My teenagers can bypass parental controls by editing their MAC address. I'd like to configure MAC Authentication but can't find a description of the Access List and Device Access toggles. What functionality do they provide? Also, is there an effective limit to the number of hosts in the list? I've read that in the past 10+ entries could be added but the router only provides access to the first 10.
Would a better approach be to define a Network Object for everything except the teen PCs and create a firewall policy that denies all internet access between specific times to all devices except the network object?
Wow, this sounds like you have junior network engineers at home... The way they got around MAC-based authentication is called MAC address spoofing.
Access Control under the Firewall could only block certain MAC addresses, which is rendered useless if the client decides to swap to another MAC address. iOS does this on WiFi automatically nowadays for privacy protection. If the client uses a desktop computer, you could set up a restricted account on the computer that would not allow them to spoof the MAC address.
Or, you need some sort of add-on appliance that does deny-by-default MAC address filtering. A used Cisco managed switch from eBay would do ($30). You can configure an Access Control List set to block a non-matched MAC address by default. Then the clients cannot circumvent the MAC address binding.
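As an added illustration (not part of the thread, and not Verizon or Cisco code), the following Python example contrasts the two policies described in the reply above: a block list that only rejects listed addresses, and a deny-by-default allow list. It also flags addresses with the locally administered bit set, which is how private Wi-Fi addresses appear. All MAC addresses and function names are constructed for the example.

```python
import re

def normalize(mac):
    # Accept aa:bb:..., aa-bb-... and aabb.ccdd.eeff; return lowercase colon form.
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def is_locally_administered(mac):
    # Bit 0x02 of the first octet is set on addresses not assigned by the
    # manufacturer, which includes the private Wi-Fi addresses phones generate.
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def blocklist_allows(mac, blocked):
    # "Block these addresses" policy: anything not listed gets through.
    return normalize(mac) not in {normalize(m) for m in blocked}

def allowlist_allows(mac, allowed):
    # Deny-by-default policy: only listed addresses get through.
    return normalize(mac) in {normalize(m) for m in allowed}

def audit(seen, allowed):
    # Report every connected client that is not on the allow list, with a reason.
    findings = []
    for mac in seen:
        if allowlist_allows(mac, allowed):
            continue
        reason = ("locally administered address" if is_locally_administered(mac)
                  else "unlisted hardware address")
        findings.append((normalize(mac), reason))
    return findings

# Constructed sample data (no real devices).
ALLOWED = ["00:11:22:33:44:55", "00-11-22-33-44-66"]
BLOCKED = ["00:11:22:33:44:66"]
SEEN = ["00:11:22:33:44:55", "DA:A1:19:0B:3C:7E", "0011.2233.4477"]

if __name__ == "__main__":
    for mac in SEEN:
        print(mac, "blocklist:", blocklist_allows(mac, BLOCKED),
              "allowlist:", allowlist_allows(mac, ALLOWED))
    for mac, reason in audit(SEEN, ALLOWED):
        print("not on allow list:", mac, "-", reason)
```

Running `audit` against the router's connected-device list shows which clients would be dropped once a deny-by-default list is enforced.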
Thanks for the update. I'll try configuring the Access Control List.
When I select Primary Network, MAC Authentication, Edit List there are two toggle switches - Access List and Device Access. Is there a description of how to use them? Seems like the first is "have an allowlist" and the second is "prevent all device access except those in the list".
Is there a way to view the current list? Finally, based on prior research, is there a limit to the number of entries in the list?
Sorry, I actually forgot MAC-based allow list is possible on WiFi radios. My previous message regarding the limitation of the Verizon routers (and many other consumer routers) might only apply if the kids' devices are hardwired to the router.
...
I just briefly tested on the workbench; it seems you need to have BOTH Access List and Device Access checked to limit the specified MAC addresses to connect and require these MAC-addressed clients to present the correct password.
I put 12 MAC addresses into the Allowed list, so the 10-device limit does not apply here. It is applied to DHCP reservations and static routes only, I believe.
......
Once you lock your "junior network engineers'" devices to a set of MAC addresses, you could then either use the Access Control under the Firewall to limit their Internet access according to a schedule, OR use the DHCP reservation to further lock a specific IP address to each device. The IP address could then be effectively subjected to Parental Controls settings.
Is there a User Guide that explains MAC authentication?