
Block mac-address in SSID

enedinocastillo
Community Member

Hello! I need to block one device on my wireless LAN. I mean, I need this device not to connect to my SSID. Can I do this? Can I block the MAC address of this device? Thank you!

Accepted Solutions

BrechtSchamp
Level 11

Yes, go to the clients list (Network-Wide > Clients), find the device and click on it. Then scroll down and change the policy. Set the access to your SSID to blocked.

Mind you that there's a limit to the number of clients which you can block this way (3000).


If the client has not yet connected to the network, you can also do it beforehand from the clients list.


Sorry! I forgot to say thank you! Just today I tried this configuration in the office and it worked perfectly. Thank you!

Good to hear. Thanks for the thanks.

Works great until they start spoofing their MAC address

I am actually looking for any possible solution to this. Currently running into this exact problem; the solution is useless once they start spoofing the MAC address of the iPhone.

Yep, with the randomised MAC addresses that are used by virtually every OS now, this is hard to implement. You have to flip it on its head and ensure you are only permitting the devices you want to access your network, and block everything else.

Apple Devices use the following:

  • x2:xx:xx:xx:xx:xx
  • x6:xx:xx:xx:xx:xx
  • xA:xx:xx:xx:xx:xx
  • xE:xx:xx:xx:xx:xx

Any way to block these specifically?

DUDE, that's not specific to Apple devices. Those second characters A, E, 2 or 6 indicate an LAMAC, a locally administered MAC.

ANYONE can use those: Windows, Apples, Androids, Linux. Wired or wireless makes no difference.
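
Added example, not part of any post in this thread: a Python sketch showing that the x2/x6/xA/xE pattern listed above is just the locally administered (U/L) bit set with the multicast (I/G) bit clear in the first octet, and using that to audit a client list for addresses a per-MAC block cannot be relied on to match. The function names and the sample clients are constructed for illustration.

```python
import re

def parse_mac(text):
    """Return the six octets of a MAC given as aa:bb:.., aa-bb-.., aabb.ccdd.eeff or bare hex."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify(text):
    """Read the two flag bits in the first octet (IEEE 802 addressing)."""
    first = parse_mac(text)[0]
    return {"multicast": bool(first & 0x01),             # I/G bit
            "locally_administered": bool(first & 0x02)}  # U/L bit

def is_local_unicast(text):
    """True for the x2/x6/xA/xE pattern: U/L bit set, I/G bit clear."""
    flags = classify(text)
    return flags["locally_administered"] and not flags["multicast"]

def local_unicast_nibbles():
    """Derive which second hex characters that bit pattern produces."""
    return [f"{n:X}" for n in range(16) if n & 0x02 and not n & 0x01]

def audit_clients(clients):
    """Split (name, mac) pairs into universally vs. locally administered addresses."""
    report = {"universal": [], "locally_administered": []}
    for name, mac in clients:
        key = "locally_administered" if is_local_unicast(mac) else "universal"
        report[key].append(name)
    return report

# Constructed sample client list (hypothetical names and addresses).
SAMPLE_CLIENTS = [
    ("printer", "F4:5C:89:12:34:56"),
    ("phone-a", "da:a1:19:00:00:01"),
    ("laptop-b", "3A-0F-22-9C-10-77"),
    ("tablet-c", "aabb.ccdd.eeff"),
]

if __name__ == "__main__":
    print(local_unicast_nibbles())
    print(audit_clients(SAMPLE_CLIENTS))
```

The check says nothing about vendor or operating system, which is why it cannot single out Apple devices.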

Thanks for the 2 cents. That doesn’t actually provide a useful solution, however.

Your solution is RADIUS EAP-TLS, or RADIUS anything would be a good start. You will need group policies via Intune to stop Windows clients from using LMACS; not sure if JAMF allows for this or not for your Macs. Also, you will want some sort of MDM solution for mobile devices; anything else will be highly manual and inherently insecure. If it's your guest network, lock it down with an appropriate solution.

Whatever MAC filter you set can be bypassed by anyone with access to Google and a few keystrokes...

If your issue is you are running low on IP space because of LMACS, increase DHCP pool size and decrease lease time. That is at least 2000 cents' worth. By my count you now owe me $20.02.

Hi Bruce/all,

Just seen this post. This is exactly what I am trying, but the reverse of this post.

Please could I have some guidance.

Looking to have an SSID that is open but blocked by default, and I allow specific MAC addresses through. I see the client, add them to a policy group. But where do I add the default block? Firewall settings? Client add bypasses the firewall rules, which means they can get onto my local network?

Any help appreciated

Jas

I believe the proper way to do this would be to put a splash page login on the SSID, and give your allowed clients a policy that allows them to bypass the splash page.

Can we do this by using the API?

Is that block limit of 3000 per network, per organization, or something else?
