BLUE Access - What to use instead of MAC filtering if the MAC is anonymized?

So when using BLUE you have to add Wifi devices as they connect to the network, I think this is default behaviour, at least I did nothing to change that.

You add the MAC address in the menu for this: wiki.ipfire.org - Blue Access

But how do you solve MAC filtering when this anonymization of MAC addresses needs to be active, at least as a recommended security measure…? Is there any other way?

1 Like

Ehm, never mind.

It is a per network setting. Connection to Wifi A can use hardware address while connection to Wifi B uses a randomized one.

I thought it was a global setting.

Answer in short: no.

You need some sort of identification. In the Ethernet-based area (802.11 belongs to it) this is the MAC address.
If there is another unique ID which can be used, the concept of security with MAC anonymization is useless, IMO.

2 Likes

Agreed, this is also some news related to this issue.

2 Likes

That was actually what spurred my question, after reviewing some of my settings for this.
Since Android, and Windows, also have this functionality, albeit perhaps without the issues depicted in the article, I found it necessary to check how this actually works.

1 Like

I’ve always wondered about the same thing.

And not only an issue for Blue Access but also for Firewall Rules. How do I block something that is always changing?!?

1 Like

Jon, it is a per-network setting in the device.

You never need to block what you do not want in, only allow what you recognize, but, as I understand it, once you let a device with a randomized MAC in, it will hold the same MAC for that network. It will not change again.

Device A on Network A will always show MAC A.
On Network B it will show MAC B.
On Network C it will show MAC C.

You should be able to verify this by looking at the MAC, as I did, on different connected networks and check if it changes from one connected session to the next.

2 Likes

Hmmm… I’ll have to check this out. It doesn’t sound right to me. I currently have 28 expired dynamic leases and if the above was true, then I would have much less.

I know if the second character from the left is 2, 6, a, e then that is a randomized MAC. And 13 of those expired dynamic leases are randomized MACs.

Anyway, time to experiment!

2 Likes
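The "second hex digit is 2, 6, a or e" rule above is the locally administered (U/L) bit of the first octet. The following script, added here as an example and not code from this thread or from IPFire, applies that rule to a constructed sample in the ISC dhcpd leases format that IPFire's DHCP server writes, so you can count how many active or expired leases belong to randomized addresses without reading the list by hand. The lease contents, IPs, MACs and hostnames are made up for the example.

```python
"""Flag randomized (locally administered) MAC addresses in ISC dhcpd leases."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the ISC dhcpd leases format (not real data).
SAMPLE_LEASES = """\
lease 192.168.2.50 {
  starts 1 2024/01/08 09:00:00;
  ends 1 2024/01/08 21:00:00;
  binding state active;
  hardware ethernet 3a:5f:11:22:33:44;
  client-hostname "phone-a";
}
lease 192.168.2.51 {
  starts 1 2024/01/08 09:05:00;
  ends 1 2024/01/08 21:05:00;
  binding state free;
  hardware ethernet 00:1b:44:11:3a:b7;
  client-hostname "printer";
}
lease 192.168.2.52 {
  starts 1 2024/01/08 10:00:00;
  ends 1 2024/01/08 22:00:00;
  binding state active;
  hardware ethernet f6:0e:aa:bb:cc:dd;
  client-hostname "laptop-b";
}
lease 192.168.2.53 {
  starts 1 2024/01/08 10:30:00;
  ends 1 2024/01/08 22:30:00;
  binding state free;
  hardware ethernet ce:12:34:56:78:9a;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
STATE_RE = re.compile(r"binding state\s+(\w+);")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (bit 1 of the first octet) is set.

    This is exactly the 'second hex digit is 2, 6, a or e' rule: randomized
    MACs from iOS, Android and Windows set this bit; burned-in addresses
    assigned by the vendor leave it clear."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_leases(text: str) -> List[Dict[str, object]]:
    """Extract ip, mac, binding state and hostname from each lease block."""
    leases: List[Dict[str, object]] = []
    for ip, body in LEASE_RE.findall(text):
        mac = MAC_RE.search(body)
        if not mac:
            continue  # no hardware address recorded, nothing to classify
        state = STATE_RE.search(body)
        host = HOST_RE.search(body)
        leases.append({
            "ip": ip,
            "mac": mac.group(1).lower(),
            "state": state.group(1) if state else "unknown",
            "hostname": host.group(1) if host else "",
            "randomized": is_locally_administered(mac.group(1)),
        })
    return leases


def summarize(leases: List[Dict[str, object]]) -> Dict[Tuple[str, str], int]:
    """Count leases per (binding state, randomized/burned-in) pair."""
    summary: Dict[Tuple[str, str], int] = {}
    for lease in leases:
        kind = "randomized" if lease["randomized"] else "burned-in"
        key = (str(lease["state"]), kind)
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    parsed = parse_leases(SAMPLE_LEASES)
    for lease in parsed:
        tag = "RANDOMIZED" if lease["randomized"] else "burned-in "
        print(f"{lease['ip']:15} {lease['mac']} {tag} "
              f"{lease['state']:7} {lease['hostname']}")
    for (state, kind), count in sorted(summarize(parsed).items()):
        print(f"{state:7} {kind:10} {count}")
```

To run it against a real file, replace `SAMPLE_LEASES` with the contents of the dhcpd leases file on the firewall; the `binding state` split lets you see whether the randomized entries are current clients or only the expired leftovers mentioned above.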

This is so cool - it does stay the same! I learned LOTs of new stuff today!

3 Likes

@jon, could you please specify the source of your table?

This could be an interesting information for the wiki.

1 Like

I do not know anything about the website or the info. In other words, I did not confirm my sources…
:face_with_peeking_eye:

1 Like

@jon
Thank you very much for verifying and providing some docs to support and inform about it.

Excellent.

@bbitsch Yes, absolutely to the wiki. I am sure it may help others when pondering the same questions.

What a great Monday morning reading about this…! :crazy_face:

BTW Arista is a major actor in networking and Firewall products in the US, among other places…

They even have their own OS for appliances and I was pondering signing up for them before I found IPFire.

3 Likes

Interesting article.
The complete table contains a row “SSID Profile Forget and Reconnection”, which shows a significant difference between smartphone OSs and Windows. Windows generates a new MAC!

Therefore using the feature with mobile devices may be OK, but beware of using it with Windows clients.

1 Like

Thanks for pointing that out.

That would only become an issue if people clean/forget their Wifi connections periodically, or if a GPO or similar policy is in place to do that.

Other than that particular circumstance I see no reason for concern.