This recipe demonstrates how to add device definitions to your FortiGate using Media Access Control (MAC) addresses. These definitions are then used to identify which devices can access the WiFi network.
By using a MAC address for identification, you can also assign a reserved IP for exclusive use by the device when it connects to the WiFi network.
Warning: MAC addresses are trivially spoofed by anyone who can observe the wireless traffic, so MAC-based identification is a convenience for assigning addresses and policies to known devices, not an access control. Protect the network with WPA2/WPA3 authentication and treat the device definitions below as labels, not as proof of identity.
On a Windows device, open the command prompt and type ipconfig /all to display configuration information for all network connections.
The MAC address is the Physical Address listed under the wireless adapter. Windows shows it with dashes (for example B0-9F-BA-71-D8-BB); the FortiGate expects colon-separated pairs (B0:9F:BA:71:D8:BB).
On a Mac, open Terminal and type ifconfig en1 | grep ether, and take note of the displayed MAC address.
The Wi-Fi interface is not always en1 (on many Macs it is en0). If in doubt, run networksetup -listallhardwareports and use the Device name listed under Hardware Port: Wi-Fi.
On an iOS device, open Settings > General > About. The Wi-Fi Address is the MAC address of the device.
Note that iOS 14 and later enable Private Wi-Fi Address by default, which presents a different, randomized MAC address to each network. Disable it for this network (Settings > Wi-Fi, tap the network, turn off Private Wi-Fi Address) or the device will not match the definition you create below.
On an Android device, open Settings > General > About Phone > Hardware Info and take note of the Wi-Fi MAC address. The exact menu path varies by manufacturer and Android version.
Android 10 and later use a randomized MAC address per Wi-Fi network by default. In the network's details, set Privacy to Use device MAC, or the device will not match its definition.
Go to User & Device > Custom Devices & Groups and create a new device definition.
Set MAC Address to the device's address and set the other fields as required. In the example, a device definition is created for an iPhone with the MAC Address B0:9F:BA:71:D8:BB.
Go to User & Device > Device Inventory. The new definition now appears in your device list. If device identification is enabled on the wireless interface, the FortiGate also creates definitions automatically for the devices it detects; their MAC addresses let you match each definition to a physical device.
Go to User & Device > Custom Devices & Groups and create a new group.
Add the new device to the Members list.
Go to Network > Interfaces and edit the wireless interface. If the FortiAP is in bridge mode, you will need to edit the internal interface.
Under DHCP Server, expand Advanced. Create a new entry in the MAC Reservation + Access Control list that reserves an IP address within the DHCP range for the device's MAC address.
Go to Policy & Objects > IPv4 Policy and create a new policy.
Set Incoming Interface to your wireless interface, Source Device Type to the device group, and Outgoing Interface to the Internet-facing interface.
Ensure that NAT is turned on.
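As an added example (not part of the Fortinet recipe), the following Python script ties the steps above together: it normalizes MAC addresses copied from the four platforms into the colon form the FortiGate expects, rejects randomized (locally administered) or multicast addresses that cannot identify a single device, and prints the FortiOS CLI counterpart of the GUI steps (device definitions, device group, DHCP reservation and policy). The interface names wifi and wan1, the object names, the IDs and the second sample device are assumptions. The CLI keywords are those of the FortiOS 5.6/6.0 CLI as I know them, and the set action reserved line is what I expect the MAC Reservation + Access Control entry to produce; compare the output with a show of an object created in the GUI before pasting it in.

```python
import re

# Constructed sample device list, as an administrator might collect it from the
# steps above. Formats are deliberately mixed: Windows prints dashes, macOS
# prints lowercase colons, iOS/Android print uppercase colons.
DEVICES = [
    {"name": "iPhone", "mac": "B0:9F:BA:71:D8:BB", "ip": "10.10.1.12"},  # from the recipe
    {"name": "Laptop", "mac": "b0-9f-ba-71-d8-cc", "ip": "10.10.1.13"},  # constructed
]

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx or xxxx.xxxx.xxxx in either case
    and return lowercase colon-separated form, which FortiOS accepts in MAC fields."""
    digits = re.sub(r"[\s:.\-]", "", raw.strip()).lower()
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when bit 0x02 of the first octet is set. Randomized addresses (iOS 14+
    Private Address, Android 10+ MAC randomization) are generated with this bit set,
    so a definition keyed on such an address stops matching when it rotates."""
    return bool(int(mac[:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """True when bit 0x01 of the first octet is set; never a valid station address."""
    return bool(int(mac[:2], 16) & 0x01)


def prepare_devices(devices):
    """Normalize every MAC and reject addresses that cannot identify one device.
    Returns a new list; raises ValueError naming the offending device."""
    out = []
    for dev in devices:
        mac = normalize_mac(dev["mac"])
        if is_multicast(mac):
            raise ValueError(f"{dev['name']}: {mac} is a multicast address")
        if is_locally_administered(mac):
            raise ValueError(f"{dev['name']}: {mac} looks randomized; disable Private "
                             "Address / MAC randomization and use the real address")
        out.append({**dev, "mac": mac})
    return out


def fortios_config(devices, wifi_if="wifi", wan_if="wan1",
                   group="Wireless-Devices", dhcp_id=1, policy_id=1) -> str:
    """Emit the CLI counterpart of the GUI steps. Interface names, object names and
    IDs are assumptions for the example; keywords follow the FortiOS 5.6/6.0 CLI.
    'set action reserved' is assumed to be the CLI form of a MAC Reservation entry."""
    devs = prepare_devices(devices)
    lines = ["config user device"]
    for d in devs:
        lines += [f'    edit "{d["name"]}"', f'        set mac {d["mac"]}', "    next"]
    lines += ["end", "config user device-group", f'    edit "{group}"',
              "        set member " + " ".join(f'"{d["name"]}"' for d in devs),
              "    next", "end"]
    lines += ["config system dhcp server", f"    edit {dhcp_id}",
              f'        set interface "{wifi_if}"', "        config reserved-address"]
    for i, d in enumerate(devs, 1):
        lines += [f"            edit {i}", f'                set ip {d["ip"]}',
                  f'                set mac {d["mac"]}',
                  "                set action reserved", "            next"]
    lines += ["        end", "    next", "end"]
    lines += ["config firewall policy", f"    edit {policy_id}",
              f'        set srcintf "{wifi_if}"', f'        set dstintf "{wan_if}"',
              '        set srcaddr "all"', '        set dstaddr "all"',
              "        set action accept", '        set schedule "always"',
              '        set service "ALL"', f'        set devices "{group}"',
              "        set nat enable", "    next", "end"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(fortios_config(DEVICES))
```

Run it with the collected device list and paste the output into the FortiGate CLI. The randomized-address check is the part worth keeping even if you configure everything in the GUI: a definition built from an iOS or Android address with the locally administered bit set will silently stop matching the next time the device rotates its address.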
Connect to the wireless network with a device that is a member of the device group. The device should connect and be able to reach the Internet.
A device that is not a group member does not match the policy, so its traffic is dropped by the implicit deny and it cannot reach the Internet. It may still associate with the SSID and obtain a DHCP lease unless you also block unknown MAC addresses in the DHCP MAC Reservation + Access Control list.
Go to FortiView > All Sessions and select the now time period. Filter the results by Source IP using the reserved address (in the example, 10.10.1.12) to verify that only the wireless device is using it.