FortiOS 5.2 Authentication: MAC access control


In this example, you will add device definitions to your FortiGate using Media Access Control (MAC) addresses. These definitions are then used to determine which devices can access the wireless network.

By using a MAC address for identification, you will also be able to assign a reserved IP for exclusive use by the device when it connects to the wireless network.

Warning: Since MAC addresses can be easily spoofed, using MAC access control should not be considered a security measure.

1. Finding the MAC address of a device

For Windows devices:

Open the command prompt and type ipconfig /all

The output displays configuration information for all of your network connections. Find the section for the wireless adapter and take note of its Physical Address.

For Mac OS X devices:

Open Terminal and type ifconfig en1 | grep ether.

Take note of the displayed MAC address.

For iOS devices:

Open Settings > General and take note of the Wi-Fi Address.

For Android devices:

Open Settings > More > About Device > Status and take note of the Wi-Fi MAC address.

2. Defining a device using its MAC address

Go to User & Device > Device > Device Definitions and create a new device definition.

Set MAC Address to the address of the device and set the other fields as required. In the example, a device definition is created for an iPhone with the MAC Address B0:34:95:C2:EF:D8.

The new definition will now appear in your device list.

3. Creating a device group

Go to User & Device > Device > Device Groups and create a new group.

Add the new device to the Members list.

4. Reserving an IP address for the device

Go to System > Network > Interfaces and edit the wireless interface.

Under DHCP Server, expand Advanced. Create a new entry in the MAC Reservation + Access Control list that reserves an IP address within the DHCP range for the device’s MAC address.

5. Creating a security policy for wireless traffic

Go to Policy & Objects > Policy > IPv4 and create a new policy.

Set Incoming Interface to your wireless interface, Source Device Type to the device group, and Outgoing Interface to the Internet-facing interface.

Ensure that NAT is turned on.

6. Results

Connect to the wireless network with a device that is a member of the device group. The device should be able to connect and access the Internet.

Connection attempts from a device that is not a group member will fail.

Go to System > FortiView > All Sessions and view the results for the "now" time period. Filter the results using the reserved Source IP (in the example, 10.10.80.20) to verify that it is being used exclusively by the wireless device.
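
The following added example (not part of the original cookbook and not Fortinet code) is a pre-check for steps 1, 2 and 4: it extracts the MAC address from ipconfig or ifconfig output, normalizes it to the colon-separated form shown in step 2, flags locally administered addresses (such as the randomized Wi-Fi addresses some devices use, which will not reliably match a device definition), and confirms that the reserved IP lies inside the DHCP range. The function names, the sample output lines and the DHCP range 10.10.80.2-10.10.80.254 are assumptions made for the example.

```python
import ipaddress
import re

# Six hex octets separated by ':' (ifconfig style) or '-' (ipconfig style).
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


def extract_mac(text):
    """Return the first MAC in command output as AA:BB:CC:DD:EE:FF, or None."""
    m = MAC_RE.search(text)
    if not m:
        return None
    return m.group(1).replace("-", ":").upper()


def mac_flags(mac):
    """List properties that make a MAC a poor key for a device definition."""
    first = int(mac.split(":")[0], 16)
    flags = []
    if first & 0x01:  # group bit: multicast or broadcast
        flags.append("multicast/broadcast, not a device address")
    if first & 0x02:  # locally administered bit
        flags.append("locally administered (randomized or manually set)")
    return flags


def check_reservation(mac, ip, range_start, range_end):
    """Validate one MAC reservation entry against the DHCP range."""
    problems = mac_flags(mac)
    addr = ipaddress.ip_address(ip)
    if not ipaddress.ip_address(range_start) <= addr <= ipaddress.ip_address(range_end):
        problems.append(f"{ip} is outside the DHCP range")
    return problems


# Constructed sample output lines; the MAC is the one used in step 2.
WINDOWS_LINE = "   Physical Address. . . . . . . . . : B0-34-95-C2-EF-D8"
MACOS_LINE = "\tether b0:34:95:c2:ef:d8 "
# Constructed: a randomized (private) Wi-Fi address.
PRIVATE_LINE = "\tether 3a:7f:10:22:9b:c4 "

if __name__ == "__main__":
    for line in (WINDOWS_LINE, MACOS_LINE, PRIVATE_LINE):
        mac = extract_mac(line)
        # The DHCP range below is an assumption for this example.
        print(mac, check_reservation(mac, "10.10.80.20", "10.10.80.2", "10.10.80.254"))
```

An empty list means the entry is safe to enter as written; any flagged address should be resolved on the device before the definition and reservation are created.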
