Controlling access with a MAC Address Access Control List

A MAC Address Access Control List (ACL) allows or blocks access on a network interface that includes a DHCP server. If the interface does not use DHCP, or if you want to limit network access to a larger group such as employee devices, it is better to create a device group and specify that group in your security policies.

A MAC Address ACL functions as either

  • a list of devices to block, allowing all other devices

or

  • a list of devices to allow, blocking all other devices

Allowed devices are assigned an IP address. The Assign IP action assigns the device an IP address from the DHCP range. In a list of allowed devices, you can also use the Reserve IP action to always provide a specific IP address to the device.

The Unknown MAC Address entry applies to "other" unknown, unlisted devices. Its action must be opposite to that of the other entries. In an allow list, it must block. In a block list, it must allow.

To create a MAC Address ACL to allow only specific devices
  1. Go to the SSID or network interface configuration.
  2. In the DHCP Server section, expand Advanced.
    DHCP Server must be enabled.
  3. In MAC Reservation + Access Control, select Create New and enter an allowed device’s MAC Address.
  4. In the IP or Action column, select one of:
    • Assign IP — device is assigned an IP address from the DHCP server address range.
    • Reserve IP — device is assigned the IP address that you specify.
  5. Repeat steps 3 and 4 for each additional MAC address entry.
  6. Set the Unknown MAC Address entry IP or Action to Block.
    Devices not in the list will be blocked.
  7. Select OK.

To create a MAC Address ACL to block specific devices
  1. Go to the SSID or network interface configuration.
  2. In the DHCP Server section, expand Advanced.
    DHCP Server must be enabled.
  3. In MAC Reservation + Access Control, select Create New and enter the MAC Address of a device that must be blocked.
  4. In the IP or Action column, select Block.
  5. Repeat steps 3 and 4 for each device that must be blocked.
  6. Set the Unknown MAC Address entry IP or Action to Assign IP.
    Devices not in the list will be assigned IP addresses.
  7. Select OK.
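
The following audit script is an added example, not part of the original help page or Fortinet's own code. It checks an exported DHCP server configuration against the rule above that the Unknown MAC Address action must be opposite to the listed entries. It assumes the FortiOS CLI form of these GUI settings (`mac-acl-default-action` and `config reserved-address` entries with `set action`), which this page does not show; the sample MAC addresses, IP address and IDs are constructed.

```python
# Constructed sample (made-up MACs, IP and IDs) in FortiOS CLI syntax: an allow list.
SAMPLE = """\
config system dhcp server
    edit 1
        set mac-acl-default-action block
        config reserved-address
            edit 1
                set mac 00:11:22:33:44:55
                set action assign
            next
            edit 2
                set ip 192.168.10.50
                set mac 00:11:22:33:44:66
                set action reserved
            next
        end
    next
end
"""

def parse_acl(text):
    """Return (unknown_mac_action, entries) for one DHCP server block."""
    default, entries, in_list = None, [], False
    for tok in (line.split() for line in text.splitlines()):
        if tok[:2] == ["config", "reserved-address"]:
            in_list = True
        elif in_list and tok[:1] == ["end"]:
            in_list = False
        elif in_list and tok[:1] == ["edit"]:
            entries.append({})              # start a new MAC entry
        elif tok[:1] == ["set"] and len(tok) >= 3:
            if in_list and entries:
                entries[-1][tok[1]] = tok[2].lower()
            elif tok[1] == "mac-acl-default-action":
                default = tok[2].lower()
    return default, entries

def audit(text):
    """List violations of the allow-list / block-list rules described above."""
    default, entries = parse_acl(text)
    actions = {e.get("action") for e in entries}
    allows = actions & {"assign", "reserved"}   # Assign IP / Reserve IP entries
    findings = []
    if allows and "block" in actions:
        findings.append("entries mix allow and block actions")
    elif allows and default != "block":
        findings.append("allow list, but unknown MACs are not blocked")
    elif actions == {"block"} and default != "assign":
        findings.append("block list, but unknown MACs are not assigned an IP")
    return findings
```

`audit(SAMPLE)` returns an empty list; changing the default action in the sample to `assign` yields the "allow list, but unknown MACs are not blocked" finding.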