MAC filtering

Jouni Malinen j at w1.fi
Fri Dec 11 07:14:05 PST 2015


On Fri, Dec 11, 2015 at 02:47:56PM +0100, Nemo Never wrote:
> I'd like to enable MAC address filtering in my WPA-protected hostapd
> and I have a few questions:

What are you trying to achieve with MAC address filtering? It does not
really add any security and the real use cases for it are very limited.

> 1) Is the MAC address checked only once upon authentication, or for
> every frame received by hostapd? I really hope it's the former.

Filtering is done only during the authentication/association attempt. If
the station is not allowed to connect, there won't be an association, so
there is no need to check any other frames.

> 2) What is the max number of MAC addresses that can be included in the
> whitelist (accept_mac_file=...) ?

As far as hostapd is concerned, there is no limit on that apart from
available memory and the time it takes to check the list. That said, if
the driver you are using depends on offloading MAC ACL check into the
driver/firmware implementation, there may be constraints on how many
entries it supports.

-- 
Jouni Malinen                                            PGP id EFC895FA
