
MAC Filtering for SSID Access

What?!?!? MAC filtering? Can you be serious? Why would anyone use MAC filtering in this day and age, when it has been shown not to be a real security measure? Someone can sniff the wireless and get the MAC addresses of clients that are connecting in the clear, then change the wireless NIC's MAC to match, and, voila, they're on. Well, it takes a little bit of knowledge and the right tools/devices to do it, but you get the point. I used to call MAC filtering the 3 foot picket fence around the yard: it doesn't keep much out, but it looks nice. Of course, painting it every couple of years, replacing broken boards, and the like means it takes a lot of maintenance. MAC filtering takes a lot of care and feeding as well: how often are new devices added and old ones removed, especially now in the age of BYOD?

So why use MAC filtering? I am seeing more and more situations where a customer will call up and say that their users can't connect to the wireless. After some investigation, we see that the DHCP scope for the subnet to which they are connecting has been completely used up. Many user devices (cell phones, tablets, etc.) will automatically look for SSIDs to join; it is part of the "let's make connecting easier for the end user" mantra. So, let's say that there is an open, broadcast SSID, think guest access. When such a device connects, it requests an IP address. It doesn't matter that the end user may not even be trying to get on the network; the device will still use up an address. Now, picture hundreds or thousands of devices within range doing the same thing. Bingo! The DHCP scope is exhausted.

If MAC filtering were in place, then inadvertent connections would not be able to obtain an IP address. In this case, I'm not using MAC filtering for security (unless you are counting DHCP scope depletion as a type of DoS attack). Rather, it is being used to ensure that legitimate users can get an IP address.

Are there other ways of doing the same thing? Certainly. Using larger DHCP scopes (perhaps a /23 or /22) is one. Not broadcasting the SSID can help, though I generally recommend broadcasting to better support some clients that can have connectivity issues without it. Cisco ISE (Identity Services Engine) and other vendor solutions that look at the type of end device and move it to another VLAN/subnet can be used as well, though those tend to be quite a bit more expensive. I'm sure there are others as well. It's just that I'm not looking at MAC filtering with quite the same disdain that I have in the past.
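To make the scope-exhaustion scenario concrete, here is a small simulation I have added to this post; it is not code from the original post or from any vendor product. It models a DHCP scope as a pool of usable host addresses with no lease expiry, an optional MAC allowlist standing in for the SSID's MAC filter, and a crowd of passing devices that auto-join the open SSID and request a lease before the legitimate users arrive. The MAC addresses and subnets are constructed for the example (the bystander MACs use a locally administered prefix so they cannot collide with the staff list). It also compares the /24 scope against the /23 and /22 alternatives mentioned above, so the two mitigations, filtering and a larger scope, can be seen side by side.

```python
import ipaddress


def usable_hosts(cidr: str) -> int:
    """Number of assignable host addresses in a scope (network and broadcast excluded)."""
    return sum(1 for _ in ipaddress.ip_network(cidr).hosts())


class DhcpScope:
    """Minimal DHCP pool: first-come, first-served, no lease expiry, optional MAC allowlist."""

    def __init__(self, cidr: str, allowlist=None):
        self.free = [str(h) for h in ipaddress.ip_network(cidr).hosts()]
        self.leases = {}  # mac -> ip
        # allowlist=None means "no MAC filtering on this SSID"
        self.allowlist = {m.lower() for m in allowlist} if allowlist is not None else None
        self.denied_by_filter = 0
        self.denied_exhausted = 0

    def request(self, mac: str):
        """Return the leased IP for this client, or None if it was refused."""
        mac = mac.lower()
        if self.allowlist is not None and mac not in self.allowlist:
            # The MAC filter stops the client from associating, so it never sends DHCPDISCOVER.
            self.denied_by_filter += 1
            return None
        if mac in self.leases:
            return self.leases[mac]  # renewing client keeps its address
        if not self.free:
            self.denied_exhausted += 1  # scope exhausted: server has nothing to offer
            return None
        ip = self.free.pop(0)
        self.leases[mac] = ip
        return ip


def bystander_mac(i: int) -> str:
    """Deterministic, locally administered MAC for the i-th passing device (constructed)."""
    return f"02:00:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"


# Constructed list of the devices that are actually supposed to use this SSID.
STAFF_MACS = [f"00:11:22:33:44:{i:02x}" for i in range(10)]


def simulate(cidr: str, legit_macs, bystander_count: int, use_filter: bool) -> dict:
    """Bystanders auto-join first, then the legitimate users try; report who got an address."""
    scope = DhcpScope(cidr, allowlist=legit_macs if use_filter else None)
    for i in range(bystander_count):
        scope.request(bystander_mac(i))
    legit_served = sum(1 for m in legit_macs if scope.request(m) is not None)
    return {
        "scope": cidr,
        "scope_size": usable_hosts(cidr),
        "mac_filter": use_filter,
        "bystander_leases": len(scope.leases) - legit_served,
        "legit_served": legit_served,
        "legit_total": len(legit_macs),
        "denied_exhausted": scope.denied_exhausted,
        "denied_by_filter": scope.denied_by_filter,
    }


if __name__ == "__main__":
    # 600 phones within range of a guest SSID, 10 staff devices that need to work.
    for cidr, use_filter in [("192.0.2.0/24", False), ("192.0.2.0/24", True),
                             ("10.0.0.0/23", False), ("10.0.0.0/22", False)]:
        print(simulate(cidr, STAFF_MACS, 600, use_filter))
```

With a /24 and no filter, the 600 bystanders take all 254 addresses and none of the 10 staff devices get a lease; with the allowlist, the bystanders never associate and all 10 are served. A /23 (510 hosts) still falls over under 600 bystanders, while a /22 (1022 hosts) absorbs them, which is exactly the trade-off between the filter and the bigger scope: the larger scope only helps as long as the crowd stays smaller than the pool.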
