How do you setup MAC address filtering on a specific SSID

  • 1
  • Question
  • Updated 1 year ago
  • Answered
Hello - we have a bunch of wireless barcode scanners / printers and some support WPA/WPA2 and some only support WEP.

for a specific SSID i'd like to also use MAC address filtering as another layer of security

Does anyone know how to do this with Aerohive AP's?

Photo of Nathan


  • 1 Post
  • 0 Reply Likes

Posted 5 years ago

  • 1
Photo of Crowdie

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
A couple of points here:

  • MAC address filtering is not a security feature. It is not part of any IEEE ratified security standard and was created by wireless vendors.
  • Any person with a wireless sniffer will be able to detect the scanner's MAC address when it transmits and spoof it.
  • WEP is completely cracked so provides almost no protection to your wireless network - although it is better then open (no encyption) authentication.

When you combine the points above you can see that the WEP only scanners are a risk to your network. You need to think if, and when, the WEP/MAC filtering is cracked how vulnerable is the organisation? Would the cracker's access be limited to a warehouse server, for example, or could they gain access to the entire LAN? If the cracker could obtain access to the entire LAN you may want to consider purchasing new wireless scanners to replace the WEP only ones.

To configure MAC filtering on a specific SSID:

  • Configuration -> SSIDs -> [SSID Name]
  • Optional Settings -> MAC Address Filters -> Available MAC Filters -> New
  • In the MAC Filters>New window click on the "New" button next to the "MAC Address/OUI" list
  • Add the MAC Address\MAC Address Range
  • In the MAC Filters>New window select the newly created MAC Address\MAC Address Range and select "Permit" as the Action
  • Save the new MAC Filter
  • On the screen ensure the newly created MAC Filter is in the "Selected MAC Filters" area rather than the "Available MAC Filters" area
  • Ensure the default action (under the "Available MAC Filters" area) is "Deny"
  • Save the change to the SSID profile
  • Update the affected access points

Hope that helps.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
What Crowdie said! It is probably professionally negligent to have such scanners in use today and they simply have to be replaced if they cannot be firmware upgraded.
Photo of Don M

Don M

  • 1 Post
  • 0 Reply Likes
So, the MAC Filter is "Permit" and then the "Selected MAC Filter" is "Deny"?  what would happen if they were both DENY.  Would the Deny of a Deny be a Permit?  Or like 2 wrongs don't make a right?