
Per SSID MAC Filtering

Submitted by -
Status: Implemented

I would like to see per SSID MAC filtering (allow all, whitelist, blacklist, etc.). I realise MAC filtering provides a limited amount of security; however, it is an important tool in a layered security approach.

Ideally this could be implemented per SSID so that you can run a whitelist (allow only listed MACs) on the corporate network, and allow all (potentially with blacklist) on a guest network.
Duplicates:
http://community.ubnt.com/t5/UniFi-Feature-Requests/MAC-address-Whitelist/idi-p/1174586
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/20
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/270
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/331
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/1100
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/1583
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/1600
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/2065
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/1643
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/1140
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/1963
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/141
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/2206
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/1579
http://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/2168

Comments
by Ubiquiti Employee
on ‎07-05-2017 10:43 AM

Quick update: After some rework it looks like we will be able to get 512 addresses per WLAN group.  Will release version in Beta Forum for soaking when ready (ETA: 3 weeks).  

 

Sign up for Beta in the meantime if interested in using this version:

https://help.ubnt.com/hc/en-us/articles/204908664-How-To-Sign-Up-for-Beta-Access

 

Thanks,

Brandon

by
on ‎07-05-2017 05:28 PM

@UBNT-Brandon This. Is. Amazing!

 

Right now I'm using controller version 2.4.6 with a unifi-labs hack to get it to work but it has major issues. I can't wait to upgrade!

 

Thanks for your hard work and for the update. I can't wait! Hopefully I can use this for the new school year.

 

 

by Ubiquiti Employee
on ‎07-05-2017 05:30 PM

Wow!  That is quite an old release!!!  So check out unstable-demo.ubnt.com for the latest/greatest interface (note not all features will work there... like topology view; not supported yet).

 

Thanks,

Brandon

by
on ‎07-10-2017 09:17 AM

Great to hear that MAC filtering will be added soon. I tried to set it up using MS NPS, but it did not work properly. Now with MAC filtering done by the device and user filtering done by a RADIUS server I will have a complex solution required by my company.

by Ubiquiti Employee
on ‎07-12-2017 04:04 PM

Note that the implementation which increases the MAC ACL limit from 128 MACs to 512 MACs per SSID is implemented and in initial testing now.

by
on ‎07-13-2017 11:39 AM

@UBNT-Brandon

 

Why only 512 MACs per SSID? Would 1024 not be possible?

by Ubiquiti Employee
on ‎07-14-2017 11:04 AM

Hi @verisjuliano.

 

So we're pushing it already w/ 512 blocked MACs per SSID.  What is your use-case for 1024?  

 

At some point perhaps it is worth just changing the SSID password (which has unlimited blocking) or moving privileged access to radius authentication (keep in mind UniFi has an internal radius system - with effectively no user limit, syncs w/ external radius, and also supports radius hotspot - for devices which cannot do WPA-Enterprise natively)?

 

Thanks,

Brandon

by
‎07-14-2017 08:30 PM - edited ‎07-15-2017 01:50 AM

I agree with @UBNT-Brandon, I don't see its effectiveness past 100 MAC addresses, better use Radius. I know Radius can be daunting to set up. Here is a link for a quick and easy Radius setup wburham.blogspot.com.

by
‎07-14-2017 09:00 PM - edited ‎07-14-2017 09:43 PM

@smykdd I think my solution wburham.blogspot.com would be great for you, both mac filtering and user filtering plus access permission per SSID is in just one line.

by
‎07-14-2017 09:20 PM - edited ‎07-14-2017 09:40 PM

@ketrel USG only costs $112-$120 but if you're really in a pinch why not use Raspberry Pi 3 as a Radius server, even though I'd still recommend Unifi USG. Most devices can handle WPA-Enterprise, I personally use TTLS/mschapv2. To restrict user access please check this link wburham.blogspot.com for a quick and easy Radius setup.