Apple → Re: [Security] MAC address filtering on AirPort Extreme

Like I said in the OP, I like to use multiple security measures to secure my Wi-Fi. I have a neighbor who I know is stealing Internet and he is stealing cable. If I find out he hacked into my Wi-Fi, I will prosecute.

If I use multiple measures (like the MAC filtering in addition to WPA2 and SSID hiding) then they'll have to break through multiple measures before they're in.

Understood. My point remains: if he's serious about breaking in, MAC filtering is no hindrance. If he's not, it's not necessary. Just sayin'

You use one layer of security and two layers of annoyance. Annoying for you and your users, not a hacker. MAC address filtering and hidden SSID can be bypassed in under 30 seconds. WPA2 is the only thing actually protecting your network.

If you still want to make your life harder for some reason, you can download the older version of Airport Utility (version 5.6. Just do a google search). It has MAC filtering. Not sure if the new one does.

I thought MAC address filtering was pretty secure because the AP ignores all except those MAC addresses in your access list. This is not correct? Also, I am using "WPA2 Personal" is that the same as WPA2 security wise?Yes the latest updated one 6.10.31 does have MAC filtering. They put it back. I was using 5.6, but now the new one has the facility. Looks like 5.6 is becoming useless. I recently installed an AirPort Express to run AirPlay, and 5.6 will not work with it at all.

It's fairly easy to set your MAC address to whatever you want and it's also possible to view what the AP and computer are saying to each other and get the computer's MAC address from that. So it really does nothing.

Yes, WPA2 Personal is fine. Enterprise is better, but it's overkill for most people. »www.enterprisenetworking ··· WLAN.htm

Read the article I linked to in my first post above for the gory details why MAC address filtering is useless.

I use all three as well but I use MAC Filtering so I can always have certain devices always have the same IP like my server, set top boxes, etc.

Like someone said WPA2 is the best you can use, hiding the SSID just makes it harder for the average person.

You can do Static Assignments without using MAC filtering.
That's the thing.. The average person isn't going to be breaking into your WPA2 protected network. "Breaking" (really, brute forcing) WPA2 takes time, enormous computing power, and a pretty good understanding of what you're doing. Somebody that has all that, can get your SSID in a matter of seconds.

Here's the breakdown of how I cracked my own WPA2 network w/ hidden SSID and MAC filtering (just for fun):
Hidden SSID - found in ~10 seconds
MAC Address of approved computer - found in ~5 seconds
Changing my MAC address to match - 5 seconds
Waiting to collect the right packet to brute force WPA - around 15 minutes
Brute forcing WPA - 5 days straight, on 3 separate computers (16 cores total) and I knew it was an all numeric password of a certain length (cutting the computation time down significantly).

You are correct that you can do it with static IP, however with a cable set top box if the power goes out I have to set it back up again. This prevents me from having to do this.

I meant you can do static assignments in the AirPort Extreme. The client devices still use DHCP, but they always pull the same IP address based on their MAC address. MAC filtering isn't required for this to work.

FYI, in airport utility it is referred to as DHCP reservations instead.