5

Can somebody explain to me how a wireless AP denies access to the network if the client does not have the correct MAC address?

Does it not send a probe response when a client has not got a correct MAC? Or, when the client tries to authenticate, does it get denied?

Please can you include reading sources as well, if you know of any.

Rory Alsop
Mintuz

1 Answer

4

It is really that simple: if the AP has a MAC filter, any device which attempts to authenticate that doesn't have a MAC address on the list will just be denied.

However, the problem from a security perspective (which is why this should not be used as a security function) is that it is trivial to spoof a valid MAC address (by sniffing them wirelessly and waiting until the valid user has gone - this is a common technique for avoiding usage costs in airports).

Update to show where MAC address denial happens:

Client --------------Probe-------------> AP

AP -------Probe Response----------> Client

Client ---802.11 Auth Request-----> AP

MAC authentication happens in here. If the client MAC is not on the list the following responses will not get sent:

AP ------802.11 Auth Response---> Client

Client --802.11 Assoc Request----> AP

AP -----802.11 Assoc Response---> Client

Which is then followed by EAP etc.

Rory Alsop
  • Hi... all this time I thought an AP was just a device, an intermediate for clients to connect wirelessly to Ethernet, and that MAC filtering is actually done on the router. I know that a router can be accessed through a browser by pointing to its URL, but how can the AP be accessed? How can MAC filters be set on an AP? If my understanding is correct, can MAC filters be set on both routers and APs? – Abhinav May 03 '17 at 00:46
  • An access point is just a router, @Abhinav. It has an IP address on each interface. It should be treated just like any other router – Rory Alsop May 03 '17 at 06:44
  • I am sorry if this sounds a bit naive; I am still confused. You mean like home routers, where the AP is contained within it? What about an AP that comes as a separate device? So in those cases will it be proper to say that MAC filtering is done on routers? – Abhinav May 03 '17 at 07:06
  • An access point is a router. It is that simple. – Rory Alsop May 03 '17 at 07:08
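
The exchange described in the answer above, modeled as an added example (not part of the original post and not any AP vendor's code). The class, function and frame names are hypothetical, the MAC addresses are constructed, and the silent drop on a failed filter check follows the answer's description. Note that the filter sees only the source address carried in the frame, which is why the answer says not to rely on it as a security control.

```python
import re

def normalize_mac(mac):
    """Canonical form: 12 lowercase hex digits, separators removed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class AccessPoint:
    """Toy AP with a MAC filter; state names are illustrative."""

    def __init__(self, allowed_macs):
        self.allowed = {normalize_mac(m) for m in allowed_macs}
        self.state = {}  # station MAC -> "authenticated" | "associated"

    def handle(self, frame_type, src_mac):
        """Return the response frame name, or None when nothing is sent."""
        mac = normalize_mac(src_mac)
        if frame_type == "probe":
            return "probe_response"        # sent before any filtering
        if frame_type == "auth_request":
            if mac not in self.allowed:    # the MAC filter decision point
                return None
            self.state[mac] = "authenticated"
            return "auth_response"
        if frame_type == "assoc_request":
            if self.state.get(mac) is None:
                return None                # never got past authentication
            self.state[mac] = "associated"
            return "assoc_response"
        raise ValueError(f"unknown frame type: {frame_type}")

def run_handshake(ap, src_mac):
    """Send the three client frames in order; stop at the first silence."""
    responses = []
    for frame in ("probe", "auth_request", "assoc_request"):
        reply = ap.handle(frame, src_mac)
        if reply is None:
            break
        responses.append(reply)
    return responses

# Constructed sample addresses (locally administered range), not real devices.
ap = AccessPoint(["02:00:00:AA:BB:01"])
print(run_handshake(ap, "02-00-00-aa-bb-01"))  # listed station
print(run_handshake(ap, "02:00:00:aa:bb:99"))  # unlisted station
```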