresses. These definitions are then used to identify which devices can access the WiFi network.

By using a MAC address for identification, you can also assign a reserved IP for exclusive use by the device when it connects to the WiFi network.

Warning: Since MAC addresses can be easily spoofed, using MAC to control access should not be considered a security measure.


1. Finding the MAC address of a device

For Windows devices:

Open the command prompt and type ipconfig /all to display configuration information for all network connections.

The MAC address of your Windows device is the Physical Address, under information about the wireless adapter.

For Mac OS X devices:

Open Terminal and type ifconfig en1 | grep ether.

Take note of the displayed MAC address.

For iOS devices:

Open Settings > General > About.

The Wi-Fi Address is the MAC address of your iOS device.

For Android devices:

Open Settings > General > About Phone > Hardware Info.

Take note of the Wi-Fi MAC address of your Android device.

2. Defining a device using its MAC address

Go to User & Device > Custom Devices & Groups and create a new device definition.

Set MAC Address to the device’s address and set the other fields as required. In the example, a device definition is created for an iPhone with the MAC Address B0:9F:BA:71:D8:BB.

Go to User & Device > Device Inventory. The new definition now appears in your device list.


3. Creating a device group

Go to User & Device > Custom Devices & Groups and create a new group.

Add the new device to the Members list.

4. Reserving an IP address for the device

Go to Network > Interfaces and edit the wireless interface.

Under DHCP Server, expand Advanced. Create a new entry in the MAC Reservation + Access Control list that reserves an IP address within the DHCP range for the device’s MAC address.


5. Creating a security policy for wireless traffic

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to your wireless interface, Source Device Type to the device group, and Outgoing Interface to the Internet-facing interface.

Ensure that NAT is turned on.
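The same configuration as steps 2 to 5, written as FortiOS 5.4 CLI; this is an added example rendered from memory of the CLI, not part of the recipe. The device name, group name, interface names (wifi, wan1) and the DHCP server ID (1) are assumptions; the MAC address and reserved IP are the recipe's own.

```fortios
# Step 2: device definition keyed on the MAC address
config user device
    edit "judith-iphone"
        set mac B0:9F:BA:71:D8:BB
    next
end

# Step 3: device group referenced by the firewall policy
config user device-group
    edit "wifi-allowed"
        set member "judith-iphone"
    next
end

# Step 4: reserve 10.10.1.12 for that MAC in the wireless interface's DHCP scope
# (ID 1 is the assumed ID of the DHCP server already bound to the wireless interface)
config system dhcp server
    edit 1
        config reserved-address
            edit 1
                set ip 10.10.1.12
                set mac B0:9F:BA:71:D8:BB
            next
        end
    next
end

# Step 5: only members of the device group may reach the Internet, with NAT
# (edit 0 creates the policy with the next free ID)
config firewall policy
    edit 0
        set srcintf "wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set devices "wifi-allowed"
        set nat enable
    next
end
```

Check the CLI reference for your exact build before pasting, since option names differ between FortiOS releases.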

6. Results

Connect to the wireless network with a device that is a member of the device group. The device should be able to connect and allow Internet access.

Connection attempts from a device that is not a group member will fail.

Go to FortiView > All Sessions and view the results for the now time period. Filter the results using the reserved Source IP (in the example, 10.10.1.12) to verify that it is being used exclusively by the wireless device.

For further reading, check out Managing “bring your own device” in the FortiOS 5.4 Handbook.

Judith Haney


Technical Writer at Fortinet
Judith Haney is a Technical Writer on the FortiOS technical documentation team. She graduated with honours from Algonquin College's Technical Writer program in September 2014. In a previous lifetime, Judith earned degrees in Mathematics (B.S.) and French literature (M.A.).
Notes:

The instructions in step 1 for finding a MAC address were written for the most recent OS versions. Older versions may use different methods.

If you have enabled device identification on the wireless interface, device definitions will be created automatically. You can then use MAC addresses to identify which device a definition refers to.

If the FortiAP is in bridge mode, you will need to edit the internal interface instead of the wireless interface.
  • manatee75

    Is it a requirement if you want to use a “whitelist” MAC access list to wifi to use the internal DHCP server of the Fortigate? It should be MAC based, not IP based. Thanks.

    • Victoria Martin

      Using the internal DHCP server is not required for that configuration.

  • Amr Enany

    Is it mandatory for the FG to provide IP addresses (DHCP Server) to be able to block MAC addresses?

    • Victoria Martin

      No, it is not.

  • Abhineet

    As per the above given flowchart, what will happen if the FortiGate does not recognize any MAC address when a wireless device attempts to connect (the first step)?

    What if only particular MAC addresses are to be blocked and all other devices allowed when they connect to wifi? Will the above steps work?

    • Victoria Martin

      Hello Abhineet,

      You could use MAC addresses to block devices, rather than allowing them. If that was the case, the policy that uses the user group with devices you want to block would have its action set to DENY rather than ACCEPT. You would then need a second policy that allows other devices to connect to the WiFi and this policy would need to be located below the first policy in your list.

      For more information, I’d recommend looking at the “User and device authentication” recipe, which also uses a policy set to DENY: http://cookbook.fortinet.com/user-and-device-authentication-54/