Wireless MAC Filter Updates

This feature changes the MAC filter function on SSIDs so that it is only based on the MAC address of clients. Previously, the MAC filter worked with device-detection and clients could be filtered by MAC address or device type.

The filter configuration in the CLI is moved from user device and user device-access-list to wireless-controller address and wireless-controller addrgrp respectively.

The new MAC filter function is independent from the security mode of the SSID. To enable it on an SSID, the wireless controller address and address group must be configured.

To block a specific client from connecting to an SSID using a MAC filter:

Create a wireless controller address with the client's MAC address, and set the policy to deny:

config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy deny
    next
end

Create a wireless controller address group using the above address and setting the default policy to allow:

config wireless-controller addrgrp
   edit mac_grp
       set addresses "client_1"
       set default-policy allow
   next
end

On the VAP, select the above address group:
```
config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet       
        set address-group "mac_grp"
    next
end
```
The client's MAC address (b4:ae:2b:cb:d1:72 in this example) will be denied a connection to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be allowed to connect.

To allow a specific client to connect to an SSID using a MAC filter:

Create a wireless controller address with the client's MAC address, and set the policy to allow:

config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy allow
    next
end

Create a wireless controller address group using the above address and setting the default policy to deny:

config wireless-controller addrgrp
   edit mac_grp
       set addresses "client_1"
       set default-policy deny
   next
end

On the VAP, select the above address group:
```
config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet       
        set address-group "mac_grp"
    next
end
```
The client's MAC address (b4:ae:2b:cb:d1:73 in this example) will be allowed to connect to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be denied a connection.

Wireless MAC Filter Updates

The filter configuration in the CLI is moved from user device and user device-access-list to wireless-controller address and wireless-controller addrgrp respectively.

The new MAC filter function is independent from the security mode of the SSID. To enable it on an SSID, the wireless controller address and address group must be configured.

To block a specific client from connecting to an SSID using a MAC filter:

Create a wireless controller address with the client's MAC address, and set the policy to deny:

config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy deny
    next
end

Create a wireless controller address group using the above address and setting the default policy to allow:

config wireless-controller addrgrp
   edit mac_grp
       set addresses "client_1"
       set default-policy allow
   next
end

On the VAP, select the above address group:

config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet       
        set address-group "mac_grp"
    next
end

The client's MAC address (b4:ae:2b:cb:d1:72 in this example) will be denied a connection to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be allowed to connect.

To allow a specific client to connect to an SSID using a MAC filter:

Create a wireless controller address with the client's MAC address, and set the policy to allow:

config wireless-controller address
    edit "client_1"
        set mac b4:ae:2b:cb:d1:72
        set policy allow
    next
end

Create a wireless controller address group using the above address and setting the default policy to deny:

config wireless-controller addrgrp
   edit mac_grp
       set addresses "client_1"
       set default-policy deny
   next
end

On the VAP, select the above address group:

config wireless-controller vap
    edit wifi-vap
        set ssid "Fortinet-psk"
        set security wpa2-only-personal
        set passphrase fortinet       
        set address-group "mac_grp"
    next
end

The client's MAC address (b4:ae:2b:cb:d1:73 in this example) will be allowed to connect to the SSID (Fortinet-psk), but other clients (such as e0:33:8e:e9:65:01) will be denied a connection.

New Features

Wireless MAC Filter Updates

Wireless MAC Filter Updates

To block a specific client from connecting to an SSID using a MAC filter:

To allow a specific client to connect to an SSID using a MAC filter:

Wireless MAC Filter Updates

To block a specific client from connecting to an SSID using a MAC filter:

To allow a specific client to connect to an SSID using a MAC filter: