Filtering WiFi clients by MAC address


In this recipe, you will configure a managed FortiAP to filter client devices based on MAC address. Only authorized devices will have access to the wireless network.

In the example, only a single device is authorized, but you can add devices as required.

PREP 15 mins      COOK 1 min      TOTAL 16 mins

1. Acquiring the MAC address

Acquire the MAC address of a particular device as follows:

  • Windows device:
    Open the command prompt and type ipconfig /all.
    The MAC address of your Windows device is the Physical Address, under information about the wireless adapter.
  • Mac OS X device:
    Open Terminal and type ifconfig en1 | grep ether.
    Take note of the displayed MAC address.
  • iOS device:
    Open Settings > General > About.
    The Wi-Fi Address  is the MAC address of your iOS device.
  • Android device:
    Open Settings > About Device > Status.
    Take note of the Wi-Fi MAC address of your Android device.

2. Creating the FortiAP interface

Go to Network > Interfaces and create an internal FortiAP interface.

Set Addressing Mode to Manual and set an IP/Network Mask.

Under Administrative Access, enable CAPWAP.

Enable DHCP Server and set the Starting IP and End IP.

Enable Device Detection and click OK.

3. Defining a device using its MAC address

Go to User & Device > Custom Devices & Groups and create a new device definition.

Set MAC Address to the device’s address obtained in Step 1 and set the other fields as required.

4. Creating the new SSID

Go to WiFi & Switch Controller > SSID and create a new SSID.

Set Traffic Mode to Tunnel.

Select an IP/Network Mask for the wireless interface and enable DHCP Server.

Enable Device Detection.


Under WiFi Settings, name the SSID (in the example, MySecureWiFi).

Set the Security Mode as required and enter a secure Pre-shared Key.

Enable Broadcast SSID.

Under Filter clients by MAC Address, enable Local and select Add from device list.

Add the device you configured in Step 3 and set its Action to Accept. Set the Action for Unknown MAC Addresses to Deny.

If you haven’t already, connect the FortiAP unit to the interface created in Step 2.

5. Managing the FortiAP

Go to WiFi & Switch Controller > Managed FortiAPs.

If the FortiAP is not listed you may need to wait a few minutes. If the device still does not appear, select Create New > Managed AP.

Once you enter the Serial Number, the default FortiAP Profile for that model is selected. Click OK.

6. Authorizing the managed FortiAP

Right-click on the FortiAP, and select Authorize.
The device interface will be down initially, but after a few minutes, click Refresh and a  will confirm that the device is authorized.

7. Editing the default FortiAP Profile

Go to WiFi & Switch Controller > FortiAP Profiles and Edit the default profile for your particular FortiAP model.

For all radios you wish to use, set the SSID to Manual and select the SSID created in Step 4.

8. Allowing wireless access to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy.

Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface.

Enable NAT.

9. Results

Using the authorized device, connect to the broadcast SSID (in the example, MySecureWifi).

Go to Log & Report > WiFi Events and verify the authorized connection.

Attempt to connect using an unauthorized device and verify that the connection was rejected.
Go to Monitor > WiFi Client Monitor to view the status of the connected WiFi clients.


Fortinet Technical Documentation

Fortinet Technical Documentation

Contact Fortinet Technical Documentation at
Fortinet Technical Documentation

Latest posts by Fortinet Technical Documentation (see all)

The FortiAP will be configured in Tunnel mode.
All times listed are approximations.
Note that some device types might be missing from this list. Furthermore, the instructions noted are relevant to the most recent operating systems at the time that this recipe was published. Older or newer operating systems may differ.
Optional: Enable PING for troubleshooting.
By default, the FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list but does not authorize them, as indicated by the  in the State column.