MAC Access Control

Video Activity



Time
1 hour 35 minutes
Difficulty
Beginner
CEU/CPE
2
Video Description

In this video, you will learn how to add device definitions to your FortiGate using Media Access Control addresses, or MAC addresses. These definitions form a whitelist that allows you to control the devices that can access your wireless network. MAC address identification also allows you to assign a reserved IP for exclusive use of a device when it connects to the wireless network.

Video Transcription
00:00
>> In this video, you will learn
00:00
how to add device definitions to
00:00
your FortiGate using media access
00:00
control addresses or MAC addresses.
00:00
These definitions form a whitelist that allows you to
00:00
control the devices that can
00:00
access your wireless network.
00:00
Each network device has
00:00
a unique MAC address added by the manufacturer.
00:00
This makes them a handy way to identify a device.
00:00
In this example, we'll identify an iPhone.
00:00
MAC address identification also allows you to assign
00:00
a reserved IP for exclusive use of
00:00
a device when it connects to the wireless network.
00:00
Even though MAC address filtering isn't foolproof,
00:00
to get around this configuration,
00:00
a malicious hacker would have to guess
00:00
an address on your MAC whitelist.
00:00
First, you will identify
00:00
the unique MAC address of a device on your network.
00:00
For Windows devices, open
00:00
the command prompt and type ipconfig /all.
00:00
This output shows the configuration information
00:00
for all the network connections.
00:00
Look for information about
00:00
the wireless adapter and note the physical address.
00:00
For Mac OS X devices,
00:00
open terminal, and type the following.
00:00
Make sure to note the MAC address.
00:00
For iOS devices, open Settings,
00:00
General, About Device,
00:00
and take note of the Wi-Fi address.
00:00
For Android devices,
00:00
open Settings, About Device,
00:00
Status, and take note of the Wi-Fi MAC address.
00:00
Next, go to User and Device,
00:00
Device, Device Definitions,
00:00
and create a new device definition for an iPhone.
00:00
Set alias to iPhone.
00:00
Set MAC address to the physical address of
00:00
the device and set the device type to iPhone.
00:00
The new definitions will now appear
00:00
in your device list.
00:00
>> If device identification is
00:00
enabled on the wireless interface,
00:00
device definitions will be created automatically.
00:00
Then you can use MAC addresses to
00:00
identify which device a definition refers to.
00:00
Now go to User and Device,
00:00
Device, Device Groups and create a new group.
00:00
Name the group Wi-Fi access
00:00
and add the new device as a group member.
00:00
Next, go to System,
00:00
Network, Interfaces and edit the wireless interface.
00:00
If the FortiAP is in bridge mode,
00:00
you will need to edit the internal interface.
00:00
Under DHCP server, go to Advanced Options.
00:00
Create a new entry in
00:00
the MAC Reservation + Access Control list.
00:00
Make sure you reserve an IP address within
00:00
the DHCP range of the device's MAC address.
00:00
Go to Policy and Objects,
00:00
Policy, IPv4, and create a new policy.
00:00
Set incoming interface to your wireless interface.
00:00
Source device to the device group,
00:00
and outgoing interface to the
00:00
Internet-facing interface.
00:00
>> Make sure that NAT is turned on.
00:00
To check your results,
00:00
connect to the wireless network with
00:00
a device that is a member of the device group.
00:00
You should be able to connect to
00:00
the Wi-Fi and browse the Internet.
00:00
Connection attempts from a device that
00:00
is not part of the group will fail.
00:00
Go to System, FortiView,
00:00
All Session, and select "Now" to
00:00
view the current results.
00:00
>> Filter the results using the reserved source IP,
00:00
and verify that it is being used
00:00
exclusively by the wireless device.
00:00
Thank you for watching.
00:00
If you need further details,
00:00
you can visit docs.fortinet.com
00:00
to access our complete documentation library.
00:00
Also check out our new cookbook site at
00:00
cookbook.fortinet.com.