UniFi MAC address filtering 2008 R2

Last Modified: 2017-03-24
I'm supporting a school that does not have an IT support staff and they want to use MAC address filtering to protect their network.  Currently they have 5 UniFi APs, a ZyXEL USG40 and a newly installed Windows 2008R2 server.

The UniFi AP controller does not support MAC filtering; this was verified by UniFi.
The ZyXEL USG40 supports MAC filtering if you use their access points... No help.

Is there a way to set up wireless MAC address filtering with the UniFi access points and the 2008R2 server?  I am going to move DHCP services to the server this weekend and use the ZyXEL USG40 as a router and a content filter (they have a subscription).

They want students and staff to register their BYOD devices with the librarian before they can have access to the network.  Basically they want a WiFi whitelist for their network.  I really want to make it as simple as possible.  WiFi whitelist...   I also thought about using RADIUS on the server but they want to use MAC address filtering.

Any help would be greatly appreciated!
Network Architect
CERTIFIED EXPERT
Top Expert 2014
Commented:
Berkson Wein, Tech Freelancer
CERTIFIED EXPERT
Commented:
Tom Cieslik, IT Engineer
CERTIFIED EXPERT
Distinguished Expert 2017

Commented:
Like the other Experts said before, it's not possible to do what you want to do, but...
You can try my idea:

You can create a group for students and set it up with unlimited download and upload bandwidth, and set the default group to a download and upload speed of 0.1Kbps.
All default connected devices will actually not be able to do anything with that speed.

The person who controls the connection will add a new device to the Students group and it will get unlimited bandwidth access; all others who break into this WiFi will get 0,Kbps so actually they will be stuck!!!

I know this is not what you're expecting to do, but it's something!!!

Author

Commented:
Craig, Weinberk & Tom...  Thank you for the quick responses.

I really like the idea of the "guest mode" voucher since the MAC address filtering can be easily spoofed.  Also, it seems like it would be easy to manage and I don't have to worry about wired clients.  The expiration date of the voucher is a big plus, perfect for visiting guests.

The elementary school wanted more control of their wireless clients than just a "password".  Teachers were giving out the wireless password to visiting students, parents and other guests.  We noticed a big bandwidth spike during after school activities...   the elementary, middle & high school buildings are all connected physically but have separate IT networks.  Middle and high school students would come over after school and ride the faster network.  The password spread like wildfire and so did the traffic usage (always around the same time).  These schools share common areas... indoor gym, courtyard, etc.

We don't want anyone from the high school to come over to the elementary school and perform mischievous activities on the elementary school network.

I am going to visit the school today, update the UniFi APs to the latest firmware and download the latest controller software to their server.  Will leave comments on the progress asap.  Looking forward to seeing what happens and distributing points.
Irwin W. There are a 1000 ways to skin the technology cat.
CERTIFIED EXPERT
Commented:
Berkson Wein, Tech Freelancer
CERTIFIED EXPERT

Commented:
I'd also look at segregating networks.   Put up different SSIDs on different VLANs.  Teachers get one, students and visitors another so there's a reduced risk of exposing systems to those who shouldn't have access to them.

I don't know how big the school is or what firewall/routing is in place, but if there's not a good firewall there now, consider something from Watchguard?
Natty Greg, In Theory (IT)
CERTIFIED EXPERT

Commented:
RADIUS + Active Directory + hotspot with TOS + filtering = security with logging, and blocking users for 15 minutes who violate TOS, and a permanent block after the 3rd attempt
some one, Network Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
RADIUS with AD won't control access to specific devices if you use PEAP.
Natty Greg, In Theory (IT)
CERTIFIED EXPERT

Commented:
I haven't heard a peep out of PEAP for a long time; people still use that? lol
some one, Network Architect
CERTIFIED EXPERT
Top Expert 2014

Commented:
Wow what??

It's the most used protocol on wifi networks in enterprise environments because it's easy to deploy.

Author

Commented:
First of all let me say "THANK YOU" to everyone who has participated in this thread.

Here is an update:

  • DHCP has been moved to the server and the ZyXEL USG 40 has been setup as a default gateway / router
  • All UniFi access points have been reset, the latest UniFi controller software is installed on the server, all UAPs have been adopted/upgraded/labeled
  • Currently everything is up and running, users state that the internet seems faster  : )
  • I can also remote into server now and provide offsite support

I am going to test out the voucher system tonight and if everything works out I can close the ticket and distribute points.  I have talked the school into using the UniFi hotspot/voucher system instead of the MAC address filtering.  There are so many options with the voucher system it just makes sense to go this route.

In the near future I am going to segment the network for better traffic utilization (vlan 10 = IP phone, vlan 20 = data,  vlan 30 = wireless, etc).

Thanks again for all of your wonderful comments and I will be in touch soon.

Author

Commented:
Got the voucher system working with the UniFi hotspot feature, works extremely well for our needs.  Thank you to all!

Author

Commented:
Great responses from all active participants.  Solution was implemented and works well.