FortiWLC – Configure MAC Filtering

Configure MAC Filtering

MAC filtering controls a user station’s access to the WLAN by permitting or denying access based on specific MAC addresses. A MAC address is unique to each IEEE 802-compliant networking device. In 802.11 wireless networks, network access can be controlled by permitting or denying a specific station MAC address, assigned to its wireless NIC card, from attempting to access the WLAN.

The Wireless LAN System provides MAC filtering using the following methods:

  • Locally on the Controller, through the administration of an Access Control List (ACL) that permits or denies access for specific stations based on their unique MAC addresses. Two ACLs are available for MAC filtering:
  • Permit ACL, which limits access to only those MAC addresses on the permit list
  • Deny ACL, which specifically disallows access to those addresses (clients) on the deny

list

The following flowcharts illustrate how MAC filtering works:

MAC Filtering Behaviour

If ACL environment is Deny list

If ACL environment is Permit

If ACL environment is Disabled

Changes made to the local access/deny ACL are implemented in real time.

  • Remotely, in conjunction with the RADIUS Server, which is configured to authorize access to a set of MAC addresses. The user authentication follows the procedure shown in RADIUS Authentication, but a MAC address is used for user validation.

If the Controller Deny ACL is enabled, those addresses on the Deny list overrule MAC addresses on the RADIUS Server. Changes made to the MAC addresses on the RADIUS Server are not implemented in real time.

  • Per ESS, which allows MAC filtering to be enabled or disabled in the associated Security Profile, overriding the MAC filtering setting on the controller, or on the RADIUS server.

The state that is set for the MAC filtering option determines the type of access control in use, with the precedence in the order of ESS Security Profile setting, local MAC filtering list, and then the RADIUS Server state:

  • For Controller ACL administration, the valid states are: disabled: (default) both the permit and deny ACLs are inactive, even if they contain MAC addresses
  • permit: permit ACL is enabled and deny ACL (if it exists) is disabled
  • deny: deny ACL is enabled and permit ACL (if it exists) is disabled
  • For remote RADIUS Server administration, the valid states are:
  • enabled
  • disabled

The following table summarizes the controller/RADIUS Server settings.

                   RADIUS Server Setting

disabled                        enabled

MAC

Filtering

disabled

no MAC filtering RADIUS MAC filtering only
Permit ACL enabled allow client in Permit list only check Permit list first; if

not in Permit list, check

RADIUS server

Deny ACL enabled Deny list used only if not in Deny list, check

RADIUS server

Configure MAC Filtering

MAC filtering can be set up for both the controller and the RADIUS Server. By default, MAC filtering is disabled. Enable MAC filtering before adding MAC addresses. MAC filtering provides the following features:

  • Enforced per security profile.
  • Simultaneously use permit and deny list.
  • Specify the same MAC address in both permit and deny list.
  • Ability to simultaneously use global permit and deny list along with RADIUS based MAC-filtering per ESS level.

To change the state of MAC filtering so that the permit list is enabled, use the mac‐filterstate permit command

Add addresses to a permit ACL list by specifying them as command arguments, or by importing them from a prepared list. To add one or more MAC addresses to the permit access control list along with a brief description, type the following:

controller(config)# access‐list permit 00:40:96:51:eb:2b 00:40:96:51:eb:22 controller(config‐acl‐permit)# descr MyClient controller(config‐acl‐permit)# end

To import a list of MAC addresses to permit, create a text file listing all the MAC addresses, and import the text file. When creating the text file to be imported, only include one MAC address, in hexadecimal format (xx:xx:xx:xx:xx:xx), per line. For example, the contents of a text file to be imported might look like the following:

00:04:23:87:89:71

00:06:25:a7:e9:11

00:07:e9:15:69:40

00:0c:30:be:f8:19 00:0c:e6:09:46:64

00:0c:e6:12:07:41

After creating the text file, transfer the file to the controller’s /images directory. Use the CLI copy command to transfer the file to the controller. Check that the file has been copied using the dir command. The following example shows the command to import a text file named acl that adds the MAC addresses to the permit ACL list: controller(config)# access-list permit import acl

00:04:23:87:89:71

00:06:25:a7:e9:11

00:07:e9:15:69:40

00:0c:30:be:f8:19 00:0c:e6:09:46:64

00:0c:e6:12:07:41

00:0c:e6:bd:01:05

Successfully Added : 7

Duplicate Entries  : 0 Invalid Format     : 0

Entries Processed  : 7

Configure a Deny MAC Filtering List

To set up a Deny MAC Filtering List, enable the ACL deny state and then either configure a Deny ACL or import a Deny ACL.

A Deny ACL takes precedence over RADIUS Server access, so you can use it to immediately deny access to a station or black-list certain clients (for example, if they have a virus or are attacking other devices).

By default, MAC filtering is disabled. To change the state of MAC filtering so that the deny list is enabled, use the mac‐filter‐state deny command.

Add client addresses to a deny ACL list by either specifying them as command arguments, or by importing them from a prepared list. This command specifies them as command arguments and enters a brief description:

controller(config)# access‐list deny 00:40:96:51:eb:2b 00:40:96:51:eb:10 controller(config‐acl‐deny)# descr DenyStation controller(config‐acl‐deny)# end controller(config)#

To import a list of MAC addresses to deny, create a text file listing all the MAC addresses, and import the text file. When creating the text file to be imported, only include one MAC address, in hexadecimal format (xx:xx:xx:xx:xx:xx), per line. For example, the contents of a text file to be imported might look like the following:

00:04:23:87:89:71

00:06:25:a7:e9:11

00:07:e9:15:69:40

00:0c:30:be:f8:19

00:0c:e6:09:46:64

00:0c:e6:12:07:41

After creating a text file for import, transfer the file to the controller’s /images directory using the CLI copy command. Ensure that the file has been copied using the dir command. Then, import the file.

The following example imports a text file named denyacl that adds the MAC addresses to the deny ACL list:

controller(config)# access-list deny import denyacl

00:04:23:87:89:71

00:06:25:a7:e9:11

00:07:e9:15:69:40

00:0c:30:be:f8:19

00:0c:e6:09:46:64

00:0c:e6:12:07:41

Successfully Added : 6

Duplicate Entries  : 0 Invalid Format     : 0

Entries Processed  : 6

Active connections do not get disconnected if the ACL environment is changed from Permit to Deny.

However, during successive connection the MAC entry is filtered against deny or permit list.

Configure a Remote RADIUS Server for MAC Filtering

When RADIUS Server MAC filtering is enabled, station MAC addresses are set up and managed by a remote RADIUS Server. When a new station attempts to join the WLAN, the Controller queries the RADIUS server with the MAC address to determine whether the client is

 

permitted. If the RADIUS server does not respond, or responds that the client is not authorized, the client is blocked from entering the WLAN.

RADIUS Server configuration with the CLI is performed using the mac‐filter‐radius‐server   command in the security profile where you specify the configuration profile for the primary (and optional secondary) RADIUS Server (includes IP address, secret key, port, and the delimiter used between MAC addresses in its authorization table).

This radius server is used only in one of the following conditions:

  • If ACL environment is set to deny list and the MAC entry is not in the deny list then the packet is forward to the radius server.
  • If ACL environment is set to permit list and the MAC entry is not in the permit list then the packet is forwarded to the radius server.

For more information on configuring a RADIUS profile, see “Configure 802.1X RADIUS Security With the CLI” on page 226.

Configure an Security Profile for MAC Filtering

Control is provided per security profile via settings to turn off or on MAC Filtering settings. For example, if controller-based MAC filtering or if RADIUS Server MAC Filtering is enabled, the command no macfiltering disables those settings for the ESS. To enable global MAC filtering again, use the macfiltering command.

This entry was posted in Administration Guides, FortiWLC on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.