R510: Import MAC address list and limitations

  • Question
  • Updated 1 week ago
I'm setting up a new R510. I have 126 MAC addresses in the allow list on my old hardware. I can't see how to import that list on the R510. Please tell me I am not going to have to do this one at a time?!

Also, I think I read in passing there is a limit of 128 MAC addresses per allow / deny rule? Given I am starting at 126 and adding new devices regularly, that doesn't bode well for me if correct. Can I create more than one allow list and have it applied against the same wlan? 
Matt

Posted 2 weeks ago
Darrel Rhodes, Employee

Hi Matt,

Can I ask why you are whitelisting MAC addresses?

As a security method, white/black listing MAC addresses is not considered by the Wi-Fi industry as either a secure or scalable solution and as you are finding is very admin-heavy.

Have you considered any alternative solutions such as 802.1X RADIUS based network access control?

Regarding your new R510, what version of firmware is it running?

Regards,
Darrel.


Matt

Hi

Thanks for the reply.

I'm simply trying to transpose a setup from an old ZoneDirector 1000. It is set up to use MAC address as a white list for devices given access to the internal network.

I don't really know how to deploy an alternative at this time. I have an AD and two Server 2008 DCs to leverage, but no clever switch configuration or dedicated auth server (other than the DCs).

Firmware is 200.6.10.1.312

Thanks
Matt


Matt

I see under Services AAA there is a choice to use Active Directory...

As I run AD perhaps that would be an easy win? I'd lose sight of the devices coming and going (our BYOD is somewhat of a free for all), but I'd be able to drop the MAC address maintenance, lose the list size limitation and get on with my life...

Thoughts?

To others in the same / similar boat: I've had a response from Ruckus confirming the MAC address list limit is 128 and that you can only have one L2/MAC rule per WLAN. The workaround would be to split devices out across multiple WLANs, but that's clearly not ideal; otherwise, as per Darrel's post, use a different auth method such as RADIUS.

I'm waiting to hear whether there is a CLI method of importing the MAC addresses given the GUI is not offering an import option.
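Before the list goes anywhere near the controller, it is worth normalizing and sanity-checking it against the limits Matt quotes (128 entries per L2/MAC rule, one rule per WLAN). This is an added Python example, not from the thread or from Ruckus; it assumes a plain-text export with one MAC per line in any common notation, and splits the cleaned list into 128-entry chunks, one per WLAN if the split-WLAN workaround is used.

```python
import re

# Limits stated in the thread: 128 MAC entries per L2/MAC rule, one rule per WLAN.
MAX_ENTRIES_PER_RULE = 128

# Accept the common export formats: aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
# aabb.ccdd.eeff (Cisco style) and bare aabbccddeeff.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw):
    """Return the MAC in lower-case colon form, or None if it is not a valid MAC."""
    digits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def prepare_allow_list(lines, limit=MAX_ENTRIES_PER_RULE):
    """Normalize and dedupe an export; return (chunks per rule, invalid lines, duplicates)."""
    seen = {}                      # insertion-ordered, so the export order is preserved
    invalid, duplicates = [], []
    for line in lines:
        line = line.split("#", 1)[0].strip()   # allow trailing '#' comments
        if not line:
            continue
        mac = normalize_mac(line)
        if mac is None:
            invalid.append(line)
        elif mac in seen:
            duplicates.append(mac)
        else:
            seen[mac] = True
    macs = list(seen)
    # One chunk per L2/MAC rule; more than one chunk means the list exceeds a single rule.
    chunks = [macs[i:i + limit] for i in range(0, len(macs), limit)]
    return chunks, invalid, duplicates

# Constructed sample export (not from the thread): mixed notations, one duplicate, one typo.
SAMPLE_EXPORT = """
00:11:22:33:44:55
00-11-22-33-44-56   # laptop
0011.2233.4457
001122334455        # same device as the first entry
00:11:22:33:44:5G   # typo: G is not a hex digit
""".splitlines()

if __name__ == "__main__":
    chunks, bad, dups = prepare_allow_list(SAMPLE_EXPORT)
    print(f"{sum(map(len, chunks))} unique MACs in {len(chunks)} rule(s); "
          f"invalid={bad}; duplicates={dups}")
```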
Darrel Rhodes, Employee

Hi Matt,

Apologies, I'd not had a chance to reply to your earlier email.

However, you took the words out of my mouth! I was going to advise using 802.1X authentication with your AD server (.1X needs NPS and is much easier to set up than LDAP with AD).

It appears that you are using Unleashed firmware - this supports NPS 802.1X integration. 

I'd recommend downloading the Admin guide for Unleashed here: https://support.ruckuswireless.com/documents/2288-ruckus-unleashed-200-6-ga-refresh-user-guide

Thanks,
Darrel.
Matt

Thanks for the admin guide link. I couldn't see for looking when I went searching for that earlier!

OK, so I have created an AAA entry for AD and pointed it to one of my DCs. I've then modified the relevant places to use it and enabled Zero-IT on my internal WLAN.

First test seems OK. Browsed to the activation URL on my Android mobile, got challenged for creds, downloaded a small app/installer, ran said app, clicked on the WLAN name and bosh! It has connected.

Obviously I have to do some more testing before roll out, and we also have Apple devices and Windows PCs. Hopefully the activation process works across the board and isn't a resource problem on the installed devices, or an issue with some kind of injection into the device Wi-Fi stack causing connectivity issues elsewhere.

I just need to sort out enabling a decent TLS level on the old DC OS version, then I think I'm good to go...?

Am I getting ahead of myself? I'd love to get a win this month! :)


Darrel Rhodes, Employee

Hi Matt,

Sounds like you nailed it!  Excellent work sir!

Here's a link to all our Unleashed documentation:  https://support.ruckuswireless.com/products/82-unleashed#documents

Thanks,
Darrel.

Matt

Hmmm

I don't think I have actually achieved the desired result.

I've made it easier for users to connect, which is great, but I've lost the device access control.

If a rogue device discovers the WLAN key it can connect. Previously that would not have been possible (MAC address spoofing aside), because I was using the L2/MAC allow list...


Darrel Rhodes, Employee

Hi Matt,

You should be able to use your NPS server to manage access of specified MAC addresses/ranges:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd...

Darrel.
Matt

Thanks Darrel

I'm not sure what to think about that...

I don't want to inadvertently upset the office desktop connectivity by bringing in MAC auth, and am unsure whether or not I'd have to buy device CALs for each of the MAC user accounts, etc.

Perhaps the easiest way for me to protect against a rogue device outside of the domain connecting is to beef up the PSK and change the DoS temp client block to e.g. 600 seconds.

That would at least make it less likely an attacker would bother with techniques like password grinding. It wouldn't help if an attacker were sniffing traffic but they'd have to be determined and extremely lucky to pick up someone connecting by entering the PSK rather than via the ZeroIT method.

I'm looking at getting TLS working on my old DCs today and will also look at sorting out a cert so I'm admin connecting over HTTPS.

Thoughts...?

Thanks!

Matt
arso martiner

https://docs.ruckuswireless.com/unleashed/200.1.9.12/t-CreateNewL2ACL.html Here's a very useful tutorial that I've used back then when I wanted to import MAC address lists, hope it's gonna help.
Regards