How do I do the mac filter deny?

  • Question
  • Updated 3 years ago
  • Answered
Can someone make a tutorial on how to do the mac filter deny? I have tried numerous types of equipment and cannot get our APs to deny connectivity.

Any help will be greatly appreciated.

Note: This topic was created from a reply on the Is there a easier way to black list clients. topic.
Eric

Posted 5 years ago

Brian Ambler
Hi Eric,

With a bit more detail I should be able to help you out. Are you looking to set up MAC filtering on our APs or Branch Routers for wireless clients? Or were you looking for how to set up MAC filtering on our Switches or Branch Routers for your wired clients? Also, were you looking to set up traditional MAC filtering or MAC authentication?

Thanks in advance
Eric
We are looking at setting up MAC filtering on our HiveManager for our public wireless access. There are several mobile devices connecting that need to be blocked, and the only item we have is the MAC.
Crowdie, Champ
Remember that MAC filtering is not a security feature as it can be easily nullified by MAC spoofing applications readily available on the Internet.
Brian Ambler
Crowdie is exactly right, MAC filtering is certainly not a viable form of securing your network. However, I will certainly inform you of how to configure the feature for our solution.

1) On the desired Network Policy, click on the SSID on which you wish to enable MAC filtering:


2) On the Edit SSID page, expand "DoS Prevention and Filters" under "Optional Settings", then click the plus ("+") icon under "Available MAC Filters":


3) Give the new MAC filter a name, then click the plus ("+") icon under "MAC Address/OUI":


4) Give the new MAC Object a name, then enter the desired MAC address under "MAC Entry", then click "Save":
(If more than one MAC address needs to be filtered, repeat steps 3 & 4 as needed)


5) Once you have created the needed MAC objects, select each object individually, then click "Apply":


6) Since we are configuring MAC filtering to block clients from connecting to the SSID, make sure that you set the Action for each object to Deny:


7) Click "Save":


8) Select the MAC filter you just defined (or multiple), then click the single arrow (">") to move the selected filters over from "Available MAC Filters" to "Selected MAC Filters":


9) Since we are blacklisting selected MAC addresses, make sure that you set the "Default Action" under "MAC Address Filters" to Permit:


10) Scroll up to the top of the page, then click "Save":


11) On the Network Policy, click Continue in the upper right hand corner of the page:


12) Select the AP(s) on which you configured the MAC filter(s), click "Update", then "Update Devices":


13) To push the configuration changes out to your AP(s), click "Update":


Hope this helps
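The walkthrough above is entirely in the HiveManager GUI, so as an added example (not HiveManager or Aerohive code) here is the same filter logic written out in Python: one Deny object per MAC (steps 3-6), a filter whose Default Action is Permit (step 9), and a small parser for cleaning up a list of addresses pulled from a client report before you create the objects. Assumptions not stated on the page: objects are evaluated in order and the first match decides, and an OUI entry matches the first three octets of the client MAC.

```python
"""
Semantics of the SSID "MAC Address Filters" configured in steps 1-13 above:
each MAC object carries its own Action (step 6) and the filter has a
Default Action for clients that match no object (step 9).

Added example, not HiveManager code.  Assumptions: objects are evaluated
in order and the first match decides; an OUI entry matches the first three
octets of the client MAC.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

_NON_HEX = re.compile(r"[^0-9a-fA-F]")


def _hex_digits(s: str, n: int, what: str) -> str:
    """Strip separators (:, -, .) and require exactly n hex digits."""
    h = _NON_HEX.sub("", s).lower()
    if len(h) != n:
        raise ValueError(f"not a {what}: {s!r}")
    return h


def normalize_mac(s: str) -> str:
    """00:11:22:AA:BB:CC, 00-11-22-aa-bb-cc, 0011.22aa.bbcc or 001122aabbcc -> '001122aabbcc'."""
    return _hex_digits(s, 12, "MAC address")


def normalize_oui(s: str) -> str:
    """00:50:56, 00-50-56 or 005056 -> '005056' (first three octets of a MAC)."""
    return _hex_digits(s, 6, "OUI")


def is_locally_administered(s: str) -> bool:
    """True when bit 1 of the first octet is set (the IEEE U/L bit).  Manually set
    or randomised MACs normally have it set; a vendor burned-in MAC does not, so a
    deny list built from vendor MACs says nothing about such clients."""
    return bool(int(normalize_mac(s)[:2], 16) & 0x02)


def parse_mac_list(text: str) -> Tuple[List[str], List[str]]:
    """Turn a scrubbed client report (one MAC per line, '#' comments allowed)
    into a sorted, de-duplicated list plus the lines that were rejected."""
    good, bad = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            good.add(normalize_mac(line))
        except ValueError:
            bad.append(line)
    return sorted(good), bad


@dataclass(frozen=True)
class MacObject:
    """One 'MAC Object' as created in steps 3-4: a name, its entries and an Action."""
    name: str
    action: str                      # "permit" or "deny" (step 6)
    macs: frozenset = frozenset()    # 12-hex-digit client addresses
    ouis: frozenset = frozenset()    # 6-hex-digit vendor prefixes

    def matches(self, mac: str) -> bool:
        return mac in self.macs or mac[:6] in self.ouis


class MacFilter:
    """The 'MAC Filter' of step 8 with the 'Default Action' of step 9."""

    def __init__(self, name: str, default_action: str, objects: Iterable[MacObject]):
        if default_action not in ("permit", "deny"):
            raise ValueError(f"default action must be permit/deny: {default_action!r}")
        self.name = name
        self.default_action = default_action
        self.objects = list(objects)

    def evaluate(self, client_mac: str) -> str:
        mac = normalize_mac(client_mac)
        for obj in self.objects:          # assumption: first matching object wins
            if obj.matches(mac):
                return obj.action
        return self.default_action        # no match: the step-9 default applies


def build_blacklist(name: str, macs: Iterable[str], ouis: Iterable[str] = ()) -> MacFilter:
    """Steps 3-9 for the 'block these devices' case: one Deny object per MAC
    (the walkthrough repeats steps 3-4 per address), a Deny object per OUI,
    and Default Action Permit so everyone else still connects."""
    objs = [MacObject(f"{name}-{m}", "deny", macs=frozenset([normalize_mac(m)])) for m in macs]
    objs += [MacObject(f"{name}-oui-{o}", "deny", ouis=frozenset([normalize_oui(o)])) for o in ouis]
    return MacFilter(name, "permit", objs)


if __name__ == "__main__":
    # Constructed sample report; not real client data.
    report = """
    00:11:22:AA:BB:CC   # iPod seen in the session report
    00-11-22-aa-bb-cc   # same device, different notation: de-duplicated
    0011.22aa.bbdd
    not-a-mac
    """
    macs, rejected = parse_mac_list(report)
    print("deny list:", macs, "rejected:", rejected)

    guest = build_blacklist("guest-deny", macs)
    print(guest.evaluate("00:11:22:AA:BB:CC"))   # deny: listed device
    print(guest.evaluate("00:11:22:AA:BB:EE"))   # permit: unlisted device
    # Crowdie's caveat in practice: the same device with a changed MAC is just "unlisted".
    spoofed = "02:11:22:AA:BB:CC"
    print(guest.evaluate(spoofed), is_locally_administered(spoofed))   # permit True
```

The last three lines are the whole argument against relying on this: a blacklist with Default Action Permit can only ever deny addresses it already knows, and a client that changes its MAC matches nothing. The `is_locally_administered` check is a cheap hint that an address was set by software rather than burned in by the vendor, but it is a hint, not a control. The vendor's CSV import format linked in the next reply is not reproduced here; the parser only prepares a clean, de-duplicated list.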
Stefan Sonderegger
Additional useful info for that: if you have a lot of MAC addresses, you can also import a CSV file.
This option is available when you use the advanced configuration menu.

[Security Policies/MAC Filters]

The import creates a MAC object for every MAC address and, of course, a MAC filter object with the MAC addresses added.
Info and examples about the CSV format can be found here: http://www.aerohive.com/330000/docs/h...

I'm using version 6.1r2a.
Nick Lowe, Official Rep
Urgh... it displeases me greatly that MAC addresses are being used and abused in this way.

It is always the wrong thing to do and your design/architecture is instead wrong elsewhere if you feel you need to do it. You don't.
Brian Powers, Champ
So to ask a question then. How would you accomplish this? Say you just wanted to stop an "average Joe/Jane" who you employ from using their personal device on your public wifi. Reasons matter not as to why you wish to deny them access.

Securing it and issuing some sort of keys requires too much management overhead, as you don't want to have to give someone a side job of any additional extra work. ID Manager is an added cost that your company doesn't want to pay.

Seems to me this is a pretty simplistic and easy approach to deny the average user, who most likely doesn't even know how to spoof their MAC address, access to your public wifi...

I'm curious as to how some of you folks handle these situations with customers or your own network you may manage.
Vince

Brian: This is my situation exactly, which is how I came upon this post. In the year since you posed your question, has anyone suggested a better "simple" approach to this problem?

Crowdie, Champ
It really comes down to what you are protecting. If the issue is just some Internet access then utilising the layer seven firewalls in the access points (to block torrents and other peer-to-peer networking applications) and some rate limiting may be all that you need. I once had it described to me that nobody is going to spend twenty hours downloading a file when they can download it in three hours via the local McDonald's free wireless network (although my local McDonald's wireless network is so slow that you are lucky if the captive portal login screen doesn't time out).
Eric
Brian has some excellent points. In our environment, the "powers that be" have a policy that we have to provide open wireless access for guests, students, etc. that is monitored through our web filtering.

The main problem is illicit use of the BYOD, such as porn surfing, pirating, etc. Since the public access cannot have a PSK, and we do not have funding to purchase BYOD management software, MAC filtering is a cost efficient resolution.

MAC spoofing has been around since the '80s, is publicly documented and absolutely not the best security option. I do agree that the common user will not be jailbreaking their iPhone to spoof the MAC.
Crowdie, Champ
I believe there are three parts to any authentication design:

1. What type of authentication is appropriate for the network? (If the wireless client requires access to domain resources does the wireless client/user need to authenticate to the domain?)
2. How to protect the LAN while supporting appropriate wireless connections.
3. How to protect wireless clients while they are connecting to the wireless network and once they are connected.

For this discussion we will assume that part #1 is already resolved.

Open authentication is really authentication with no security. If you deploy a wireless network with open authentication you cannot stop wireless clients connecting and you cannot protect valid wireless clients during their connection.

To explain the second part of the previous comment think for a moment that you are living in an apartment block and you install a wireless router with an SSID called "Wireless". You are happily web surfing away when the people in the next apartment, who have seen your SSID, also install a wireless router with the SSID "Wireless". If both wireless routers are configured for open authentication it is possible for your neighbour to connect to your wireless router and vice versa. If you and your neighbour change the security settings on the wireless routers to WPA2 Personal and utilise unique passphrases then you will not be able to connect to your neighbour's wireless router (as the passphrase used to create the key is unknown to you) and vice versa. So the WPA2 Personal passphrase (that is converted to a key by the wireless router) acts as a barrier to entry and protects your LAN as well as protecting people wanting to connect to it as they won't accidentally connect to your neighbour's wireless router.

The scenario above is all nice, but let's assume that your neighbour was nasty and wanted you to connect to his wireless router so he could steal your personal information. To do this all your neighbour has to do is install a wireless router with the same SSID as yours with open authentication. Your neighbour's wireless router has a high gain antenna so appears as a "stronger" signal source than your wireless router, so your laptop connects to it. As there is no passphrase (key) required for authentication, your laptop will connect to your neighbour's wireless router and your neighbour now has access to your data. This is called a man in the middle attack and is commonly used at Internet cafes, coffee shops, etc. where captive portals are utilised with open authentication. The cracker just deauthenticates an existing wireless client and the wireless client will automatically reassociate to the cracker's access point, as open authentication does not validate the identity of the wireless network. Therefore, open authentication wireless networks cannot protect wireless clients while they are connecting and once they are connected (unless 802.1X is implemented as well, but that is a discussion for another day), so it fails part #3.

As the wireless client can be compromised and the LAN will trust the wireless client, open authentication cannot protect the LAN, so it may also fail part #2. You will notice that I said "may also fail" rather than "also fails". This is because the open authentication WLAN may only provide Internet access, for example, and with the use of the layer seven firewall signatures and rate limiting the risk to the organisation is very limited. However, if the open authentication WLAN grants access to the organisation's financial records, for example, then the open authentication WLAN certainly fails part #2. It is all dependent on the risk to the organisation.

If you implement an open authentication WLAN with MAC address filtering it is like letting the fox into the hen house and then trying to catch it once it is inside. If there are no hens in the hen house then you don't have an issue. However, if the hen house is full of hens then you have a problem.
Richard Pilcher
Is there a practical / best practice / performance limit to the length of the list of blocked MACs? I did a simple scrub of my client session report, looking for hostnames that identified as iPod etc., and have come up with 170 devices I want to blacklist.

Cheers