Access control on Device basis (MAC)

gatorback

Regular Contributor
Most access control is performed through username / password, but I have several devices that do not support this model. That being said, I would like to whitelist a small group of MAC IDs to allow them to access a LAN device at a static IP and drop all other traffic. I suspect that this is not a new request and has been done before: I would imagine that there are multiple solutions each with pros and cons.

Hardware / firmware details can be found in my signature.

If you have experience with implementing access control, I look forward to an actionable response. Thank you.
It should be easy to set a whitelist for this, but this has to be done on the RADIUS server. Basically you bind the MAC address to a user so no login is needed.

The first consumer grade router that includes an embedded RADIUS server I think would be a big seller in the prosumer space - as RADIUS can define many policies, not just WiFi, but LAN and other resource access on a user/group/world basis...
 
This feature is available in a lot of enterprise firewalls. You are allowed to define address objects based on MAC address and other objects based on IP. Basically you set an allow rule to allow the objects access to your specific host and then a deny rule for everything else. You can probably set the rule to allow traffic only on specific ports as well. The one downside is that the destination and source objects would need to be in a different VLAN / security zone, since it works on Layer 2 and you want this to happen even if you have switches in place. Of course MAC addresses can also be spoofed, so you are still safer with RADIUS. If you have Synology or QNAP, they will both act as a RADIUS server if you have APs that support it.

Not sure how you could do this on your current hardware though.
 
If you read what the OP says, he says username and password, implying he is either using some sort of hotspot feature or RADIUS. WiFi on its own only requires a password. Since he is using Merlin firmware, it does have a configurable firewall and would obviously have config files. RADIUS and hotspot have whitelists and blacklists by default, so if it is not in the GUI, in case you downloaded the software using Entware or Optware, you will have to look through the files for this. You may also need to read the documentation about the server you're using to find/make the whitelist.

Of course there aren't WiFi devices that don't support connecting to a WiFi AP using a password, but some may not support RADIUS/hotspot, such as a network printer.

Another thing is that he wants to filter LAN traffic. You may be able to do this on RMerlin firmware, but you need to bridge your LAN and apply the filters on the bridge, making it use the IP firewall. On RouterOS it is easy to filter a bridge by making the layer 2 traffic obey the layer 3 firewall, but it might be doable on RMerlin firmware. The problem with using a bridge is that it limits your LAN traffic to 1Gb/s, because the switch chip and the CPU are linked by a 1Gb/s bidirectional link that will allow a maximum of 1Gb/s simultaneous traffic in your case.

Might be easier to use different IP segments or VLANs since you can have virtual adapters tied to the same physical interface.
 
Yeah, I read what the OP said, but I assumed they would be open to alternatives and was just brainstorming a little bit. I agree RADIUS is probably more flexible in the long run but depending on what they need to restrict access to, it may be easier to do via VLANs. In any case, I don't think it can happen with just the ASUS w/ Merlin.
 
One way you can implement this is by an ACL on a switch.
Bind the ACL to the port the device is connected to.
Add one ACE per device to the ACL that you wish to allow access.
Add one ACE at the end of the list to deny all other traffic that does not match the source.
 
With access lists there are usually 2 formats: deny with an ending permit permit, and then there is the permit with a deny deny. You can also stack your denies and permits, but order makes a difference. Remember, once the first rule satisfies the access list condition, the access list is stopped and no more tests are performed.

PS
You can also set up your network to assign IP addresses in a block to the special MACs, so you can control the MACs using IP addresses as a class, such as a 224 mask (255.255.255.224). I don't know how many MACs you want to control, but I would use a mask and work at layer 3. I try to run all my network at layer 3. It just makes it easier for me.

PSS
By blocking all the special MACs you can create a 1 line access control list rule. If you don't block the IPs, then just create an ACL which includes all special MAC IPs. The ACL would be a permit for the special MAC IP addresses with a deny deny at the end of the ACL.
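An added example (written for this thread, not code from any of the posters) that models the first-match ACL walk described in the post above: one permit ACE per allowed MAC followed by deny-all, the same entries with the deny placed first to show why order matters, and the layer-3 variant from the PS where the permitted devices sit in one /27 (255.255.255.224) block. The MAC addresses, host IP and block are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class ACE:
    """One access-control entry; a None field means 'match any'."""
    action: str                       # "permit" or "deny"
    src_mac: Optional[str] = None     # layer-2 match on the sending device
    src_net: Optional[str] = None     # CIDR, used by the layer-3 variant
    dst_net: Optional[str] = None     # CIDR of the protected host(s)

    def matches(self, pkt: dict) -> bool:
        if self.src_mac and self.src_mac.lower() != pkt["src_mac"].lower():
            return False
        if self.src_net and ip_address(pkt["src_ip"]) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(pkt["dst_ip"]) not in ip_network(self.dst_net):
            return False
        return True

def evaluate(acl: list, pkt: dict) -> str:
    """Top-down walk: the first matching ACE decides and nothing after it is tested.
    Falling off the end is the implicit deny most switch ACLs apply."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

# Constructed values: the protected host, the two devices allowed to reach it, and the
# /27 block (.32 - .63) that DHCP reservations place those devices in.
HOST = "192.168.1.50/32"
ALLOWED = ["00:11:22:33:44:55", "66:77:88:99:aa:bb"]
SPECIAL_BLOCK = "192.168.1.32/27"

# Per-device form: one permit ACE per MAC to the host, then deny everything else.
PER_MAC_ACL = [ACE("permit", src_mac=m, dst_net=HOST) for m in ALLOWED] + [ACE("deny")]

# Same entries with the deny-all first: it matches every packet, so no permit is ever reached.
MISORDERED_ACL = [ACE("deny")] + PER_MAC_ACL[:-1]

# Layer-3 form from the PS: one permit for the whole /27, then deny everything else.
L3_ACL = [ACE("permit", src_net=SPECIAL_BLOCK, dst_net=HOST), ACE("deny")]

def pkt(src_mac: str, src_ip: str, dst_ip: str = "192.168.1.50") -> dict:
    return {"src_mac": src_mac, "src_ip": src_ip, "dst_ip": dst_ip}

if __name__ == "__main__":
    for mac, ip in [("00:11:22:33:44:55", "192.168.1.40"), ("de:ad:be:ef:00:01", "192.168.1.100")]:
        p = pkt(mac, ip)
        print(mac, evaluate(PER_MAC_ACL, p), evaluate(MISORDERED_ACL, p), evaluate(L3_ACL, p))
```

Note that the layer-3 form permits any device whose address falls in the block, regardless of MAC, which is the trade-off between the two approaches.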
 