Topic: MAC Filtering FAIL

[MacGyver]

I started to put this in the Tech Forum since I'm really just venting, but then I thought it might save someone else someday.  We were configuring a load of new ThinkPads and had some issues with a wireless card.  I think most of us have been to that place where this wireless access point connects with every other computer just fine, and this computer connects to every other access point just fine, but the two won't play well together.  Well I really thought that is what I had here; but then it got wierd.

So get this, the WAP is using MAC Filtering, so I open the MAC Filter and let the WAP capture the MAC so I know that what's printed on the card is really the MAC.  I verify time after time, and it's correct.  I open the filter, it connects.  I enable the filter, and no joy.  Then on a fluke I start sniffing packets and watching how long it's taking before it gives up.  This WAP, a Cisco E4200 as 32 MAC Filter slots.  This computer was going into slot 29.  On a hunch I move it to slot 1, and slot 1 to slot 29.  Yep, you guessed it.  I played with it a little more and apparently the processor is too slow to process all 32 slots before the device trying to connect times out.  Nothing on this WAP past 28 is usable.

 

[silversam]

Trace -

I originally set up Mac filtering on my home router (based on the idea that it was more secure then wpa2 [not sure if that's right or not..])

Anyway, it worked flawlessly till Hurricane Sandy when my house looked like a college fraternity. At some point my (newer) guests wifi did not work. I discovered there was a magic cut off point (I no longer remember what it was. 12? 15? 20?) Anyway, any number beyond that would not work. Undocumented anywhere.

I switched to WPA2. All was well.

Sam

[MacGyver]

I discovered there was a magic cut off point (I no longer remember what it was. 12? 15? 20?) Anyway, any number beyond that would not work. Undocumented anywhere.

Thanks Sam.  At least now I know it has happened to someone else because you're right.  There seems to be a complete lack of documentation.  We use MAC Filtering at every location, even if WPA is enabled as well.  That way we control what's on the network.  I do it at the house also, and that way once someone leaves, I take their MAC out of the table.  It also keeps kids from sharing the password. 

Do you remember what brand access point you were using?

[tonyburkhart]

Yes, you are not crazy! I have had MAC blacklist table issue before. Two things on that:

1. For security purposes, MAC filtering is not (by its self) any measure of security. You can spoof a MAC address in under a minute. It is only security through obfuscation.

2. Trace... you said it - Cisco. LOL. Anytime I can crack on Crisco, I have to, sorry :)

We use the open-mesh units and get them at volume discount. We have never had any problems with MAC blacklist/whitelist tables on them. For what its worth.

[MacGyver]

Thanks for the input Tony.  True, spoofing a MAC is easy, but they need to sniff a MAC that's in the table first. ;)

Thanks for the endorsement on the Open Mesh units.  I'll put one out on our next opportunity and start playing with it.

[tonyburkhart]

Trace, we have plenty of back up units, if you want me to ship you one for eval.

[MacGyver]

Thanks Tony.  That's a very generous offer and I truly appreciate it, but I'm going to order one in on a client account for R&D purposes.  Do you have a favorite model you like for range, speed, and reliability?

[silversam]

Trace, it wasn't an AP, just the standard Fios router. (My house isn't that big that I need an AP  )


Sam

[MacGyver]

Trace, it wasn't an AP, just the standard Fios router. (My house isn't that big that I need an AP  )

 

My bad, Sam.  I tend to use the term AP for any device being used to wirelessly attach, even if it's the router or modem.  Where you live my guess is smaller is smarter.  Dirt isn't cheap up there. 

[silversam]

Trace, it wasn't an AP, just the standard Fios router. (My house isn't that big that I need an AP  )

 

 Dirt isn't cheap up there. 

I had to buy dirt for the wife's garden! And then drag it home! (What was wrong with the dirt we already had, I have no idea.... )

On a positive note, I feel that the tomatoes she's grown haven't cost us more than $3 or $4 each 

Seriously though we had a bumper crop of jalapeños and I pickled a batch of them (with some carrots) and they've been excellent!

Sam

[MacGyver]

I get it, Sam.  It's like going hunting or fishing.  You can't harvest it for what you can go buy it for at the store.   

We harvested some great okra and jalapenos for pickling though, so I understand your plight.

[Kumba]

I hate Cisco, or at least anything that is part of their SOHO line. The bigger stuff just annoys the hell out of me but tends to work once you figure out what weird quirk that firmware and combination of modules has.

Last time I tried to do anything with Cisco it pissed me off so bad that I just replaced with with a Linux machine and some Ubiquiti Access Points.