Per SSID MAC Filtering

Submitted by
Status: Implemented

I would like to see per-SSID MAC filtering (allow all, whitelist, blacklist, etc.). I realise MAC filtering provides a limited amount of security; however, it is an important tool in a layered security approach.

Ideally this could be implemented per SSID so that you can run a whitelist (allow only listed MACs) on the corporate network, and allow all (potentially with blacklist) on a guest network.




by Previous Employee UBNT-Brandon
on ‎06-21-2017 12:00 PM

Yes, in upcoming (or perhaps even already-released) versions of UniFi this is bumped to 8 SSIDs per radio for Gen2 and above (


Keep in mind this following chart though when doing many SSIDs:



And see here to see how this overhead changes when you vary the minimum supported rate (which will make older clients unable to connect):




‎06-21-2017 12:30 PM - edited ‎06-21-2017 12:30 PM

What's the solution for greater than 128 MACs when RADIUS cannot be used, like in any BYOD scenario?

by Previous Employee UBNT-Brandon
on ‎06-21-2017 12:33 PM

So the idea is you can enter the MAC in the radius database, leveraging the USG.


Alternatively you could make more sites SSIDs if you would like to avoid using the USG.

on ‎06-21-2017 12:36 PM

I'm thinking of a BYOD situation. WPA-Enterprise is not possible in those, since cert installation is not possible. Since my example situation is a school, how could that possibly work? 128 wouldn't cover a student body, and separating out into SSIDs is obviously not a workable solution for a student body.

on ‎06-21-2017 12:40 PM

We can't have the limit on the AP (or controller) instead of on the SSID?

by Previous Employee UBNT-Brandon
on ‎06-21-2017 12:41 PM

So Radius MAC bypass doesn't need a cert.  It's effectively the same behavior as MAC filtering - with the advantage of using/integrating w/ radius - which allows nice integration.

on ‎06-21-2017 12:45 PM

You're assuming a radius server. There's not a radius server, nor will there be one. We need a solution without the use of a radius server.

by Previous Employee UBNT-Brandon
on ‎06-21-2017 12:48 PM

Sorry I don't think I'm being clear.  What I'm meaning to say is that the USG has a radius server built-in.  So we are adding functionality for increased whitelist/blacklist support per SSID via radius MAC.


So a USG for your site is not a solution?


Why do you need to whitelist/blacklist so many devices?

on ‎06-21-2017 12:52 PM

We don't use USG. We budgeted for and were approved for, and purchased access points. We're using the controller software on an existing machine. We made this plan based on the promise that MAC filtering would be added. We do not have budget for a radius server, and we do not have budget for a USG. We're a site like (but not) a school. Multitudes of devices which need to be approved for wifi use and added with at 1-2 thousand users, each capable of having multiple devices.

by Previous Employee UBNT-Brandon
on ‎06-21-2017 01:02 PM

OK.  Thanks.  So to be clear, MAC filtering has been added (and released).  The limit is 128 MACs blacklisted per SSID.


There are currently 4 SSIDs per radio, 8 per AP, so this is a limit of 1024-station blacklist or whitelist per AP.  So you could use this to your advantage in your scenario.


Also note that this is per-site.  So you could make multiple sites to then handle an arbitrary number of whitelisted or blacklisted stations, in the current implementation.