In this recipe, you will configure a managed FortiAP to filter client devices based on MAC address. Only authorized devices will have access to the wireless network.
In the example, only a single device is authorized, but you can add devices as required.
PREP 15 mins COOK 1 min TOTAL 16 mins
1. Acquiring the MAC address

Acquire the MAC address of a particular device as follows:

2. Creating the FortiAP interface

Go to Network > Interfaces and create an internal FortiAP interface. Set Addressing Mode to Manual and set an IP/Network Mask. Under Administrative Access, enable CAPWAP. Enable DHCP Server and set the Starting IP and End IP. Enable Device Detection and click OK.

3. Defining a device using its MAC address

Go to User & Device > Custom Devices & Groups and create a new device definition. Set MAC Address to the device’s address obtained in Step 1 and set the other fields as required.

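An added example, not part of the original recipe: addresses collected in Step 1 come in different notations depending on the operating system, and an address with the locally administered bit set is typically randomized or manually assigned, so it will not stay stable as an allowlist entry. This Python sketch normalizes a constructed inventory and sets aside entries that are malformed, duplicated, or locally administered; the function names, device names and addresses are made up for illustration.

```python
import re

def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated octets, or raise ValueError."""
    # Accept 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e, 001a.2b3c.4d5e and bare hex.
    digits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify_mac(mac):
    """Return reasons the address is a poor allowlist entry (empty list = usable)."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    problems = []
    if first_octet & 0x01:  # I/G bit: group (multicast/broadcast) address
        problems.append("multicast bit set: not a single station's address")
    if first_octet & 0x02:  # U/L bit: locally administered, e.g. randomized
        problems.append("locally administered: randomized or manually set")
    return problems

def build_allowlist(entries):
    """Split {name: raw MAC} into accepted {mac: name} and rejected {name: reasons}."""
    accepted, rejected = {}, {}
    for name, raw in entries.items():
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected[name] = [str(exc)]
            continue
        problems = classify_mac(mac)
        if mac in accepted:
            problems.append(f"duplicate of {accepted[mac]}")
        if problems:
            rejected[name] = problems
        else:
            accepted[mac] = name
    return accepted, rejected

# Constructed sample inventory; names and addresses are made up.
SAMPLE = {
    "laptop-win": "00-1A-2B-3C-4D-5E",
    "laptop-dup": "001a.2b3c.4d5e",
    "phone-private": "DA:A1:19:00:11:22",
    "typo": "00:1A:2B:3C:4D",
}

if __name__ == "__main__":
    print(build_allowlist(SAMPLE))
```

For a device rejected as locally administered, record its hardware address instead, or turn off the private-address feature for this SSID on the device, before creating the definition in Step 3.
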
4. Creating the new SSID

Go to WiFi & Switch Controller > SSID and create a new SSID. Set Traffic Mode to Tunnel. Select an IP/Network Mask for the wireless interface and enable DHCP Server. Enable Device Detection.

Under WiFi Settings, name the SSID (in the example, MySecureWiFi). Set the Security Mode as required and enter a secure Pre-shared Key. Enable Broadcast SSID. Under Filter clients by MAC Address, enable Local and select Add from device list. Add the device you configured in Step 3 and set its Action to Accept. Set the Action for Unknown MAC Addresses to Deny.

If you haven’t already, connect the FortiAP unit to the interface created in Step 2.

5. Managing the FortiAP

Go to WiFi & Switch Controller > Managed FortiAPs. If the FortiAP is not listed you may need to wait a few minutes. If the device still does not appear, select Create New > Managed AP. Once you enter the Serial Number, the default FortiAP Profile for that model is selected. Click OK.

6. Authorizing the managed FortiAP

Right-click on the FortiAP, and select Authorize.

The device interface will be down initially. After a few minutes, click Refresh to confirm that the device is authorized.

7. Editing the default FortiAP Profile

Go to WiFi & Switch Controller > FortiAP Profiles and Edit the default profile for your particular FortiAP model.

For all radios you wish to use, set the SSID to Manual and select the SSID created in Step 4.

8. Allowing wireless access to the Internet

Go to Policy & Objects > IPv4 Policy and create a new policy. Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface. Enable NAT.

9. Results

Using the authorized device, connect to the broadcast SSID (in the example, MySecureWiFi).

Go to Log & Report > WiFi Events and verify the authorized connection.

Attempt to connect using an unauthorized device and verify that the connection was rejected.

Go to Monitor > WiFi Client Monitor to view the status of the connected WiFi clients.

The post Filtering WiFi clients by MAC address appeared first on Fortinet Cookbook.