Established Member
Posts: 1,529
Registered: ‎08-20-2012
Kudos: 814
Solutions: 20

Re: MAC filtering on UniFi

If many users think that it's too great a threshold to install a RADIUS server or even an extra computer to handle it, would it be hard to add it to either the CRM point or the Cloud key, or, what the ****, why not just make one new device with the same platform that only acts as a RADIUS server? Then the threshold would be that much smaller and the authentication problems could be solved? Does a feature request on this already exist? I have not searched for any yet...

Veteran Member
Posts: 4,742
Registered: ‎03-11-2013
Kudos: 1506
Solutions: 89

Re: MAC filtering on UniFi


@rdahlin wrote:

If many users think that it's too great a threshold to install a RADIUS server or even an extra computer to handle it, would it be hard to add it to either the CRM point or the Cloud key, or, what the ****, why not just make one new device with the same platform that only acts as a RADIUS server? Then the threshold would be that much smaller and the authentication problems could be solved? Does a feature request on this already exist? I have not searched for any yet...


Technically MAC filtering is about as reliable as chocolate teapots, so, with reason, many organisations are reluctant to implement it. Especially as many of those requesting the feature appear to be unaware that a six year old can defeat it, nor do they understand that at least one major manufacturer is randomising MAC addresses, because of security concerns.

 

Whether or not a RADIUS server could be run on a CloudKey or a CRM point is entirely dependent upon what else is going on. People do successfully run RADIUS servers on Raspberry Pi devices, so the hardware demands need not be onerous.

 

For many users, the illusion of security is sufficient.

 

R+C
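
An added example, not part of any post in this thread: the point above about randomised MAC addresses, applied to the allow-list use case the thread asks for, as a small audit over association events. The allow-list, the event tuples, the AP names and the function names are constructed for illustration and do not come from UniFi or any controller.

```python
import re

# Constructed sample data (not from a real controller): the allow-list as an
# admin might type it, and (timestamp_seconds, ap_name, client_mac) events.
ALLOW_LIST = ["00:11:22:AA:BB:01", "0011.22aa.bb02", "00-11-22-aa-bb-03"]
EVENTS = [
    (100, "ap-office", "00:11:22:aa:bb:01"),
    (105, "ap-floor", "da:a1:19:3c:55:9e"),   # locally administered address
    (110, "ap-floor", "00:11:22:AA:BB:01"),   # same listed MAC, other AP, 10 s on
    (300, "ap-office", "3c:22:fb:10:20:30"),  # vendor-assigned but not listed
    (900, "ap-floor", "00-11-22-AA-BB-02"),
]

def normalize(mac):
    """Return a MAC as 12 lowercase hex digits; raise ValueError otherwise."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set, as in randomized MACs."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def audit(events, allow_list, window=60):
    """Return (timestamp, mac, finding) tuples for events worth reviewing."""
    allowed = {normalize(m) for m in allow_list}
    last_seen = {}  # mac -> (timestamp, ap) of the previous association
    findings = []
    for ts, ap, raw in sorted(events):
        mac = normalize(raw)
        if mac not in allowed:
            # A randomized address never matches a static list, so a device
            # the admin meant to allow also lands here until it is re-enrolled.
            kind = "randomized-not-listed" if is_locally_administered(mac) else "not-listed"
            findings.append((ts, mac, kind))
            continue
        prev = last_seen.get(mac)
        # Heuristic only: roaming also moves a client between APs, so this
        # marks a listed MAC for review rather than proving it was cloned.
        if prev and prev[1] != ap and ts - prev[0] <= window:
            findings.append((ts, mac, "listed-mac-on-two-aps"))
        last_seen[mac] = (ts, ap)
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS, ALLOW_LIST):
        print(finding)
```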

New Member
Posts: 1
Registered: ‎02-29-2016
Kudos: 2

Re: MAC filtering on UniFi

Sorry, but is the Radius server to be used only for user management (userid and password), or can it also be used to notice the list of enabled MAC addresses?

 

I need to manage a school that must only use its owned devices, and I can't manage every single user.
About the security... Yes, MAC blocking guarantees low protection, but for users with a basic informatics knowledge it is harder to clone a MAC than to interchange a username and a password.

 

Thanks

Emerging Member
Posts: 97
Registered: ‎02-23-2015
Kudos: 25

Re: MAC filtering on UniFi

In our use-case, we use RADIUS for all our network auth, but we're a game design school and a lot of consoles/portables don't support RADIUS authentication. We currently define MAC addresses of registered consoles via our Cisco WLC and lump them into a "non-authable devices" list.

 

It seems a really basic feature - I'd much rather see it in there, and make me check a box acknowledging that it's insecure.

 

New Member
Posts: 2
Registered: ‎03-30-2016
Kudos: 1

Re: MAC filtering on UniFi


@dapopa9 wrote:
We also need basic "Allowed List" type MAC filtering. We use this because we need a few of our company laptops to be able to access the WPA secured network, however we do NOT want our employees also connecting their iPhones, Androids, and whatever else to this particular.
The allowed list MAC filtering works perfectly for this.
Same need here
New Member
Posts: 2
Registered: ‎03-30-2016
Kudos: 1

Re: MAC filtering on UniFi

"but you will prevent the average Joe User from clicking on your network and connecting"

 

EXACTLY the use we need it for. Prevents all the average joes on our factory floor from using their personal wifi devices to consume all our business internet bandwidth streaming media.

Veteran Member
Posts: 4,742
Registered: ‎03-11-2013
Kudos: 1506
Solutions: 89

Re: MAC filtering on UniFi

If it is important, you can set up Univention Corporate Server (free), this allows Samba to be configured as an AD Controller, along with this goes the creation and management of ACL Blacklists and Whitelists.

 

R+C

 

Emerging Member
Posts: 97
Registered: ‎02-23-2015
Kudos: 25

Re: MAC filtering on UniFi

Doesn't that use Radius for auth though? Devices that don't support Radius still wouldn't work

 

New Member
Posts: 4
Registered: ‎04-15-2016
Kudos: 1

Re: MAC filtering on UniFi


I bought a Ubiquiti UAP-AC-LR for the first time for my company and after a few days of use I am disappointed and dissatisfied.
I am completely surprised that there is no possibility of blocking unknown MAC addresses.
The simplest and a lot cheaper devices have this function.
The device is advertised as for enterprise but using it is very dangerous. In my opinion, the device is suitable only for use at home. Not suitable for larger groups of users. All who know the security key can connect to the AP. Every time an employee leaves the company, the administrator must change the security key. This is unacceptable.

A solution to this problem can be to add a checkbox "Block unknown users" and the possibility of adding users (MAC addresses) to a list.

But I will not wait for this to change, I will just return the device to the store. Ubiquiti never again!

New Member
Posts: 7
Registered: ‎02-27-2016
Kudos: 5

Re: MAC filtering on UniFi

I call it lazy developers. Sure all you security "experts" have a way to bypass this by just using a good (acceptable, or whitelisted MAC address). But that still requires you know what's good. And maybe that takes you some time because as an attacker you have to wait until that MAC is no longer active otherwise you'll never get good comms or will get noticed by the user you're spoofing their MAC address of. There are so many things that will get you caught by spoofing a MAC address, and if you don't know what they are then all the better -- this is not a how-to hack, or how to bypass security forum. 

 

Simply put: adding MAC filtering just sets the bar a little higher, and makes "intent" clearly black and white in terms of legalese. So I still say it's a valid requirement; and it would appear that a LOT of other people do too.

New Member
Posts: 4
Registered: ‎04-15-2016
Kudos: 1

Re: MAC filtering on UniFi

Of course, MAC filtering is a basic function for unauthorized access protection. Ubiquiti is probably the only manufacturer that does not have it in its APs

New Member
Posts: 4
Registered: ‎04-15-2016
Kudos: 1

Re: MAC filtering on UniFi


@UBNT-Cody wrote:

I'm afraid MAC filtering is unlikely going to be added as it's inherently insecure.  If you want per-device filtering, it's much better to implement WPA2 Enterprise with a Radius server, which UniFi does support.

Inherently insecure is Ubiquiti AP without MAC filtering and Radius server.
Member
Posts: 149
Registered: ‎06-08-2014
Kudos: 52
Solutions: 4

Re: MAC filtering on UniFi


Firstly, even if it is useless in most networks, I agree MAC filtering should be available on Unifi. In fact, if the Unifi Gateway and Unifi switch supported it too, it would be fairly awesome.

However, also, in my experience, kids are incredibly resourceful. At school, I worked out how to send messages over the network using NetWare. After I worked it out, soon after, most of the school knew how to do it, and was doing it for at least 6 months before teachers caught on. In another case, a few people abused the auto-reply/rules system, to the point that apparently Microsoft called, because Hotmail was getting pounded by emails from our school's email server.

 

In university, we worked out a way to get Quake running on the computers (it needed to be reinstalled though EVERY reboot, so there were literally dozens of copies of Quake installed on every computer by the end of the year). I can only imagine the expression on administrators' faces at the end of the year wondering where all those copies of Quake came from.

 

The problem with schools, is that it only takes 1 kid to work it out, then the entire school will know soon after (and teachers tend to be hopeless at identifying problems). So, I would recommend to always try to solve the problem entirely. 

 

These days in fact, it's even easier for students, because of the tools available, and Google.

 

It won't block users with basic knowledge, because the people who work it out will teach them how to do it (or do it for them), and a large school with 1000 or 2000 students likely has at least a handful of nerds (unless it's a kindergarten). It's even easier because many WiFi drivers have MAC spoofing built into the driver (accessible in the same spot for everyone in control panel).

 

So it really depends on how important it is for you to block external clients, but imho, the assumption you are making only holds true, if you assume that students don't communicate amongst themselves. They definitely do.. 

New Member
Posts: 10
Registered: ‎04-01-2016
Kudos: 2

Re: MAC filtering on UniFi

As an IT director for 3 large companies and even more smaller operations (Less than 10 users) and a sales manager for my main company I was BLOWN AWAY when I couldn't find the option to enable this...  Even my old crappy Netgear WNAP320 could easily handle this (Which is what I replaced this with).  I have a simple 5 AP deployment with one of them being outside too and the thing reaches to the south end of our property which is 1417 feet away.  I'm blown away by everything that Ubiquiti has offered so far including 2 backbone extensions with Air Fiber 5x's but the fact that this feature isn't available is mind boggling.


I will agree with the latter posts in this thread and say that we (system engineers and IT directors) know 100% that "a 6 year old could crack it" - IE - spoof the MAC and be on with their lives.  Except kinda....  What I've learned through my life of managing HUNDREDS of users including owners of said companies (Which I have to block them out of their own system for their own safety) is that 99.99999% of people are lazy and will just take the path of least resistance.  Yes, I now have to constantly change the WIFI password because when one employee gets the new password and "promises that they won't share it".... They DO share it and now I have unknown, personal devices not only sucking more bandwidth (Not the biggest deal with bandwidth throttling) but more so the fact that they are on the company network wasting time on Facebook.

 

Fortunately for me we have ZERO cell coverage inside our main corporate building due to the way it's built that I can just strip WIFI from them and boom, productivity goes way up…. That is until the password makes its way around the office again.

 

I have thumbs up’d the request for this simple feature just because it’s SOP.  It is SOP in a LOT of back-end installations (Not a hotel for example) to not only use MAC filtering but also to HIDE the SSID (Again, easily attainable with a basic WIFI scanner right…..) But again, 99.999999% of the time they look on their phones and go “huh…. The WIFI isn’t even showing up…. Dang, I better just move on”…. Because we KNOW WITH CERTAINTY they aren’t going to ask IT or their supervisors for it because then us bosses would know they are trying to get on and waste time when we removed this from them to begin with…

New Member
Posts: 11
Registered: ‎09-25-2014

Re: MAC filtering on UniFi

 

http://community.ubnt.com/t5/UniFi-Feature-Requests/Per-SSID-MAC-Filtering/idc-p/1552610#M4997

 

Incomprehensible is the best definition for this lack of action! Finally the above topic has been accepted and should be implemented.

New Member
Posts: 6
Registered: ‎03-26-2014

Re: MAC filtering on UniFi

JB007Rules, very well said. Agree 100%. I've been in I.T. for...oh hell 25+ years now. The people that will bypass MAC filtering are usually the people that are going to try and bypass whatever else you put in the way of filtering/securing your network. Simple solutions will work a majority of the time and for a small business. 1 AP? 4 APs? Seriously...these other solutions are involved and not needed, just toss in an update and turn this on please.

New Member
Posts: 6
Registered: ‎03-26-2014

Re: MAC filtering on UniFi

verisjuliano,

 

They are finally going to put it in? I'll go check out the link.  I sure hope so.  I've been watching this thread for a couple years now just hoping this would eventually be resolved.

SuperUser
Posts: 9,481
Registered: ‎01-10-2012
Kudos: 5972
Solutions: 386

Re: MAC filtering on UniFi


@JB007Rules wrote:

 

Fortunately for me we have ZERO cell coverage inside our main corporate building due to the way it's built that I can just strip WIFI from them and boom, productivity goes way up…. That is until the password makes its way around the office again.


All these people have accounts on some sort of network based directory - probably active directory, right?  If so, it's pretty trivial to throw up a RADIUS server and just have everyone authenticate and then you also put them on notice that there is logging.  Then if they want to be responsible or irresponsible management can decide how to deal with it.  Or simply deny them access.


I have a network with 7 regular users and a handful of part time folks, and I finally set up RADIUS and the users love it. No longer an obnoxious long shared password, it's their normal credentials. Everyone else goes onto the guest network, and if new temp people come in my trusted admins know how to set up the accounts and when temps rotate out they know how to remove them. Also cleaned up access issues we were having to network folders with previously generic shared accounts.

 

It's almost always easier on multiple levels, especially in the long run, to just do things with a bit of rigor than trying to hack/bluff your way through.

 

If you are dead set on MAC filtering then at this point Unifi is probably not the solution for you. If they were interested in supporting it I'm sure they would have put it in a beta or alpha by now.

When you receive a solution to your question/issue, don't forget to mark your thread as solved and to give kudo's to the people who have helped you out!

Having wifi problems? Take a look here first: https://help.ubnt.com/hc/en-us/articles/221029967-UniFi-Debugging-Intermittent-Connectivity-Issues-on-your-UAP
New Member
Posts: 9
Registered: ‎09-24-2014
Kudos: 1

Re: MAC filtering on UniFi


For all those expert network administrators who insist on saying that the MAC filter is not safe:

Could you focus on it being just "one more option"?
Everyone is free to implement the network "as needed"!!!

If you want to discuss the safety of the MAC filter, then you should discuss why Ubiquiti does not remove the "block device" button. Or do you believe that the locking method (which already exists in Unifi) is not a MAC filter?

The MAC filter already exists in Unifi, but the difference is that you can only add to this "black list" a device that has already been previously connected. Then why can it not work the other way around, and have beforehand a whitelist of allowed devices only?

 

Thanks Ubiquiti for considering this option after so many years of discussion. Thank you for understanding that the discussion is not about making the network safe or unsafe, and that the discussion is about having the freedom to choose the alternative that fits every network administrator's specific needs.

SuperUser
Posts: 9,481
Registered: ‎01-10-2012
Kudos: 5972
Solutions: 386

Re: MAC filtering on UniFi


@dcordovez wrote:

 

Could you focus on it is just "one more option"?


Options that take time to code, test, debug, support....

 

As I said, it's been asked for literally since day one - and if they were really interested in throwing resources at it I imagine they would have by now. They have a small dev team and have to prioritize. It may be on the list, but so far it hasn't surfaced.


I do agree it would be nice to know if MAC filtering is something they would ever do or if it's something they have no intention of ever supporting. Then the folks for which it's a "must have" feature can make the appropriate purchasing decision.
