Filter clients by MAC Address 6.0.4 Fortigate 300D

Author
Fabio
2019/03/26 03:14:07 (permalink) 6.0


Hi everyone, I have a really weird problem since I upgraded my Fortigate 300D to 6.0.4.

I have several WiFi SSIDs, but only 3 of them also have the local MAC address filter through the list of devices.

Everything worked as long as I had 5.6.6; since I updated to 6.0.4, only two WiFi networks continue to work with the local MAC address filter. The third WiFi does not work and denies access to the device even if it is present in the device-access-list.

The strange thing is that I can't understand why two work and the third does not work: they are configured in the same way.

Here are the device ACLs; this is the one that doesn't work:
config user device-access-list
    edit "WIFI_PUB_7"
        set default-action deny
        config device-list
            edit 1
                set device "AirXXX_1"
                set action accept
            next
            edit 2
                set device "AirXXX_2"
                set action accept
            next

config user device
    edit "AirXXX_1"
        set mac b4:e6:2d:b7:a7:99
        set comment "Room_XXXX"
        set category windows-device
    next
    edit "AirXXX_2"
        set mac b4:e6:2d:b7:87:79
        set comment "Room_XXXX"
        set category windows-device
    next

config system interface
    edit "WIFI_PUB_7"
        set vdom "root"
        set ip 10.3.12.1 255.255.255.0
        set allowaccess ping
        set type vap-switch
        set alias "aircare"
        set device-identification enable
        set device-identification-active-scan enable
        set device-access-list "WIFI_PUB_7"
        set role lan
        set snmp-index 58
    next

And this is the one that works:

    edit "WIFI_PUB_5"
        set default-action deny
        config device-list
            edit 1
                set device "Macbook_Pro_Slim_2018"
                set action accept
            next
            edit 2
                set device "notebook_XXXXX01"
                set action accept
            next
            edit 3
                set device "notebook_XXXXX02"
                set action accept
            next

config user device
    edit "Macbook_Pro_Slim_2018"
        set mac 8c:85:90:64:4e:a5
        set type mac
    next
    edit "notebook_XXXXX01"
        set mac b8:8a:60:e8:c3:17
        set type windows-pc
        set category windows-device
    next
    edit "notebook_XXXXX02"
        set mac b8:8a:60:e8:c2:27
        set type windows-pc
        set category windows-device
    next

config system interface
    edit "WIFI_PUB_5"
        set vdom "root"
        set ip 10.3.15.1 255.255.255.0
        set allowaccess ping
        set type vap-switch
        set device-identification enable
        set device-identification-active-scan enable
        set device-access-list "WIFI_PUB_5"
        set role lan
        set snmp-index 48
    next

The general behavior of the ACL is applied: the default action is respected, but it is as if it could not read the subsequent entries; in fact, if I change the default action to accept, the devices pass authentication.

What I thought of was a software limitation of the new firmware that does not manage more than two device-access-lists.
Obviously, I have rebooted the firewall and deleted and recreated the interface that was wrong.
#1
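Added example, not part of the original post and not Fortinet tooling: a small Python check that parses a saved FortiOS configuration, flags device-access-list entries that name a device not defined under "config user device", and reports which attributes every device of one list sets that no device of another list sets. The sample is constructed from the post's excerpts, and the function names (parse, audit, attrs_only_in) are hypothetical.

```python
import shlex

# Constructed sample condensed from the post's excerpts; "; " stands in for a newline.
# AirXXX_2 is deliberately left undefined to exercise the dangling-reference check.
SAMPLE = """config user device
edit "AirXXX_1"; set mac b4:e6:2d:b7:a7:99; set comment "Room_XXXX"; set category windows-device; next
edit "Macbook_Pro_Slim_2018"; set mac 8c:85:90:64:4e:a5; set type mac; next
edit "notebook_XXXXX01"; set mac b8:8a:60:e8:c3:17; set type windows-pc; set category windows-device; next
end
config user device-access-list
edit "WIFI_PUB_7"; set default-action deny; config device-list
edit 1; set device "AirXXX_1"; set action accept; next; edit 2; set device "AirXXX_2"; set action accept; next
end; next
edit "WIFI_PUB_5"; set default-action deny; config device-list
edit 1; set device "Macbook_Pro_Slim_2018"; set action accept; next; edit 2; set device "notebook_XXXXX01"; set action accept; next
end; next
end""".replace("; ", "\n")

def parse(text):
    """Parse FortiOS config/edit/set/next/end text into nested dicts."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] in ("config", "edit"):  # open a nested table or entry
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set" and len(tok) > 2:
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root

def audit(cfg):
    """Per access list: undefined device references and attribute coverage."""
    devices, report = cfg.get("user device", {}), {}
    for name, acl in cfg.get("user device-access-list", {}).items():
        refs = [e["device"] for e in acl.get("device-list", {}).values() if "device" in e]
        attrs = [set(devices[r]) for r in refs if r in devices]
        report[name] = {"missing": [r for r in refs if r not in devices],
                        "all": set.intersection(*attrs) if attrs else set(),
                        "any": set.union(*attrs) if attrs else set()}
    return report

def attrs_only_in(report, a, b):
    """Attributes every device of list a sets and no device of list b sets."""
    return report[a]["all"] - report[b]["any"]

if __name__ == "__main__":
    print(audit(parse(SAMPLE)))
```

On this sample, the only attribute set on every WIFI_PUB_5 device and on no WIFI_PUB_7 device is "type"; that is a difference worth examining, not a confirmed cause.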


    Fabio
    Re: Filter clients by MAC Address 6.0.4 Fortigate 300D 2019/03/27 01:45:57 (permalink)
    I wanted to update you on the problem of authentication by MAC address filter: I have just created 4 SSIDs in another VDOM and everything works properly. Perhaps the problem is in the root VDOM, where something in the configuration is corrupted. The important thing is that there is no software limit on the number of WiFi networks with a MAC address filter.
    #2