MAC spoofing can bypass my captive portal. I set ssl-ca in my firewall and AP isolation is enabled…
Any suggestions on how to disconnect a client using MAC spoofing?
Client is only known to the portal by its IP and MAC.
If a client clones (spoofs) both, well … you'll be needing more sophisticated solutions.
Btw: your WiFi channels are encrypted, right? If they are, your spoofer will have a hard time obtaining MAC addresses.
On an AP used for captive portal connections, AP isolation should always be activated, and you should also isolate the APs from one another if you have more than one.
Edit: what do you mean by "... i set ssl-ca on my firewall ..."?
Not really. Captive portals are a clever hack at best.
There is no possible way a firewall can tell two clients apart if they are sharing the same MAC address.
You have a layer 2 problem, so you need to fix it at layer 2. That's a job for your AP/switches, not a firewall.
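As an added example (not code from any poster in this thread), here is one layer 2 check that can run over AP association logs: flag a MAC that stays associated on two APs at once for longer than a normal roam would take. The event format, AP names, MAC addresses and the grace window are all assumptions made for the sketch, and it only catches a cloned MAC that is in use on a different AP from the legitimate client.

```python
from collections import defaultdict

# Constructed sample events: (epoch seconds, AP name, client MAC, event)
EVENTS = [
    (1000, "ap-lobby",  "aa:bb:cc:00:00:01", "assoc"),
    (1005, "ap-lobby",  "aa:bb:cc:00:00:02", "assoc"),
    (1300, "ap-floor2", "AA:BB:CC:00:00:01", "assoc"),     # same MAC, second AP
    (1310, "ap-floor2", "aa:bb:cc:00:00:02", "assoc"),     # ordinary roam begins
    (1313, "ap-lobby",  "aa:bb:cc:00:00:02", "disassoc"),  # old AP drops it 3 s later
    (1900, "ap-lobby",  "aa:bb:cc:00:00:01", "disassoc"),  # 600 s of overlap
]
ROAM_GRACE = 10  # assumed: seconds an old association may linger during a roam


def find_duplicate_macs(events, grace=ROAM_GRACE):
    """Return {mac: [(start, end, (ap_a, ap_b)), ...]} for every MAC that was
    associated on two APs simultaneously for more than `grace` seconds."""
    active = defaultdict(dict)   # mac -> {ap: time of association}
    open_overlaps = {}           # (mac, frozenset of two APs) -> overlap start
    flagged = defaultdict(list)
    events = sorted(events)

    def close(mac, pair, start, end):
        # Short overlaps are treated as roaming, long ones as two stations.
        if end - start > grace:
            flagged[mac].append((start, end, tuple(sorted(pair))))

    for ts, ap, mac, kind in events:
        mac = mac.lower()        # logs may mix upper and lower case
        if kind == "assoc":
            for other in active[mac]:
                if other != ap:
                    open_overlaps.setdefault((mac, frozenset((ap, other))), ts)
            active[mac][ap] = ts
        elif kind == "disassoc":
            active[mac].pop(ap, None)
            for key in [k for k in open_overlaps if k[0] == mac and ap in k[1]]:
                close(mac, key[1], open_overlaps.pop(key), ts)

    # Overlaps still open when the log ends are measured up to the last event.
    last = events[-1][0] if events else 0
    for (mac, pair), start in open_overlaps.items():
        close(mac, pair, start, last)
    return dict(flagged)


if __name__ == "__main__":
    for mac, hits in find_duplicate_macs(EVENTS).items():
        print(mac, hits)
```
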