Upcoming Maintenance Alert:

The UBNT Community will be upgraded at 5pm MDT on April 25th. During this time the community forums will be set to read-only status.

Learn more

×

Per SSID MAC Filtering

Submitted by -
Status: Implemented

I would like to see per SSID MAC filtering (Allow all, whitelist, blacklist etc), I realise MAC filtering provides a limited amount of security however it is an important tool in a layered security approach.

Ideally this could be implemented per SSID so that you can run a whitelist (allow only listed MACs) on the corporate network, and allow all (potentially with blacklist) on a guest network.

 

 

Duplicates:
http://community.ubnt.com/t5/UniFi-Feature-Requests/MAC-address-Whitelist/idi-p/1174586
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/20
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/270
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/331
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/1100
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/1583
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/1600
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/2065
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/1643
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/1140
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/1963
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/141
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/2206
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/1579
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/2168

Comments
by Ubiquiti Employee
on ‎06-21-2017 12:00 PM

Yes, in upcoming (or perhaps even already-released) versions of unifi this is bumped to 8 SSIDs per radio for Gen2 and above (https://help.ubnt.com/hc/en-us/articles/235634387-UniFi-Which-hardware-generation-is-my-UniFi-Access...)

 

Keep in mind this following chart though when doing many SSIDs:

Screen Shot 2017-06-21 at 12.59.31 PM.png

 

And see here to see how this overhead changes which you vary minimum supported rate (which will make older clients unable to connect):

http://www.revolutionwifi.net/capacity-planner

 

Cheers,

Brandon

by
‎06-21-2017 12:30 PM - edited ‎06-21-2017 12:30 PM

What's the solution for greater than 128 MACS when Radius cannot be used, like in any BYOD scenario?

by Ubiquiti Employee
on ‎06-21-2017 12:33 PM

So the idea is you can enter the MAC in the radius database, leveraging the USG.

 

Alternatively you could make more sites SSIDs if you would like to avoid using the USG.

by
on ‎06-21-2017 12:36 PM
I'm thinking of a BYOD situation, WPA-Enterprise is not possible in those, since cert installation is not possible. Since my example situation is a school, how could that possibly work? 128 wouldn't cover a student body, and separating out into SSID is obviously not a workable solution for a student body.
by
on ‎06-21-2017 12:40 PM

we can't have the limit on the AP (or controler) instead of on the SSID?

by Ubiquiti Employee
on ‎06-21-2017 12:41 PM

So Radius MAC bypass doesn't need a cert.  It's effectively the same behavior as MAC filtering - with the advantage of using/integrating w/ radius - which allows nice integration.

by
on ‎06-21-2017 12:45 PM
You're assuming a radius server. There's not a radius server, nor will there be one. We need a solution without the use of a radius server.
by Ubiquiti Employee
on ‎06-21-2017 12:48 PM

Sorry I don't think I'm being clear.  What I'm meaning to say is that the USG has a radius server built-in.  So we are adding functionality for increased whitelist/blacklist support per SSID via radius MAC.

 

So a USG for your site is not a solution?

 

Why do you need to whitelist/blacklist so many devices?

by
on ‎06-21-2017 12:52 PM
We don't use USG. We budgeted for and were approved for, and purchased access points. We're using the controller software on an existing machine. We made this plan based on the promise that MAC filtering would be added. We do not have budged for a radius server, and we do not have budget for a USG. We're a site like (but not) a school. Multitudes of devices which need to be approved for wifi use and added with at 1-2 thousand users, each capable of having multiple devices.
by Ubiquiti Employee
on ‎06-21-2017 01:02 PM

OK.  Thanks.  So to be clear, MAC filtering has been added (and released).  The limit is 128 MACs blacklisted per SSID.

 

There are currently 4SSIDs per radio, 8 per AP, so this is a limit of 1024-station blacklist or whitelist per AP.  So you could use this to your advantage in your scenario.

 

Also not that this is per-site.  So you could make multiple sites to then handle an arbitrary number of whitelisted or blacklisted stations, in the current implementation.

 

Thanks,

Brandon