New Member
Posts: 1
Registered: ‎11-19-2015

Re: MAC filtering on UniFi

UP.

 

I'd like to see whitelist capabilities on Unifi AP too.

New Member
Posts: 1
Registered: ‎12-17-2015

Re: MAC filtering on UniFi

I am also struggling to find a way out to allow only some MAC addresses.

Veteran Member
Posts: 4,842
Registered: ‎06-13-2015
Kudos: 1314
Solutions: 229

Re: MAC filtering on UniFi

To anybody looking for MAC filtering (blacklisting and whitelisting, time dependent): would there be an interest in a custom external portal which can provide this functionality? After having given it some thought I believe this can be done, but it would take some time and effort to implement this together with a good-looking and robust management portal page.

Such a solution would preferably be PHP/MySQL based. Of course, you will also have to acknowledge the fact that MAC filtering is not the most secure approach... but I do not wish to join that debate.

Art of WiFi
Check out our UniFi API browser tool on GitHub. The PHP API client which it uses, can be found here on GitHub.
The thread on our UniFi Device Search tool can be found here, also check out our Captive Portal solutions for UniFi.
New Member
Posts: 1
Registered: ‎02-13-2016

Re: MAC filtering on UniFi

I'd really like to see a MAC address white-list added to the controller. This is a pretty standard feature even on ISP-supplied home routers these days, so I was very surprised to find it wasn't available in the Unifi range. Come on Ubiquiti, this should be a simple addition for you to make!
New Member
Posts: 5
Registered: ‎02-16-2016

Re: MAC filtering on UniFi

I would also like to use MAC filtering.

 

I wonder if anyone from Ubiquiti is listening to us?

Ubiquiti Employee
Posts: 4,424
Registered: ‎06-18-2015
Kudos: 1332
Solutions: 401

Re: MAC filtering on UniFi

I'm afraid MAC filtering is unlikely going to be added as it's inherently insecure.  If you want per-device filtering, it's much better to implement WPA2 Enterprise with a Radius server, which UniFi does support.

Ubiquiti Networks Enterprise Support Team


UniFi Protect: UniFi Protect Help Center | Frequently Asked Questions

UniFi Video 3: UniFi Video Help Center | UFV3 User Guide


New Member
Posts: 17
Registered: ‎07-16-2013
Kudos: 5

Re: MAC filtering on UniFi

Thank you for the reply Cody. A few points:

 

"If you want per-device filtering, it's much better to implement WPA2 Enterprise with a Radius server, which UniFi does support."

Agree that RADIUS is better - but we're just asking for you to give us the option, and let us decide on a client by client/site by site basis.

 

"I'm afraid MAC filtering is unlikely going to be added as it's inherently insecure."

For argument's sake, since WEP is also considered insecure, are we going to see it removed from Unifi devices?

 

 

At my clients I don't need the overhead and complexity of a RADIUS server. I just want company/school allowed devices on this SSID, and employee/student devices on that SSID. As it is, I can keep the two separate for a while, but eventually the company/school SSID gets out and I have to change the keys (again).

 

MAC address filtering would prevent this.

 

Todd

 

New Member
Posts: 5
Registered: ‎02-16-2016

Re: MAC filtering on UniFi

We also have some legacy devices that only have WEP security. We want to implement the MAC filtering in conjunction with WEP to provide at the very least a little more security than they would otherwise have.

 

I'm disappointed with the response. It sounds like it's gone into the 'too hard' basket. 

New Member
Posts: 3
Registered: ‎10-23-2015
Kudos: 1

Re: MAC filtering on UniFi

Well, after ALL THIS TIME! 

Finally a response from Ubiquiti - Wow, I have no words.

Unfortunately it was a rather terse thought, with a childlike and extremist response.

"Do it all or Do nothing" seems to be the message.

 

Who could argue that it would be better to install a Radius server ?

Oh, were it that ALL your customers were in an enterprise environment, Life would be so easy.

 

There is not a single other Router or AP that I have ever run into that has the requirement of setting up a RADIUS.

It seems that most of THEM acknowledge that there is a middle ground, though it be imperfect, it is better than nothing. That is why they DO employ MAC filtering, because it is better than a non-RADIUS system without it.

The myopia of Ubiquiti is only exceeded by their incredible response time to issues in their own forums.

Cody, I will write your response off to the impetuousness of youth, at least you DID respond.

Any chance that we can get to a level 2 agent ?

New Member
Posts: 9
Registered: ‎09-24-2014
Kudos: 1

Re: MAC filtering on UniFi

UBIQUITI, please understand that the discussion is not about "filtering by MAC is safe or unsafe."
MAC filtering is a feature that is useful and that UBIQUITI has not implemented on its devices.
You must provide the tools and settings on your devices. Then we (the clients) decide what kind of configuration and security level we want or need to implement.

In Unifi we can already block a connected client (and the block is by MAC). Why should we wait for it to connect at least once before blocking it? Don't you think it would be better to preset only the allowed MACs?
Ubiquiti Employee
Posts: 4,424
Registered: ‎06-18-2015
Kudos: 1332
Solutions: 401

Re: MAC filtering on UniFi

I apologize if my response sounded insensitive - all I meant was to offer a much better alternative to the two recent posters.  I haven't said MAC white/blacklisting will never be added - it could be added in the future, but at this time I don't know of any immediate plans to add it.

 

As for WEP, as was mentioned earlier there are many legacy devices which outright require WEP and as such it's included - but we still strongly advise against using it unless there are no other options.  We also don't offer 

 

That said, if you are one that needs filtering, I'd recommend voting for the feature request that's posted here as development is strongly influenced by input in that section: http://community.ubnt.com/t5/UniFi-Feature-Requests/Per-SSID-MAC-Filtering/idi-p/608893


New Member
Posts: 17
Registered: ‎07-16-2013
Kudos: 5

Re: MAC filtering on UniFi

Thank you Cody. We appreciate you replying back and understand where you're coming from. 

 

When people find this thread and post, do we need to direct them to the Feature Request thread instead?

Ubiquiti Employee
Posts: 4,424
Registered: ‎06-18-2015
Kudos: 1332
Solutions: 401

Re: MAC filtering on UniFi

While we monitor both the forum and the Feature Requests, the number of votes on the Feature Requests section is a strong indicator as to what we should prioritize development on.


New Member
Posts: 3
Registered: ‎10-23-2015
Kudos: 1

Re: MAC filtering on UniFi

Sometimes you just have to throw your hands outstretched above your head and run around the room screaming, just before you throw yourself off the balcony to be rid of the insanity. That Ubiquiti would need us to post ANYWHERE to ask for what is commonplace on any competitor's product fits the above scenario. That it wasn't integrated into the ORIGINAL product fits that bill as well. That ANY conversation is required other than "UBIQUITI, You'd sell a lot more of your stuff and get a lot less of it back" fits the bill too. I feel I am trapped in a South Park episode about the movie Groundhog Day.
Veteran Member
Posts: 4,728
Registered: ‎03-11-2013
Kudos: 1480
Solutions: 88

Re: MAC filtering on UniFi

If you are going out on the balcony please close the door after you and don't scare the horses.

New Member
Posts: 11
Registered: ‎09-25-2014

Re: MAC filtering on UniFi

Unifi implemented the solution about 3 years around the group of dealers totaling 20 dealers from Honda, Hyundai and Volkswagen. At first we were definitely disappointed by a solution Unifi be as good and at the same time does not have such a simple feature! Since then we are eagerly awaiting this feature! Unfortunately many of our partners failed to implement Unifi not have this feature. Since then we are eagerly awaiting the release of the same... "The door of our house must be closed, and we decide who comes!"

New Member
Posts: 6
Registered: ‎03-26-2014

Re: MAC filtering on UniFi

Been watching this thread for a LONG time now...still hoping something like this will show up.

New Member
Posts: 31
Registered: ‎06-16-2009
Kudos: 4

Re: MAC filtering on UniFi


@slooffmaster wrote:

After having given it some thought I believe this can be done


Supposedly it can be done with RADIUS. I had a go with FreeRADIUS:

 

http://wiki.freeradius.org/guide/mac-auth

 

but wasn't able to get anywhere. All that support could tell me was to use something other than FreeRADIUS.

 

If Ubiquiti aren't going to add MAC black/whitelists, they could at least give examples of how to do it with RADIUS.

 

New Member
Posts: 7
Registered: ‎02-27-2016
Kudos: 5

Re: MAC filtering on UniFi

So I realize this is a bit old, but I thought I'd offer some perspective on this kind of pentest/security assessment scenario where you spoof or steal an existing user's MAC address and somehow miraculously break WPA2 and get access to their network. There is a pretty high likelihood that the duplication of IPs and MACs will result in the other host having connectivity issues which will most often get the attention of network sysadmins and/or security.

This has significant ramifications beyond what I just described as extremely noisy and loud behavior. MAC filtering is not a panacea, but it has its presence. It's like having a lock on the front door of your business and the door is glass. Everyone knows you can smash the glass and get in, but the deliberate act of doing so makes you culpable of intentionally breaking into a network without authorization. There's no way to say, "oops, I accidentally connected to the network". Your level of intentional illegal activity and therefore intent has significantly increased.

 

So the point is that it demonstrates intent, and in a court of law, intent will make the difference between a slap on the wrist and a much more serious set of charges. There are always other features that are designed to mitigate this, but the combined effect is simply to make it just a bit more difficult and slow down your adversary and give you time to respond. 

 

@wolrah - just some unsolicited advice, don't call people idiots and stupid when you haven't walked in their shoes for a while. You may be technically correct in your statement. You may one day find yourself in that position and you'll appreciate it when someone very technical explains the issues in a considerate fashion. It fosters a conversation that may lead to furthering your understanding of the issues in ways you might have never understood. But hey, you may just have to learn that the hard way.

 

My vote is to put the feature in, and put a footnote that this is not a panacea and that there are attacks to bypass it. Ever wonder why WEP is even a feature in them to begin with? We all know it's not secure, but it's still there. I'm sure there's a reason but you don't see everyone bashing Ubiquiti on it, do you?
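
The post above argues that a cloned MAC is noisy because the same address ends up live in two places. As an added example (not part of the original thread), this sketch flags a MAC that is associated on two APs at once and discards ordinary roams; the log format, AP names and the 10-second roam window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a made-up key=value format (not UniFi's log format).
SAMPLE_LOG = """\
2016-03-01T09:00:00 ap=AP-Office event=assoc mac=AA-BB-CC-11-22-33
2016-03-01T09:05:00 ap=AP-Office event=assoc mac=aa:bb:cc:44:55:66
2016-03-01T09:30:00 ap=AP-Lobby event=assoc mac=aa:bb:cc:11:22:33
2016-03-01T10:10:00 ap=AP-Lobby event=assoc mac=aabb.cc44.5566
2016-03-01T10:10:03 ap=AP-Office event=disassoc mac=aa:bb:cc:44:55:66
"""
LINE_RE = re.compile(r"^(\S+) ap=(\S+) event=(assoc|disassoc) mac=(\S+)$")
ROAM_GRACE = timedelta(seconds=10)  # assumed: old AP reports a roam within 10 s


def normalize_mac(raw):
    """Reduce any common MAC notation to lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_duplicate_macs(log_text):
    """Return alerts for a MAC associated on two APs at once (not a normal roam)."""
    active = {}   # mac -> set of APs where it is currently associated
    alerts = []   # candidates; a prompt disassoc from the old AP cancels them
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in other formats
        ts, ap, event, mac = m.groups()
        ts, mac = datetime.fromisoformat(ts), normalize_mac(mac)
        aps = active.setdefault(mac, set())
        if event == "disassoc":
            aps.discard(ap)
            # A disassoc from the old AP shortly after the new assoc is a roam.
            alerts = [a for a in alerts if not (
                a["mac"] == mac and a["old_ap"] == ap and ts - a["time"] <= ROAM_GRACE)]
            continue
        for old_ap in sorted(aps - {ap}):
            alerts.append({"mac": mac, "old_ap": old_ap, "new_ap": ap, "time": ts})
        aps.add(ap)
    return alerts


if __name__ == "__main__":
    for alert in find_duplicate_macs(SAMPLE_LOG):
        print(f"{alert['time']} {alert['mac']} on {alert['old_ap']} and {alert['new_ap']}")
```

The three notations in the sample show why the address has to be normalized before comparison: the same device can be reported differently by different sources.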

 

Veteran Member
Posts: 4,728
Registered: ‎03-11-2013
Kudos: 1480
Solutions: 88

Re: MAC filtering on UniFi

Most of the people agonising over MAC filtering and making lengthy demands appear to have missed what Apple is doing with MAC addresses. Perhaps in the light of this they may like to revise exactly what they are asking for.

For those who do need blacklists and whitelists, the open source Univention server offers Radius working with Blacklists and Whitelists. And it is free... and configured... and ready to go

 

R+C
