12-19-2015 05:42 AM - edited 12-19-2015 05:46 AM
To anybody looking for MAC filtering (blacklisting and whitelisting, time-dependent): would there be an interest in a custom external portal which can provide this functionality? After having given it some thought I believe this can be done, but it would take some time and effort to implement this together with a good-looking and robust management portal page.
Such a solution would preferably be PHP/MySQL based. Of course, you will also have to acknowledge the fact that MAC filtering is not the most secure approach... but I do not wish to join that debate.
02-13-2016 06:20 AM
02-17-2016 01:04 PM
I'm afraid MAC filtering is unlikely going to be added as it's inherently insecure. If you want per-device filtering, it's much better to implement WPA2 Enterprise with a Radius server, which UniFi does support.
02-17-2016 04:42 PM
Thank you for the reply Cody. A few points:
"If you want per-device filtering, it's much better to implement WPA2 Enterprise with a Radius server, which UniFi does support."
Agree that RADIUS is better - but we're just asking for you to give us the option, and let us decide on a client by client/site by site basis.
"I'm afraid MAC filtering is unlikely going to be added as it's inherently insecure."
For argument's sake, since WEP is also considered insecure, are we going to see it removed from Unifi devices?
At my clients I don't need the overhead and complexity of a RADIUS server. I just want company/school allowed devices on this SSID, and employee/student devices on that SSID. As it is, I can keep the two separate for a while, but eventually the company/school SSID gets out and I have to change the keys (again).
MAC address filtering would prevent this.
02-17-2016 04:52 PM
We also have some legacy devices that only have WEP security. We want to implement the MAC filtering in conjunction with WEP to provide at the very least a little more security than they would otherwise have.
I'm disappointed with the response. It sounds like it's gone into the 'too hard' basket.
02-17-2016 05:28 PM
Well, after ALL THIS TIME!
Finally a response from Ubiquiti - Wow, I have no words.
Unfortunately it was a rather terse thought, with a childlike and extremist response.
"Do it all or Do nothing" seems to be the message.
Who could argue that it would be better to install a Radius server?
Oh, were it that ALL your customers were in an enterprise environment, Life would be so easy.
There is not a single other Router or AP that I have ever run into that has the requirement of setting up a RADIUS.
It seems that most of THEM acknowledge that there is a middle ground, though it be imperfect, it is better than nothing. That is why they DO employ MAC filtering, because it is better than a non-RADIUS system without it.
The myopia of Ubiquiti is only exceeded by their incredible response time to issues in their own forums.
Cody, I will write your response off to the impetuousness of youth, at least you DID respond.
Any chance that we can get to a level 2 agent?
02-17-2016 05:32 PM
MAC filtering is a feature that is useful and UBIQUITI has not implemented it on their devices.
You must provide the tools and settings on their devices. Then we (the clients) decide what kind of configuration and security level we want or need to implement.
02-17-2016 06:09 PM
I apologize if my response sounded insensitive - all I meant was to offer a much better alternative to the two recent posters. I haven't said MAC white/blacklisting will never be added - it could be added in the future, but at this time I don't know of any immediate plans to add it.
As for WEP, as was mentioned earlier there are many legacy devices which outright require WEP and as such it's included - but we still strongly advise against using it unless there are no other options. We also don't offer
That said, if you are one that needs filtering, I'd recommend voting for the feature request that's posted here as development is strongly influenced by input in that section: http://community.ubnt.com/t5/UniFi-Feature-Requests/Per-SSID-MAC-Filtering/idi-p/608893
02-20-2016 07:29 AM
Thank you Cody. We appreciate you replying back and understand where you're coming from.
When people find this thread and post, do we need to direct them to the Feature Request thread instead?
02-22-2016 11:46 AM
While we monitor both the forum and the Feature Requests, the number of votes on the Feature Requests section is a strong indicator as to what we should prioritize development on.
02-22-2016 11:55 AM
02-22-2016 12:51 PM
Unifi implemented the solution about 3 years around the group of dealers totaling 20 dealers from Honda, Hyundai and Volkswagen. At first we were definitely disappointed by a solution Unifi be as good and at the same time does not have such a simple feature! Since then we are eagerly awaiting this feature! Unfortunately many of our partners failed to implement Unifi not have this feature. Since then we are eagerly awaiting the release of the same... "The door of our house must be closed, and we decide who comes!"
02-22-2016 01:40 PM
"After having given it some thought I believe this can be done"
Supposedly it can be done with RADIUS. I had a go with FreeRADIUS:
but wasn't able to get anywhere. All that support could tell me was to use something other than FreeRADIUS.
If Ubiquiti aren't going to add MAC black/whitelists, they could at least give examples of how to do it with RADIUS.
02-28-2016 12:49 PM
So I realize this is a bit old, but I thought I'd offer some perspective on this kind of pentest/security assessment scenario where you spoof or steal an existing user's MAC address and somehow miraculously break WPA2 and get access to their network. There is a pretty high likelihood that the duplication of IPs and MACs will result in the other host having connectivity issues which will most often get the attention of network sysadmins and/or security.
This has significant ramifications beyond what I just described as extremely noisy and loud behavior. MAC filtering is not a panacea, but it has its presence. It's like having a lock on the front door of your business and the door is glass. Everyone knows you can smash the glass and get in, but the deliberate act of doing so makes you culpable of intentionally breaking into a network without authorization. There's no way to say, "oops, I accidentally connected to the network". Your level of intentional illegal activity and therefore intent has significantly increased.
So the point is that it demonstrates intent, and in a court of law, intent will make the difference between a slap on the wrist and a much more serious set of charges. There are always other features that are designed to mitigate this, but the combined effect is simply to make it just a bit more difficult and slow down your adversary and give you time to respond.
@wolrah - just some unsolicited advice, don't call people idiots and stupid when you haven't walked in their shoes for a while. You may be technically correct in your statement. You may one day find yourself in that position and you'll appreciate it when someone very technical explains the issues in a considerate fashion. It fosters a conversation that may lead to furthering your understanding of the issues in ways you might have never understood. But hey, you may just have to learn that the hard way.
My vote is to put the feature in, and put a footnote that this is not a panacea and that there are attacks to bypass it. Ever wonder why WEP is even a feature in them to begin with? We all know it's not secure, but it's still there. I'm sure there's a reason but you don't see everyone bashing Ubiquiti on it, do you?
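Added example, not part of the original post or any UniFi tooling: the post above notes that a duplicated MAC tends to cause visible connectivity trouble, and one way to surface that from the defender's side is to flag a MAC that ping-pongs between access points faster than ordinary roaming would. The log line format, AP names, MAC addresses and thresholds are all assumptions constructed for illustration, and the input is assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample association log; the format is an assumption, not a UniFi format.
SAMPLE_LOG = """\
2016-02-28T12:00:00 ap=AP-Office mac=aa:bb:cc:00:00:01 event=assoc
2016-02-28T12:00:05 ap=AP-Lobby mac=aa:bb:cc:00:00:01 event=assoc
2016-02-28T12:00:09 ap=AP-Office mac=aa:bb:cc:00:00:01 event=assoc
2016-02-28T12:00:14 ap=AP-Lobby mac=aa:bb:cc:00:00:01 event=assoc
2016-02-28T12:00:20 ap=AP-Office mac=aa:bb:cc:00:00:01 event=assoc
2016-02-28T12:01:00 ap=AP-Office mac=aa:bb:cc:00:00:02 event=assoc
2016-02-28T12:20:00 ap=AP-Lobby mac=aa:bb:cc:00:00:02 event=assoc
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(\S+) ap=(\S+) mac=((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) event=assoc$", re.I)


def find_flapping_macs(log_text, window_s=60, max_moves=3):
    """Return {mac: peak number of AP changes inside any window_s-second
    window} for MACs whose peak exceeds max_moves (a heuristic, not proof)."""
    last_ap = {}                   # mac -> AP of the most recent association
    moves = defaultdict(deque)     # mac -> timestamps of recent AP changes
    peak = defaultdict(int)        # mac -> largest window count seen so far
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # skip lines that are not association events
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue               # skip lines with an unparsable timestamp
        ap, mac = m.group(2), m.group(3).lower()
        if mac in last_ap and last_ap[mac] != ap:
            q = moves[mac]
            q.append(ts)
            # Drop AP changes that have fallen out of the sliding window.
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            peak[mac] = max(peak[mac], len(q))
        last_ap[mac] = ap
    return {mac: n for mac, n in peak.items() if n > max_moves}
```

A single slow move between APs, like the second MAC in the sample, is normal roaming and stays below the threshold; tune `window_s` and `max_moves` to the site's AP density.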
02-28-2016 10:22 PM
Most of the people agonising over MAC filtering and making lengthy demands appear to have missed what Apple is doing with MAC addresses. Perhaps in the light of this they may like to revise exactly what they are asking for.
For those who do need blacklists and whitelists, the open source Univention server offers Radius working with Blacklists and Whitelists. And it is free... and configured... and ready to go