Access Control not blocking Apple devices

Question

I'm trying to figure out whats going on here with my issue. If this is not the right area, then can someone re-direct me to the right place or solution?

I'd like to understand why is it that in a WiFi system that has 'access control' turned on to' block all new devices from connecting', any apple device can connect without authorization.

Interestingly... yesterday I ttried to disallow '(block)' one of these, and the router responded that I 'cannot block using the same device I'm logged in with' - an android! Yet the device I was blocking was an iPhone identified by MAC association to vendor. But that aside, I cant seem to block any Apple devices using access control.

Apple devices are the only ones that never get blocked in my case.

My setup: WNDR4300 v2 V1.0.0.58 + repeater WN2000RPTV3

schumaku · Answer

@sunnyorlando&nbsp;wrote:I'd like to understand why is it that in a WiFi system that has 'access control' turned on to' block all new devices from connecting', any apple device can connect without authorization.Definitively something very wrong or not working as expected if this is true. What magic WiFi system model and firmware are we facing here?&nbsp;@sunnyorlando&nbsp;wrote:Interestingly... yesterday I ttried to disallow '(block)' one of these, and the router responded that I 'cannot block using the same device I'm logged in with' - an android! Yet the device I was blocking was an iPhone identified by MAC association to vendor.Netgear (and other WiFi device makers!) have either a white list or a black list implemented. If a WiFi system is configured to require a management action on the first connection - allowing a device - it's in white list mode.&nbsp;Thus you can't block any individual device (resp. whatever MAC address was used) into a black list.&nbsp;@sunnyorlando&nbsp;wrote:But that aside, I cant seem to block any Apple devices using access control.Not related to be an Apple device, as explained above. There should be a way to remove it from the white list of allowed devices instead.&nbsp;sunnyorlando&nbsp;wrote:My setup: WNDR4300 v2 V1.0.0.58 + repeater WN2000RPTV3Have both the router and the repeater the white list configured - essentially _three_ times because clients coming in over the repeater get a translated MAC address? Oh and in case the repeater is operating as access point these would bypass such a control (for WiFi!) on the router.

sunnyorlando · Answer

The repeater is set up to mimic the settings of the actual router. I do not have seprate controls for SSID, passwords or Access Control for the repeater - its all based on whatever the settings ar for the router. That is an option you can select when you set up the repeater.

I kind of figure its not an apple issue per se, but it only happens with Apple. All other devices that access the WiFi need to be arpproved via Access Control. And that what Im truing to figure out.

The set up is a WNDR4300 v2 on version V1.0.0.58, with aWN2000RPT v3 on the other side of the house.

schumaku · Answer

sunnyorlando&nbsp;wrote:The repeater is set up to mimic the settings of the actual router. I do not have seprate controls for SSID, passwords or Access Control for the repeater - its all based on whatever the settings ar for the router. That is an option you can select when you set up the repeater.Agree the SSID are taken over from the router, by default with the added _EXT postfix.&nbsp;Strongly doubt there is any integration when it comes to white- and black-list ACLs (as available on the router), while the extender&nbsp;does only support ACL as a back list as per the&nbsp;NETGEAR N300 WiFi Range Extender Model WN2000RPv3 User Manual&nbsp;p.36 "Deny Access to a Computer or WiFi Device".&nbsp;The&nbsp;N300 WiFi Range Extender Model WN2000RPTv3 Quick Start Guide&nbsp;does have a section "I enabled a WiFi MAC filter, WiFi access control, or access control list (ACL) on my router. What should I do when installing the extender?" on p.18. it also explains that the extender does make use of translated MAC addresses which require to be added if using the white list feature on the router.&nbsp;sunnyorlando&nbsp;wrote:I kind of figure its not an apple issue per se, but it only happens with Apple. All other devices that access the WiFi need to be arpproved via Access Control. And that what Im truing to figure out.Somewhere between very unlikely (any kind of overflow on the MAC ACL white list?) and impossible.&nbsp;Please show the example based on the disabled Private Address (read random MAC) "feature" on an Apple (what is very broad), the connected device information on both the router and the extender, and any white list entries on the router - screenshots and more would help.&nbsp;

sunnyorlando · Answer

Attached PDF with screenshots:&gt; '1' is whats connected right now - iPhones are not here now&gt; '2' is what is not connected, but iPhones show as allowed&gt; '3a and 3b' - is what the blocked list - shows the same iPhones that are also in the 'allowed but not connected' list '2'.&nbsp;Thosie iPhones have been blocked several times, then they sho up with differnte MAC and automatically get connected without approvals. I'll have to wait until it happnes again to see them connected to the router AND show up in the not allowed list - by name, not MAC because it changes.And BTW - when connected, its to the main router (wireless3.2.4_OF), not the EXT. You can see the extender listed in the connected devices Image 1 at the bottom. So whatever the EXT functionality is, I don't see it affecting the rules of the main router if nto connected to the EXT. Right?And an iPhone shows a wired??And I don't get how that one IP that shows with 192 IP range. Its a 6c:B:CE MAC and&nbsp; it comes up as a Netgear product but I cant figure what it is, how is that getting a 192 when my private range is 172?&nbsp;

schumaku · Answer

To understand more how these extenders work, please also check (and post) we need also the extender table with the real MAC (used between the client and the and exender radio) and the virtual MAC (useed between the extender and the router radio) - ideally with some example clients connected.&nbsp;sunnyorlando&nbsp;wrote:Thosie iPhones have been blocked several times, then they sho up with differnte MAC and automatically get connected without approvals.&nbsp;That would be not allowed in fact. The access does work based on the MAC address only. Device name or the like does not matter.&nbsp;sunnyorlando&nbsp;wrote:... by name, not MAC because it changes.For a manged environment with MAC ACL, your known users must disable this "privacy" **** for your network (this is by all SSIDs offered) -&gt;&nbsp;Use private Wi-Fi addresses in iOS 14, iPadOS 14, and watchOS 7&nbsp; As you see, beyond of disabling the Private network feature for each SSID, Apple has not really a plan for people intending to use the (in my opinion mostly obsolete MAC security [as a bad guy, I am going to borrow one and wait till it disappears - easy possible with mobile devices]) in home or SMB environments - most have no managed MDM environments.&nbsp;&nbsp;sunnyorlando&nbsp;wrote:And BTW - when connected, its to the main router (wireless3.2.4_OF), not the EXT. You can see the extender listed in the connected devices Image 1 at the bottom. So whatever the EXT functionality is, I don't see it affecting the rules of the main router if nto connected to the EXT. Right?However you have named your router and extender radios - from the&nbsp; "wireless3.2.4_OF" name the name looks constructed of "wireless3" the "2.4" for a 2.4 GHz one, and then "_OF" why ever. If pairing a classic extender like yours would create a name like&nbsp;"wireless3.2.4_OF_EXT". How ever, why ever the networks were named or renamed - impossible to see form outside.&nbsp;Login on the extender and check what is configured there.&nbsp;sunnyorlando&nbsp;wrote:And an iPhone shows a wired??And I don't get how that one IP that shows with 192 IP range. Its a 6c:B:CE MAC and&nbsp; it comes up as a Netgear product but I cant figure what it is, how is that getting a 192 when my private range is 172?This could be directly related. The MAC address is the one from the extender, possibly this device had a different IP, probably it was wired to the router at some point. You can remove it from the list. Same for the Apple device showing up as wired.&nbsp;Bottom line - managing MAC ACL is a pain in general. Managing the classic extenders with the MAC translation makes it more difficult. Allowing this privacy nonsense&nbsp;(you know oyur users, correct?) on your own managed network makes it simply impossible. and last, the unlucky requirement that all radois (connecting to the same network!) have to be configued on dedicaed names/SSIDs. Confusion complete for everyone.

Forum Discussion

Access Control not blocking Apple devices

10 Replies