Enable MAC filtering (AirPort Extreme - 5th Gen)

If you are using AirPort Utility 6.0 some of the options are either not available or they are not obvious. MAC address filtering is missing in AU 6.0.

To enable it download a different version of AirPort Utility:

Lion: AirPort Utility 5.6.

Leopard, Snow Leopard: AirPort Utility 5.5.3.

I think you will find MAC address filtering easily enough with AU 5.6.

AU 5.6 was released concurrently with AU 6.0.

It is not an earlier version. As I wrote,

AU 5.6 was released concurrently with AU 6.0.

No problem. At present AU 6.0's functions are a subset of 5.6. It's not very useful for my purposes.

The security settings are the same for both bands. You will find it in Airport Utility on the AirPort pane > Wireless tab.

Hi MJMP1,

the latest AirPort Utility for Extreme, 6.1 (610.31), under the Network Tab, -> Enable Access Control -> Timed Access Control, Click + to add Mac Address filtering. Hope this helps.

Cheers!

do we type in the ip address... in my case... of the Imac-my main computer. Then I presume it is secure with MAC filtering so others could not gain entry. I ask because occasionally, when I got to do a reboot or shutdown, say for sysyem install update, I am asked do you want to shut off... there are 5 users connected. There should not be. Howver, my Imac is ethernet connected tomy Airport extreme.

Thanks.

Message was edited by: Moncrief

This isn't MAC Address Filtering, at all. Timed Access Control, simply limits the times clients can connect.

MAC Address Filtering allows you to block all MAC Addresses from connecting, all the time, except for the MAC Addresses you add to the approval list.

MAC Address Filtering is one of the easiest to use and most effective security tools. Even without knowing anything about WEP or WPA, MAC Address Filtering, blocks the connection of any machine, whose MAC Address is not on the list. If Apple has removed the ability to configure MAC Address Filtering, they have crushed the value of Apple's ENTIRE networking line.

FYI: I feel the same way about WEP. Many issues still exist with WPA/WPA2 WIFi security, sometimes preventing devices from connecting, even though they may support WPA/WPA2. In these cases WEP is a much better option. I know WEP isn't the best of the industry standards for wireless security, however, using WEP and MAC Address Filtering, is way STRONGER than any WPA/WPA2 configuration, not using MAC Address Filtering.

using WEP and MAC Address Filtering, is way STRONGER than any WPA/WPA2 configuration, not using MAC Address Filtering.

This is not true.

WEP is easily cracked with any number of free utilities available on the Internet and any beginning hacker knows how to clone a MAC Address. If he wants on your network, it will not take him long.

MAC filtering: This is like handing a security guard a pad of paper with a list of names. Then when someone comes up to the door and wants entry, the security guard looks at the person's name tag and compares it to his list of names and determines whether to open the door or not.

Do you see a problem here? All someone needs to do is watch an authorized person go in and forge a name tag with that person's name. The comparison to a wireless LAN here is that the name tag is the MAC address. The MAC address is just a 12 digit long HEX number that can be viewed in clear text with a sniffer. A sniffer to a hacker is like a hammer to a carpenter except the sniffer is free.

Once the MAC address is seen in the clear, it takes about 10 seconds to cut-paste a legitimate MAC address in to the wireless Ethernet adapter settings and the whole scheme is defeated. MAC filtering is absolutely worthless since it is one of the easiest schemes to attack.

The shocking thing is that so many large organizations still waste the time to implement these things. The bottom line is, MAC filtering takes the most effort to manage with zero ROI (return on investment) in terms of security gain.

http://www.zdnet.com/blog/ou/the-six-dumbest-ways-to-secure-a-wireless-lan/43

ZDNET can be a good place for information, but I think the person that wrote this artical is... well... overlooking a few things, to say the least.

First of all, when it comes to networks and the internet, "SECURITY" is a falicy, a figment of the imagination! I'm very aware of the first lesson in Network Security 101 is: A Single Method to Ensure a 100% Secure Network, Does Not Exist! If a malicious intruder wants in, they can find a way... just ask all those hacked by Anon over the last year.

Personally, I choose not to broadcast my SSID (Service Set Identifier or the publicly visible wireless network name). This doesn't do much against hacking either, that is, if the hacker knows what the name of my wireless network is and when my wireless network is in range. But, then again, that is just Step 1 in my security profile. Then, normally, I'd have MAC Address Filtering turned on. So, assuming a "beginning" hacker, knew enough to look for my hidden wireless network and knew where to look, then they'd have to know which MAC Address belonged to me and my network, before they'd even know where to start. Then, assuming the "beginning" hacker figured all that out, they'd have to beat my WPA2 security, which I change regularly. After all this, they could find out, I'm using a RADIUS server, enforcing other requirements as well.

Most people, buying Apple equipment, aren't trying to get that complicated, otherwise, Apple's user interface development would simply be a huge waste of time.

People are looking for simple and efficient - lets face it, they want EASY. So, while I wouldn't recommend a major company, using only MAC Address Filtering and WEP for their WiFi security, it is plenty good for most residential scenarios.

Now, add in all the problems, other "residential" equipment has, connecting to WPA-secured networks, MAC Address Filtering and WEP is better than nothing, which is what generally happens when some poor sap can't get their kid's WII to connect to their wireless network.

I never was able to get my WII to work correctly over a WPA secured wireless connection. I have a 50x25 connection, and it acted like it was on dial-up, all the time. The area I live, has a lot of wireless networks around, but none of them are close enough, or strong enough to be a major cause of interferance. Yet, when I bring up a WEP secured AP, on Channel 1, the WII's connection is lightning fast. So, I keep a non-Apple, WEP-enabled, AP, on a separate subnet, just so my WII has stable internet access.

Finally, back to the ZDNET article...

Sure, if any one of those six security measures were used, by themselves, the wireless network wouldn't be very secure. However, each of the listed security measures could still be considered viable, if they are part of a larger, network security P&P.

So, Mr. Timmons, I did mis-speak (mis-type) when I said: "using WEP and MAC Address Filtering, is way STRONGER than any WPA/WPA2 configuration, not using MAC Address Filtering." What I meant to convey is: "using WEP and MAC Address Filtering, is way STRONGER than no WPA/WPA2 configuration and no MAC Address Filtering." Is that an acceptible 'retraction' and re-statement?

Personally, I choose not to broadcast my SSID (Service Set Identifier or the publicly visible wireless network name).

Your decision on that. I assume that you are aware that there are free and low priced utilities readily available on the Internet will reveal the name of your network in seconds. The reason for this is that the SSID is always being broadcasted as long as your wireless router is on.

"Hiding" the name of your network will probably keep casual users and honest neighbors from seeing your network name, but I don't think they are the guys that you need to worry about. The guys in the van have all the tools they need to get on your network if they really want to.

I did mis-speak (mis-type) when I said: "using WEP and MAC Address Filtering, is way STRONGER than any WPA/WPA2 configuration, not using MAC Address Filtering."

Thanks for taking the time to clarify on that.

What I meant to convey is: "using WEP and MAC Address Filtering, is way STRONGER than no WPA/WPA2 configuration and no MAC Address Filtering."

I would agree.

Yes, this is MAC address filtering. The default entry is No Access, All of the Time. This means that, unless the device's MAC address is entered as a separate entry, the router will deny access all of the time to all wireless devices.

The default entry is No Access, All of the Time.

This is not correct. The default setting is Unlimited Access.

If the "default" setting on the router is now set to No Access, the setting has been edited by someone and the change has been saved.

After a Factory Default Reset, any AirPort router will look like this: