Security Flaw – MAC address filtering

If you’re currently using MAC address filtering just remove a device, and watch it able to join the network again. I do have a case open with Apple about this

This sounds as if you may not have changed the default connection rule in Timed Access from Unlimited Access to No Access.

When you change the default to No Access, the only way that a device can connect to the wireless network is if has a rule specifying that it can connect based on its MAC Address or AirPort ID. The actual times that the device can connect are optional according the schedule that you set up for each device.

If you did not first set up a default rule of No Access for the wireless network, then any wireless device that has the password for the network can join the network.

IF....the default rule in Timed Access is set to Unlimited, then you can remove the "rule" for a device.....and it can still connect to the network at any time.....since it still has the password to connect....and the default for the network is unlimited access.

If you are saying that you did change the default rule in Timed Access to No Access.....and then you removed the connection rule for a client.....and that client was then able to connect to the network......I cannot duplicate that event.

John0001 wrote:

In a nutshell, enabling “time access control,” which is MAC address filtering with the option to set time limits, or removing devices enabled in timed access control does NOT take effect until you forcibly reboot all AirPort devices using the AirPort Utility (unplugging does not work) AirPort Utility > Base Station > Restart.

Yes. This is normal. You have to reboot the Airport in order to allow it to write the changes to its flash memory. Unplugging does not work because it retains all its settings while unplugged - you'd be very unhappy with it if it didn't since a mains drop-out would result in anything up to half an hour's work setting up everything from scratch. When you add or remove a Mac Access restriction you should get an automatic reboot anyway, preceded by a warning that the device will be unavailable for a time.

Yes, i do have the default rule set to no access.

However, I forgot one critical detail where I believe the bug exists.

I use a different SSID for the 2.4 and 5Ghz channels. edit > Wireless > Wireless Options > 5Ghz network name. I do this so only 802.11ac devices are using the 5Ghz channel, and everything else on the 2.4.

When removing a device from timed access control, it will be unable to join the 5Ghz channel, so that's working as intended. However, that device is able to join the 2.4Ghz channel even though it has been removed from timed access control. A software reboot corrects the issue

Thanks for the additional information. I do not use separate 2.4 GHz and 5 GHz network names, but I'll try to set up a test soon to check things out.

The vast majority of users do not set the default rule to No Access, they just set up a device or two like Junior's iPad to keep it off the network at 2 AM.

John0001 wrote:

Apply settings and update configuration, the system will blink amber and be inaccessible for a short period (I think that was what you were getting at)

Yes, that is a reboot and was what I would expect. However you are correct in saying that even if the two bands have different SSIDs the access is to the router, not the specific bands, so removing access should remove it from both.