New Member
Posts: 6
Registered: ‎04-03-2008
Kudos: 7

MAC filtering on UniFi

G'day team,
Any chance that MAC filtering might be incorporated in the UniFi product sometime soon? Just a more convenient method for Enterprise security.

Thanks
Established Member
Posts: 2,301
Registered: ‎07-30-2009
Kudos: 266
Solutions: 1

Re: MAC filtering on UniFi

G'day team,
Any chance that MAC filtering might be incorporated in the UniFi product sometime soon? Just a more convenient method for Enterprise security.

Thanks


Finally was able to open all the 3-packs of UniFi I received a few weeks back today; I am setting the first one up tomorrow. Surprised MAC filtering isn't already there.
Dallas Gray
CCNP, CCNA, CCDA, CWTS, UACA, NET+, A+, CXFF
Ubiquiti Employee
Posts: 991
Registered: ‎05-04-2009
Kudos: 527
Solutions: 17
Contributions: 1

Re: MAC filtering on UniFi

G'day team,
Any chance that MAC filtering might be incorporated in the UniFi product sometime soon? Just a more convenient method for Enterprise security.


UniFi provides a feature called Blocked Devices where you can black-list clients by their MAC addresses. Are you thinking about a feature where you define allowed MAC?

Either approach doesn't scale very well, though. How many users do you think there will be in the deployment?
New Member
Posts: 2
Registered: ‎03-16-2011

Re: MAC filtering on UniFi

We also just got a 3-pack to play with and were surprised that MAC authentication isn't available. We're looking to replace some Avaya AP-7's which can authenticate MAC addresses using RADIUS. This is really useful (and scales nicely) because we can tie the RADIUS server into our asset database to only allow trusted computers on the employee network without having to manually update the trusted MAC list on the access points.
Ubiquiti Employee
Posts: 991
Registered: ‎05-04-2009
Kudos: 527
Solutions: 17
Contributions: 1

Re: MAC filtering on UniFi

We also just got a 3-pack to play with and were surprised that MAC authentication isn't available. We're looking to replace some Avaya AP-7's which can authenticate MAC addresses using RADIUS. This is really useful (and scales nicely) because we can tie the RADIUS server into our asset database to only allow trusted computers on the employee network without having to manually update the trusted MAC list on the access points.


That makes sense. We'll look into this. A quick question: is the RADIUS configured just for wireless authentication purposes, or is it part of an inventory / IT system?

(I.e. if we implement it in UniFi, who should be doing the MAC authentication)
New Member
Posts: 2
Registered: ‎03-16-2011

Re: MAC filtering on UniFi

That makes sense. We'll look into this. A quick question: is the RADIUS configured just for wireless authentication purposes, or is it part of an inventory / IT system?

(I.e. if we implement it in UniFi, who should be doing the MAC authentication)


We're using two separate RADIUS servers in our case: one for client authentication and a FreeRADIUS server with a MySQL back-end for MAC addresses. The access point sends a packet like this:

User-Name = "34:15:9e:8f:99:0d"
User-Password = "constant_shared_secret_here"
Called-Station-Id = "00-20-a6-55-fd-7b:MySSID"
Calling-Station-Id = "34-15-9e-8f-99-0d;MySSID"
NAS-Port = 2
NAS-Port-Type = Wireless-802.11

The User-Name attribute is the client's MAC address. FreeRADIUS responds with an "Access-Accept" packet. We are doing this with some HP ProCurve switches, too, so I think this is somewhat standard...?
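The decision a RADIUS back-end makes for the request quoted above, as an added example that is not part of the original post and not FreeRADIUS code: it parses the attributes, normalizes the two MAC notations (colon-separated User-Name, hyphenated Calling-Station-Id with an SSID suffix) and checks them against an inventory. The `ASSET_DB` contents, the hostname and the function names are assumptions made for illustration.

```python
import hmac
import re

# Constructed asset inventory standing in for the poster's MySQL table.
ASSET_DB = {"34159e8f990d": "laptop-0042"}

# The Access-Request attributes exactly as quoted in the post above.
SAMPLE = '''
User-Name = "34:15:9e:8f:99:0d"
User-Password = "constant_shared_secret_here"
Called-Station-Id = "00-20-a6-55-fd-7b:MySSID"
Calling-Station-Id = "34-15-9e-8f-99-0d;MySSID"
NAS-Port = 2
NAS-Port-Type = Wireless-802.11
'''

_ATTR = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')
_MAC = re.compile(r"(?:[0-9a-f]{2}[:.-]?){5}[0-9a-f]{2}(?![0-9a-f])")


def parse_request(text):
    """Turn 'Attribute = value' lines into a dict, dropping the quotes."""
    matches = (_ATTR.match(line) for line in text.strip().splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def normalize_mac(value):
    """Leading MAC in any separator style -> 12 lowercase hex digits, else None."""
    m = _MAC.match(value.strip().lower())
    return re.sub(r"[^0-9a-f]", "", m.group(0)) if m else None


def decide(attrs, secret):
    """Return (RADIUS reply, reason or asset name) for one MAC-auth request."""
    user = normalize_mac(attrs.get("User-Name", ""))
    calling = normalize_mac(attrs.get("Calling-Station-Id", ""))
    if user is None or calling is None:
        return "Access-Reject", "malformed MAC"
    if user != calling:  # NAS-reported station must match the claimed name
        return "Access-Reject", "User-Name/Calling-Station-Id mismatch"
    sent = attrs.get("User-Password", "").encode()
    if not hmac.compare_digest(sent, secret.encode()):
        return "Access-Reject", "wrong MAC-auth password"
    if user not in ASSET_DB:
        return "Access-Reject", "MAC not in asset database"
    return "Access-Accept", ASSET_DB[user]


print(decide(parse_request(SAMPLE), "constant_shared_secret_here"))
```

An Access-Accept here means only that the presented address is in the inventory; the request carries nothing that binds the address to a particular device.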
Senior Member
Posts: 3,082
Registered: ‎09-28-2010
Kudos: 501

Re: MAC filtering on UniFi

I'm not unsurprised that MAC filtering is not available, as it's trivial these days for a client to change its MAC address to an arbitrary MAC. MAC filtering is not any security at all with so many easy to use tools out there for 802.11g/n chipsets on Linux to spoof a MAC. It's only marginally more difficult in Windows, you need to change 1 registry string...
New Member
Posts: 2
Registered: ‎08-02-2012
Kudos: 1

Re: MAC filtering on UniFi

Any update on incorporating MAC filtering in UniFi yet? We just bought three of these devices and our security policy stipulates that only 'allowed' MAC addresses are allowed to connect. Are there any plans to incorporate this?
SuperUser
Posts: 21,761
Registered: ‎11-20-2011
Kudos: 7932
Solutions: 233

Re: MAC filtering on UniFi

I'm not unsurprised that MAC filtering is not available, as it's trivial these days for a client to change its MAC address to an arbitrary MAC. MAC filtering is not any security at all with so many easy to use tools out there for 802.11g/n chipsets on Linux to spoof a MAC. It's only marginally more difficult in Windows, you need to change 1 registry string...


Most Windows drivers allow you to do it natively(sp?) from the device properties.


New Member
Posts: 2
Registered: ‎08-02-2012
Kudos: 1

Re: MAC filtering on UniFi

IMO MAC filtering is still worthwhile as another layer of defence. Sure you can spoof a MAC address but you need to know what MAC address to spoof.
Emerging Member
Posts: 64
Registered: ‎11-19-2009
Kudos: 12
Solutions: 1

Re: MAC filtering on UniFi

You can do MAC filtering following this:
wiki.freeradius.org/Mac-Auth
We are just doing this. The example uses Mac-Auth for if(!EAP-Message); just change this for if(EAP-Message) and you will be doing MAC RADIUS auth with EAP.
Hope it helps.
New Member
Posts: 16
Registered: ‎01-17-2013
Kudos: 3

Ditto for MAC allow list

I just want to jump in and say I would also like to see a MAC allow list added to the software.

It would be nice to have a simple database that had a field for the user's name, the device (since some people have more than one wireless device), and the MAC address to be allowed for that device.

This is extremely important, for instance, when an employee is terminated.
New Member
Posts: 17
Registered: ‎07-25-2012
Kudos: 9

Re: MAC filtering on UniFi

We also need basic "Allowed List" type MAC filtering. We use this because we need a few of our company laptops to be able to access the WPA secured network, however we do NOT want our employees also connecting their iPhones, Androids, and whatever else to this particular.
The allowed list MAC filtering works perfectly for this.
New Member
Posts: 34
Registered: ‎07-04-2011
Kudos: 7

Re: MAC filtering on UniFi

It would be great if MAC authentication, combined with 802.1x will be available in a new software release.

At the moment I'm testing Unifi at the office and I'm about to order 20 Pro's ;-)

We still use HP Procurve for it at the moment.
The authentication is done via two MS Radius servers and all the "MAC Users" are in AD.

Elmar
wireless always starts wired ;-)
New Member
Posts: 17
Registered: ‎07-25-2012
Kudos: 9

Re: MAC filtering on UniFi

We also need basic "Allowed List" type MAC filtering. We use this because we need a few of our company laptops to be able to access the WPA secured network, however we do NOT want our employees also connecting their iPhones, Androids, and whatever else to this particular.

The allowed list MAC filtering works perfectly for this.



I would think this should be somewhat easy to implement on the UBNT devices considering every cheap Dlink and Linksys AP I have ever used has MAC address white-listing capabilities.
New Member
Posts: 6
Registered: ‎04-18-2013
Kudos: 1

Re: MAC filtering on UniFi

And yet as of 3.1.1 I don't see this option. The above poster was correct that MAC filtering does add a layer of security as you *do* need to know what MAC to spoof, and good luck breaking into a WPA2 encrypted network to find that out.

MAC filtering by itself, without encryption, is worthless however, as the MACs can be sniffed from the air w/o encryption.

New Member
Posts: 5
Registered: ‎11-07-2012
Kudos: 1

Re: MAC filtering on UniFi

MAC authentication/filtering is not only a security thing but can also be used to dispose the client's location.

see:

http://coova.org/node/4170

 

New Member
Posts: 4
Registered: ‎05-27-2013
Kudos: 5

Re: MAC filtering on UniFi

I really don't care HOW secure MAC filtering is or not! I have not yet found a network I can't get into, unless you don't lock in all your cables - so PLEASE concentrate on the question!

Is it possible to get a MAC-allow list? This is ONE of the security credentials we have on our company and I'm about to buy at least 20 to start with - if you can solve the problem.

New Member
Posts: 19
Registered: ‎03-28-2013
Kudos: 7

Re: MAC filtering on UniFi

Is this still not a basic feature of UniFi?  I just purchased a UAP-AC to test before recommending this brand to my clients and I cannot find this simple feature anywhere in the settings which both astonishes and disappoints me.

 

It is a very helpful feature to keep users in the office from jumping on the network whenever they would like with their mobile devices (cell phones) just by gaining access to the key from a fellow employee.  Sure, there are other methods, but it works well for us and has been a good deterrent for the average user.

New Member
Posts: 36
Registered: ‎10-06-2009
Kudos: 63

Re: MAC filtering on UniFi

Wow, I sure hope I never have to deploy a network where I work with some of you guys.  Not knowing is one thing, but those of you who seem to understand how useless MAC filtering is and yet still ask for it are just blowing my mind.

 


@nickwi wrote:
IMO MAC filtering is still worthwhile as another layer of defence. Sure you can spoof a MAC address but you need to know what MAC address to spoof.

And how hard is it to identify the MAC of a device in use on a network?  Answer: Literally the most trivial thing that can be done.  Any time that device transmits it is revealing its MAC to anyone listening.  Almost every "stumbler" type application used for WiFi scanning will list all the MACs seen on any APs it finds.

 


@simonstenlund wrote:

I really don't care HOW secure MAC filtering is or not! I have not yet found a network I can't get into, unless you don't lock in all your cables - so PLEASE concentrate on the question!

 MAC filtering is literally weaker than WEP.  It's at least theoretically plausible that an attacker doesn't have the ability to transmit raw WiFi frames, which significantly slows WEP attacks, but anyone who can connect to WiFi can see enough to bypass a MAC filter.

 

Basically MAC filtering is like having a password to get in the door at a party, but having everyone yelling the password non-stop so those outside can clearly hear it.  If you think it adds any security at all you do not understand security and should not be advising others on such topics.

 

Stop asking for this garbage "feature", it is a good thing it's not there because it prevents those who may not know better from using it and thinking they've secured anything.  It also prevents people like apparently some of those here from doing something that adds more maintenance load with zero security benefit.

 

So let's recap.  MAC filtering makes you manually add every new legitimate device to your approved list, while doing absolutely nothing at all to prevent illegitimate users from gaining access to your network.  If you think you need it, you are wrong.  If you are forced by policy to use it, your policy is wrong and those who created it are incompetent.  Period.

If you are using any security at all, even the trivially broken WEP, you gain absolutely nothing from adding MAC filtering.  The only time it is acceptable to use at all is if you absolutely MUST NOT use encryption on a network due to some legacy device that doesn't support it but want to prevent random users from accidentally connecting to the network.  You will not gain any security, even the lowest level of intentional attacker can trivially bypass it, but you will prevent the average Joe User from clicking on your network and connecting.  Again, if and only if you are forced by irreplaceable hardware to use an open network which is not intended to actually be open.  If you have any real security at all, even the trash that is WEP, MAC filtering only adds administrative hassles and absolutely nothing else.


Let me guess, next up in Bad Wireless Advice, disabling SSID broadcasts.... -_-
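Why the address is visible to any listener even on an encrypted network, as an added example that is not part of the thread: it decodes the fixed 802.11 MAC header of a data frame whose Protected flag is set. The frame bytes are constructed for illustration, reusing the AP and client addresses from the RADIUS packet quoted earlier in the thread; function names are assumptions.

```python
import struct

# Constructed QoS data frame, client -> AP, Protected bit set.
FRAME = bytes.fromhex(
    "8841" "2c00"                  # frame control (QoS data, ToDS, Protected), duration
    "0020a655fd7b"                 # address 1: receiver (the AP / BSSID)
    "34159e8f990d"                 # address 2: transmitter (the client)
    "020000000001"                 # address 3: final destination
    "1000" "0000"                  # sequence control, QoS control
    "0100002000000000"             # CCMP header (packet number, key id)
    "deadbeefdeadbeefdeadbeef"     # stand-in for the encrypted payload + MIC
)


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_dot11_header(frame):
    """Decode the 24-byte 802.11 header; none of these fields are encrypted."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte MAC header")
    fc0, flags, _duration = struct.unpack_from("<BBH", frame, 0)
    addr1, addr2 = frame[4:10], frame[10:16]
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    info = {
        "type": {0: "management", 1: "control", 2: "data"}.get((fc0 >> 2) & 3, "extension"),
        "protected": bool(flags & 0x40),   # payload is encrypted (WEP/TKIP/CCMP)
        "receiver": fmt_mac(addr1),
        "transmitter": fmt_mac(addr2),
    }
    if to_ds and not from_ds:              # client -> AP
        info["client"], info["bssid"] = fmt_mac(addr2), fmt_mac(addr1)
    elif from_ds and not to_ds:            # AP -> client
        info["client"], info["bssid"] = fmt_mac(addr1), fmt_mac(addr2)
    return info


print(parse_dot11_header(FRAME))
```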
