MAC Access Control
MAC Access Control is a mechanism to authenticate a wireless client by its MAC address when the client wants to associate to an AP.
There are two methods for MAC Access Control to check the validity of clients' MAC addresses. One is using RADIUS servers, and the other is using MAC Address Lists configured with the AWC Plug-in.
When you use the AWC Plug-in's MAC Address List, you can assign a single MAC Address List to each AP Profile. If an AP Profile has more than one VAP configured, you can choose whether to use the single MAC Address List on all VAPs, or to use the MAC Address List on some VAPs and use separate RADIUS servers on other VAPs.
Note: MAC Access Control is not supported in combination with Dynamic VLAN.
Note: To use MAC Access Control, enable "MAC Access Control" on a VAP. Please refer to Configure AP Profiles for more details.
While MAC Access Control checks the validity of a client, it does not improve the security level of the wireless communication itself. It is recommended that WPA Personal or WPA Enterprise be used for authentication and encryption in addition to the client validation by MAC Address Authentication.
If you use WPA Enterprise along with MAC Access Control, RADIUS attributes used for determining client VLANs should be configured as the ones for WPA Enterprise, not for MAC Address Authentication.
Use MAC Address List on AWC Plug-in
The configuration procedure for MAC Access Control is broadly divided into the following two types, depending on the model of the AP.

TQ6403 GEN2, TQm6403 GEN2, TQ6602 GEN2, TQm6602 GEN2, TQ6702 GEN2, TQm6702 GEN2, TQ6702e GEN2, TQ7403
In these models, a separate MAC Address List can be selected for each VAP.
- First, you have to create a MAC Address List. Refer to Configure MAC Address Lists for more details.
For a new MAC Address List, you have to choose an action, either "Allow" or "Deny".
- "Allow" creates an allowlist, which only permits traffic from the MAC addresses in the list and blocks all other traffic.
- "Deny" creates a blocklist, which only blocks traffic from the MAC addresses in the list and permits all other traffic.
- Next you have to create an AP Profile. Refer to Configure AP Profiles for details.
- In the "VAP (Multiple SSID) Configuration" section, select "MAC Address List" for each VAP on which you want to use MAC Access Control using the list.
When "MAC Address List" is selected, an additional item "Selected List" will appear.
Clicking on the "Selected List" drop-down list displays the "Select MAC Address List" dialog box. Click a MAC Address List for use with VAPs defined in the AP Profile and click "Select".

To apply MAC Address Lists to multiple VAPs, specify a MAC Address List for each VAP.
- When using Channel Blanket together, select the MAC Address List to be commonly applied to all CB VAPs in the "Detail" of the "Basic Configuration" of AP Profile.

Clicking the "MAC Address List" drop-down list shows the "Select MAC Address List" dialog box. Click a MAC Address List for use with VAPs defined in the AP Profile and click "Select".
Displays the total number of MAC address entries in the MAC Address List specified in the "Basic Configuration" and "MAC Access Control" in the "VAP (Multiple SSID) Configuration".
The total number of MAC address entries in the configurable MAC address lists is capped at 3072. If the number of entries exceeds the cap, one of the MAC address list selections must be removed or the number of entries in the MAC address list must be reduced.
If the same MAC address is duplicated in different MAC address lists, it is counted as one entry. The count does not consider whether the action of the MAC address lists containing the duplicate entry is "Allow" or "Deny".
Note: If a MAC address list is specified in both the "MAC Address List" in the "Basic Configuration" and the "Selected List" in the "MAC Access Control" of the "VAP (Multiple SSID) Configuration", the "Selected List" in the "MAC Access Control" of the "VAP (Multiple SSID) Configuration" takes priority (VAP 2 in the table below).

Table 1

| VAP Number | AP Profile: Basic Configuration, MAC Address List | AP Profile: VAP Configuration, MAC Access Control | Application Result: Applied MAC Access List |
|---|---|---|---|
| VAP 1 | List 1 | (unspecified) | List 1 |
| VAP 2 | List 1 | List 2 | List 2 |

Note: When using the MAC address list feature, if the firmware applied to the AP does not support per-VAP MAC address lists, specify the same MAC address list for both the "MAC Address List" in the Basic Configuration and the "Selected List" for each VAP under "MAC Access Control" in the VAP (Multi-SSID) Configuration.
Specifying only one of the items, or assigning different types of MAC address lists, is not supported.
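
A pre-check for the entry cap described above, as an added example that is not part of the AWC Plug-in or its documentation. It assumes that MAC addresses written in different notations (hyphen, colon, no separator, any case) are the same entry; the function names and sample lists are constructed for illustration.

```python
import re

MAX_ENTRIES = 3072  # cap on total MAC address entries stated on this page

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Reduce hyphen, colon or unseparated notation (any case) to 12 lowercase hex digits."""
    digits = re.sub(r"[-:]", "", mac.strip().lower())
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def check_entry_cap(selected_lists, cap=MAX_ENTRIES):
    """selected_lists: {list_name: (action, [mac, ...])} for every list selected in the AP Profile.

    Returns (unique_count, within_cap, conflicts). A MAC present in several
    lists is counted once, whatever the lists' actions are. conflicts holds the
    MACs found in both an "Allow" and a "Deny" list, which deserve a manual review.
    """
    actions_by_mac = {}
    for _name, (action, macs) in selected_lists.items():
        for mac in macs:
            actions_by_mac.setdefault(normalize_mac(mac), set()).add(action)
    unique_count = len(actions_by_mac)
    conflicts = sorted(m for m, acts in actions_by_mac.items() if len(acts) > 1)
    return unique_count, unique_count <= cap, conflicts


# Constructed sample data (not from the page)
SAMPLE = {
    "List 1": ("Allow", ["AB-CD-EF-12-34-56", "00:11:22:33:44:55"]),
    "List 2": ("Deny", ["abcdef123456", "00-11-22-33-44-66"]),
}

if __name__ == "__main__":
    print(check_entry_cap(SAMPLE))
```
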
Combined Use of Channel Blanket and MAC Address List
When using MAC Address List together with Channel Blanket, select the MAC Address List to be commonly applied to all CB VAPs in the "Detail" of the "Basic Configuration" of AP Profile.
Clicking the "MAC Address List" drop-down list shows the "Select MAC Address List" dialog box. Click a MAC Address List for use with VAPs defined in the AP Profile and click "Select".
In addition, in the CB Profile, "MAC address list" must be selected in "MAC access control" for the CB VAPs to be controlled with MAC address lists.

The relationship between the two "MAC Address List" settings in the AP Profile, i.e., the "MAC Address List" settings for "Basic Configuration" and "MAC Access Control" for "VAP (Multiple SSID) Configuration" is as follows.
- There is no selection item to be applied in the "MAC Address List" of "MAC Access Control" in the CB Profile.
As mentioned above, when applying a MAC Address List to a Channel Blanket, it is necessary to apply the MAC Address List in the AP Profile that is applied in conjunction with the CB Profile.

Table 2

| VAP Number | AP Profile: Basic Configuration, MAC Address List | AP Profile: VAP Configuration, MAC Access Control | CB Profile: CB VAP Configuration, MAC Access Control | Application Result: Type of Created VAP | Application Result: Applied MAC Access List |
|---|---|---|---|---|---|
| VAP 1 | (unspecified) | (unspecified) | Select "MAC Address List" | CB VAP | Not Applied |
| VAP 2 | (unspecified) | (unspecified) | Select "MAC Address List" | CB VAP | Not Applied |
| VAP 3 | (unspecified) | (unspecified) | Select from other than "MAC Address List" | CB VAP | Not Applied |
| VAP 4 | (unspecified) | (unspecified) | Select from other than "MAC Address List" | CB VAP | Not Applied |
| VAP 5 | (unspecified) | (unspecified) | (not created) | Multi-channel VAP | Not Applied |
| VAP 6 | (unspecified) | (unspecified) | (not created) | Multi-channel VAP | Not Applied |
| : | | | | | |

- When any MAC Address List is selected in the "MAC Address List" of "Basic Configuration" in the AP Profile, the MAC Address List is applied to all CB VAPs for which the "MAC Access Control" method is set to "MAC Address List" in the CB Profile (VAP 1 and VAP 2 in the table below).
If "MAC Access Control" is set to a method other than "MAC Address List" or "Disable" is selected in the CB Profile, MAC Address List is not applied to CB VAPs (VAP 3 and VAP 4 in the table below).
For VAPs for which no CB VAP has been created (multi-channel VAPs), the "MAC Address List" setting in the "Basic Configuration" is not applied (VAP 5 and VAP 6 in the table below).

Table 3

| VAP Number | AP Profile: Basic Configuration, MAC Address List | AP Profile: VAP Configuration, MAC Access Control | CB Profile: CB VAP Configuration, MAC Access Control | Application Result: Type of Created VAP | Application Result: Applied MAC Access List |
|---|---|---|---|---|---|
| VAP 1 | List 1 | (unspecified) | Select "MAC Address List" | CB VAP | List 1 |
| VAP 2 | List 1 | (unspecified) | Select "MAC Address List" | CB VAP | List 1 |
| VAP 3 | List 1 | (unspecified) | Select from other than "MAC Address List" | CB VAP | Not Applied |
| VAP 4 | List 1 | (unspecified) | Select from other than "MAC Address List" | CB VAP | Not Applied |
| VAP 5 | List 1 | (unspecified) | (not created) | Multi-channel VAP | Not Applied |
| VAP 6 | List 1 | (unspecified) | (not created) | Multi-channel VAP | Not Applied |
| : | | | | | |

- When any MAC Address List is selected for "Selected List" in "MAC Access Control" of "VAP (Multiple SSID) Configurations" in the AP Profile, the MAC Access Control method is applied to the CB VAPs with the same VAP number and "MAC Access Control" set to "MAC Address List" in the CB Profile.
If a MAC address list is specified in both the "MAC Address List" in the "Basic Configuration" and the "Selected List" in the "MAC Access Control" of the "VAP (Multiple SSID) Configuration", the "Selected List" in the "MAC Access Control" of the "VAP (Multiple SSID) Configuration" takes priority (VAP 2 in the table below).

Table 4

| VAP Number | AP Profile: Basic Configuration, MAC Address List | AP Profile: VAP Configuration, MAC Access Control | CB Profile: CB VAP Configuration, MAC Access Control | Application Result: Type of Created VAP | Application Result: Applied MAC Access List |
|---|---|---|---|---|---|
| VAP 1 | List 1 | (unspecified) | Select "MAC Address List" | CB VAP | List 1 |
| VAP 2 | List 1 | List 2 | Select "MAC Address List" | CB VAP | List 2 |
| VAP 3 | List 1 | List 3 | Select from other than "MAC Address List" | CB VAP | Not Applied |
| VAP 4 | List 1 | (unspecified) | Select from other than "MAC Address List" | CB VAP | Not Applied |
| VAP 5 | List 1 | (unspecified) | (not created) | Multi-channel VAP | Not Applied |
| VAP 6 | List 1 | List 3 | (not created) | Multi-channel VAP | List 3 |
| : | | | | | |

- If you want to apply a different MAC Address List to each CB VAP, you do not need to use the "MAC Address List" in the "Basic Configuration" of the AP Profile.
In this case, create a VAP for each VAP number in "VAP (Multiple SSID) Configuration" in the AP Profile, and select the MAC Address List to be applied in "Selected List" in "MAC Access Control" respectively.

Table 5

| VAP Number | AP Profile: Basic Configuration, MAC Address List | AP Profile: VAP Configuration, MAC Access Control | CB Profile: CB VAP Configuration, MAC Access Control | Application Result: Type of Created VAP | Application Result: Applied MAC Access List |
|---|---|---|---|---|---|
| VAP 1 | (unspecified) | List 1 | Select "MAC Address List" | CB VAP | List 1 |
| VAP 2 | (unspecified) | List 2 | Select "MAC Address List" | CB VAP | List 2 |
| VAP 3 | (unspecified) | List 3 | Select from other than "MAC Address List" | CB VAP | Not Applied |
| VAP 4 | (unspecified) | (unspecified) | Select from other than "MAC Address List" | CB VAP | Not Applied |
| VAP 5 | (unspecified) | (unspecified) | (not created) | Multi-channel VAP | Not Applied |
| VAP 6 | (unspecified) | List 3 | (not created) | Multi-channel VAP | List 3 |
| : | | | | | |

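
The rules of Tables 2 to 5 written as one resolver, as an added example that is not part of the AWC Plug-in. It lets you confirm which list ends up on each VAP before a profile is applied, and in particular which VAPs end up with no list at all. The function names and the "(other method)" placeholder are assumptions made for illustration.

```python
MAL = "MAC Address List"    # CB Profile "MAC Access Control" choice that enables list control
OTHER = "(other method)"    # placeholder for any choice other than "MAC Address List"


def applied_list(basic_list, selected_list, cb_method):
    """Resolve the MAC Address List applied to one VAP number.

    basic_list    -- "MAC Address List" in the AP Profile's Basic Configuration, or None
    selected_list -- "Selected List" of this VAP in "VAP (Multiple SSID) Configuration", or None
    cb_method     -- "MAC Access Control" of the CB VAP with the same VAP number in the
                     CB Profile; None when no CB VAP is created for this number
    Returns (type_of_created_vap, applied_list_or_None).
    """
    if cb_method is None:
        # Multi-channel VAP: the Basic Configuration list is not applied,
        # only a list selected on the VAP itself (Table 4, VAP 5 and VAP 6).
        return "Multi-channel VAP", selected_list
    if cb_method != MAL:
        # CB VAP using another method or "Disable": no list is applied.
        return "CB VAP", None
    # CB VAP set to "MAC Address List": the per-VAP Selected List takes
    # priority over the Basic Configuration list.
    return "CB VAP", selected_list or basic_list


def resolve_profile(basic_list, vaps):
    """vaps: {vap_number: (selected_list, cb_method)} -> {vap_number: (type, applied_list)}."""
    return {n: applied_list(basic_list, sel, cb) for n, (sel, cb) in vaps.items()}


# The six rows of Table 4 (Basic Configuration = "List 1")
TABLE_4 = {
    1: (None, MAL), 2: ("List 2", MAL), 3: ("List 3", OTHER),
    4: (None, OTHER), 5: (None, None), 6: ("List 3", None),
}

if __name__ == "__main__":
    for vap, result in resolve_profile("List 1", TABLE_4).items():
        print(f"VAP {vap}: {result[0]}, {result[1] or 'Not Applied'}")
```
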
TQ1402, TQm1402, TQ3403, TQm3403, TQ5403, TQm5403, TQ5403e, TQ6602, TQ6702 GEN2-R, TQ7403-R, TQ7613
In these models, you cannot use separate MAC Address Lists for VAPs configured on a single AP Profile.
The same MAC address list is applied to all VAPs for which "MAC Address List" is selected as the MAC Access Control method in the "VAP (Multiple SSID) Configuration".
If you want to use a different set of MAC Addresses for each VAP, you have to use external RADIUS servers.
Also, when using Channel Blanket together, the same MAC Address List is applied to all VAPs for which "MAC Address List" is selected as the MAC access control method in "VAP (Multiple SSID) Configuration" in the CB Profile.
- First, you have to create a MAC Address List. Refer to Configure MAC Address Lists for more details.
For a new MAC Address List, you have to choose an action, either "Allow" or "Deny".
- "Allow" creates an allowlist, which only permits traffic from the MAC addresses in the list and blocks all other traffic.
- "Deny" creates a blocklist, which only blocks traffic from the MAC addresses in the list and permits all other traffic.
- Next you have to create an AP Profile. Refer to Configure AP Profiles for details.
- Specify a MAC Address List to use in the "System" section's "MAC Address List".
Clicking the "MAC Address List" drop-down list shows the "Select MAC Address List" dialog box. Click a MAC Address List for use with VAPs defined in the AP Profile and click "Select".

- In the "VAP (Multiple SSID) Configuration" section, select "MAC Address List" for each VAP on which you want to use MAC Access Control using the list.
When you select "MAC Address List", the MAC Address List selected in the "Basic Configuration" section will be shown in the "Selected List" field.

Use External RADIUS Server
Next you have to create an AP Profile. Refer to Configure AP Profiles for details.
In the "VAP (Multiple SSID) Configuration" section, select "External RADIUS" for each VAP on which you want to use MAC Access Control via RADIUS servers.

When performing MAC Address Authentication, the AWC Plug-in sends a client's MAC address to the RADIUS server as a username. Therefore, you have to use the same MAC address format on both the AWC Plug-in and the RADIUS server.
Note: Refer to the RADIUS server's documentation for detailed instructions on how to configure the server.

| Item Name | Description |
|---|---|
| User-Name Format Separator | Specify an octet delimiter to use in a User-Name attribute from "Hyphen", "Colon" and "None". The default is "Hyphen". |
| User-Name Format Letter Case | Specify which case to use in a User-Name attribute from "Upper" and "Lower". The default is "Lower". |
| User-Password Format | Specify what is used for a User-Password attribute when a client MAC address is sent to the RADIUS server for authentication. The default is "User Name". If you select "Fixed Password", a string specified in "User-Password Format Password" is always used as the value of the User-Password attribute. If you select "User Name", the same string as the User-Name attribute (MAC Address) is sent to the RADIUS server as the value of the User-Password attribute. |
| User-Password Format Password | Specify a fixed password string which is used when "User-Password Format Type" is set to "Fixed Password". |

| Attribute Name | Attribute Value | Comment |
|---|---|---|
| User-Name | Full Name | MAC Address. Lower Case, Delimited by hyphen (e.g. ab-cd-ef-12-34-56) |
| User-Password | Password | Same as the User-Name. (e.g. ab-cd-ef-12-34-56) |
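
The User-Name and User-Password values that result from the settings above, together with a check for accounts stored on the RADIUS server in a different MAC notation, as an added example that is not part of the AWC Plug-in. It assumes the RADIUS server compares user names as exact strings; the function names and sample data are constructed for illustration.

```python
import re

SEPARATORS = {"Hyphen": "-", "Colon": ":", "None": ""}


def radius_credentials(mac, separator="Hyphen", letter_case="Lower",
                       password_format="User Name", fixed_password=None):
    """Return (User-Name, User-Password) for a client MAC under the given settings."""
    digits = re.sub(r"[-:]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if letter_case == "Upper" else digits.lower()
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    user_name = SEPARATORS[separator].join(octets)
    if password_format == "Fixed Password":
        if not fixed_password:
            raise ValueError('"Fixed Password" needs a User-Password Format Password')
        return user_name, fixed_password
    return user_name, user_name  # "User Name": password equals the MAC string


def find_format_mismatches(client_macs, radius_user_names, **settings):
    """Return (sent_user_name, stored_user_name) pairs where the RADIUS database
    holds the client's MAC, but in a notation other than the one that is sent."""
    known = set(radius_user_names)
    by_digits = {re.sub(r"[-:]", "", u).lower(): u for u in radius_user_names}
    mismatches = []
    for mac in client_macs:
        sent, _ = radius_credentials(mac, **settings)
        stored = by_digits.get(re.sub(r"[-:]", "", sent).lower())
        if sent not in known and stored is not None:
            mismatches.append((sent, stored))
    return mismatches


# Constructed sample data (not from the page)
RADIUS_USERS = ["ab-cd-ef-12-34-56", "00:11:22:33:44:55", "AABBCCDDEEFF"]
CLIENTS = ["AB:CD:EF:12:34:56", "00-11-22-33-44-55", "aa-bb-cc-dd-ee-ff"]

if __name__ == "__main__":
    for sent, stored in find_format_mismatches(CLIENTS, RADIUS_USERS):
        print(f"sent {sent!r} but the server stores {stored!r}")
```
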
Configure RADIUS Server
To use Dynamic VLAN, you have to add the APs to the RADIUS server's database as RADIUS clients.

| Item Name | Description |
|---|---|
| RADIUS Client's IP Address | Wireless AP's IP Address (Example) 192.168.1.230 |
| Secret | Wireless AP's Password (Example) "MyPassword" |
Note: Because client users are authenticated by APs, you have to add all APs to the RADIUS client database.
Use both MAC Address List and External RADIUS server
TQ1402, TQm1402, TQ5403, TQ5403e, TQm5403, TQ6403 GEN2, TQm6403 GEN2, TQ6602, TQ6602 GEN2, TQm6602 GEN2, TQ6702 GEN2, TQm6702 GEN2, and TQ7403 can use both the AP's own MAC Address List and MAC Access Control via an External RADIUS server.
In the VAP (Multiple SSID) Settings of the AP Profile, set MAC Access Control to "MAC Address List + External RADIUS" and configure the MAC Address List and RADIUS server settings in the same way as when configuring each individually.
When using both the MAC Address List and an External RADIUS Server, the MAC address of the wireless client is queried in the order of MAC Address List and External RADIUS Server, and the wireless client is allowed to communicate if it is allowed to connect by either method. This means that if the connection is refused by both, the client will not be able to communicate.
Combination of MAC Access Control and Captive Portal
In the VAP (Multiple SSID) Configuration of AP Profile, if any authentication method other than "None" is specified for both Captive Portal and MAC Access Control, then these authentication methods can be used together. In this case, the authentication process will be performed in the order of MAC Access Control, and then Captive Portal, and only the wireless clients which are successfully authenticated through both methods will be able to communicate via the relevant VAP.
Also, when you are using TQ5403/5403e with firmware version 6.0.3-0.1 or later, you can choose to grant 2-step authentication to a client with either or both MAC Access Control or Captive Portal.
If any authentication method other than "None" is specified for both Captive Portal and MAC Access Control, the "Two-step auth with Captive Portal" option is displayed below the MAC Access Control options.
| Item Name | Description |
|---|---|
| Two-step auth with Captive Portal | When any authentication method except "None" is selected for Captive Portal, the authentication will be performed in two steps: Captive Portal and MAC Access Control. Note: This item is displayed when "AT-TQ7613", "AT-TQ3403 / AT-TQm3403", "AT-TQ7403", "AT-TQ6403 GEN2 / AT-TQm6403 GEN2", "AT-TQ6702 GEN2 / AT-TQm6702 GEN2 AT-TQ6602 GEN2 / AT-TQm6602 GEN2", "AT-TQ6702e GEN2", "AT-TQ5403 / AT-TQm5403", or "AT-TQ5403e" is selected as the Model. |

10 Nov 2025 11:47