Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Fabio
Contributor

Filter clients by MAC Address 6.0.4 Fortigate 300D

Hi everyone, I have a really weird problem since I upgraded my Fortigate 300D to 6.0.4. I have several wifi SSID but only 3 of them also have the Mac address filter local through the list of devices. Everything worked until I had 5.6.6, since I updated to 6.0.4 only two wifi continue to work with the local Mac address filter, the third wifi does not work and denies access to the device even if present in the device-access-list. The strange thing is that I can't understand why two work and the third does not work: they are configured in the same way. Here are the acl-devices this is the one that doesn't work: config user device-access-list      edit "WIFI_PUB_7"         set default-action deny         config device-list             edit 1                 set device "AirXXX_1"                 set action accept             next             edit 2                 set device "AirXXX_2"                 set action accept             next config user device    edit "AirXXX_1"         set mac b4:e6:2d:b7:a7:99         set comment "Room_XXXX"         set category windows-device     next     edit "AirXXX_2"         set mac b4:e6:2d:b7:87:79         set comment "Room_XXXX"         set category windows-device     next config system interface edit "WIFI_PUB_7"         set vdom "root"         set ip 10.3.12.1 255.255.255.0         set allowaccess ping         set type vap-switch         set alias "aircare"         set device-identification enable         set device-identification-active-scan enable         set device-access-list "WIFI_PUB_7"         set role lan         set snmp-index 58     next And this is what works: edit "WIFI_PUB_5"         set default-action deny         config device-list             edit 1                 set device "Macbook_Pro_Slim_2018"                 set action accept             next             edit 2                 set device "notebook_XXXXX01"                 set action accept             next             edit 3                 set device "notebook_XXXXX02"                 set action accept             next config user device edit "Macbook_Pro_Slim_2018"         set mac 8c:85:90:64:4e:a5         set type mac     next edit "notebook_XXXXX01"         set mac b8:8a:60:e8:c3:17         set type windows-pc         set category windows-device     next     edit "notebook_XXXXX02"         set mac b8:8a:60:e8:c2:27         set type windows-pc         set category windows-device     next config system interface edit "WIFI_PUB_5"         set vdom "root"         set ip 10.3.15.1 255.255.255.0         set allowaccess ping         set type vap-switch         set device-identification enable         set device-identification-active-scan enable         set device-access-list "WIFI_PUB_5"         set role lan         set snmp-index 48     next The behavior of the acl at general level is executed: the default action is respected but it is as if it could not read the subsequent entries; in fact if I change the default action to accept the devices pass the authentication What I thought was a software limitation of the new firmware that does not manage more than two device-access-lists .. I have clearly rebooted the Firewall and deleted and recreated the interface that was wrong

Fabio
Fabio
1 REPLY 1
Fabio
Contributor

I wanted to update you on the problem of authentication by filter mac address; I have just created 4 SSIDs in another VDOM and everything works properly. Perhaps the problem is in the root VDOM where there is something corrupted in the configuration. The important thing is that there is no software limit to the number of wifi with Mac address filter

Fabio
Fabio
Labels
Top Kudoed Authors