Blacklist Multiple MAC Addresses

  • Question
  • Updated 4 years ago
  • Answered
I'm currently running HMO 5.1r5a and I'm wondering what's the best way to block multiple MAC addresses? I've read the few threads already on this topic but I still can't seem to get it to work. 

I've created a MAC Object called 'BAN-THESE'
Under that I have about 10 MAC entries, the type being Device Name with one type being global. The MAC entry, value and description are all the MAC addresses, as shown below.
Next I go to MAC Filters and I apply that MAC Object to the MAC Filter with the action of Deny as shown below.

Now I go to my Network Policy > SSID > DoS Prevention and Filters and apply the Ban filter with the default action of permit. 
After I apply this to our APs it doesn't work. I tested this with my phone's MAC address and when I apply the settings I can still connect. The only way I can make it not connect is if I change that default action to deny, but then I think all wireless devices can't connect? Is there anything I'm missing or doing wrong here? If I upgrade to the latest HM will there be an easier way to do this?

Thanks.

Michael Peloquin

Posted 4 years ago

J. Goodnough, Champ

That filter isn't triggering because the DoS protection isn't being triggered.

Michael Peloquin

So am I blacklisting these MAC addresses the wrong way? What's the best way to do it?

J. Goodnough, Champ

Actually, my mistake, sorry. I misread your original post, no real suggestion at this time. Apologies!

BJ, Champ

Have you pushed the config to your APs?

BJ, Champ

Sorry, I overlooked that detail in your post. To create our blacklist, I opened the SSID, "optional settings" and added a MAC address filter. In the "SSIDs > Edit 'ieiappwep' > MAC Filters > New" screen, I added each MAC address, applied, and saved. Success after pushing the config.
I'm wondering if creating the object added an unnecessary layer of complexity.

Nick Lowe, Official Rep

Doing this can be a fool's errand as MAC addresses are really trivially changed. Is 802.1X or PPSKs not an option in this deployment?

Michael Peloquin

We have the wireless password protected, but some of the tech students cracked it. If they want to go through the trouble of spoofing the MAC on their phones after I blacklist their MAC... so be it. We do plan to implement another solution down the road; this is just a quick fix. I'm going to look into what you said, BJ.

Nick Lowe, Official Rep

Sure, as you no doubt know, you really do not want to be using a single shared key among your clients in the longer term. 802.1X would be your best route to securing things where feasible, PPSKs otherwise or a hybrid of the two on different SSIDs. Good luck with the students! :)

Michael Peloquin

Thanks. Before I started, the wireless was completely open for everyone -__-

Michael Peloquin

I was able to get it to work by making individual objects for each MAC address.