Jayden Brown

Wireless MAC Address Bypass

A short sketch of my situation before I formulate my question: I am on a large home network, which is privately administered by a couple of admins. The network consists of a LAN and a wireless LAN, and controls access centrally by filtering MAC addresses (denying or allowing based on whether they allow that specific MAC address).

I have two computers that I have registered and use (and pay for monthly) on this network, one wireless connection (laptop) and one cable connection (desktop). So I have two MAC addresses that are allowed on the network, and are allowed access to the internet through the network.

The problem is that the wireless access is very unreliable, and is unusable for me. The admins of the network don't have a lot of time and are a little lax, so they won't help me with my wireless access problems, even after repeated complaints. They basically told me to fix it myself. Which leaves me with a connection that I'm paying for, but unable to use. I don't have control over the main routers, so I am kind of cut off from the internet on my laptop because of this, which is very frustrating.

Fortunately, the MAC address filtering is rather simple. The wireless MAC address that I've registered does not allow me to access the cable LAN part of the network. So I have only one valid MAC address (from the desktop) that is allowed on the cable LAN part of the network.

What I have done is patch a small router (E-Tech RTVP03) to the main network, change its MAC address to the allowed (desktop) MAC address, and patch my computer and laptop to the router. This sort of works (internet access works), but there are some problems that I wasn't able to fix:

So basically, what I want the router to do is be as transparent as possible, only change the MAC address information that is passed to the main network (to bypass the MAC filtering), and allow me to share one connection over two computers.

Get a box that's DD-WRT/OpenWrt capable and change the MAC address to the one of your desktop, or just get them to insert the MAC address of your router. After that you can just use your own router as Wi-Fi AP and physical internet AP. No, you won't be able to discover other devices.

You are unable to see the rest of the network now because you have connected a router between, and you are now basically on a 'separate' network: check the IP addresses; if they are not all in the same CLASS then you are on different networks and cannot see everything, although technically everything is connected together. Secondly, a MAC address is a unique equipment identifier and cannot be changed; only an IP address can be changed. I don't believe that without the admins' help you will actually be able to do what you want successfully. It could be that there is too much interference in the room from where you are, or perhaps you are too far from the router (what kind of walls are between, etc.). I would weigh the pros and cons and then either deal with it the way it is; tell them you don't want the wireless anymore and use only the LAN connection (better to not pay for something you can't get); or do away with their services and get your own. Good luck!

This is quite a while after, but hopefully other people might read this and be helped. But anyways, after my (mis)adventures with WiFi in a college dorm room, I found that often routers have a "Use Only as Access Point" function built in to them. You must have a separate router, unplugged from the LAN/ISP, to start.

On your computer, find the subnet mask (usually 255.255.x.x).
Second, plug your computer into the router and change the settings for your WiFi (name, password, etc.); once they are set it is a pain to reset them.
Third, find the option to clone your computer's MAC address. (You might have to search the help for the router to do this.) (Oh, and the reason this works is because it's the outbound/facing MAC address for the router. Your computer sees something else.)
Set your router's subnet mask to the mask you found earlier.
Then, find the "Use as Access Point" feature and enable it.
Plug your router into the wired internet connection. Connect via WiFi to the router. Your computer should now be connected as if the router weren't even there.

Sometimes the other computers still aren't visible. Dunno why :/ But good luck!

Have your router set up, as you have it, using your PC's MAC address on the WAN port. Additionally, configure port forwarding on the router (if the router is capable of port forwarding) for network shares / network discovery.

First of all, you have to remember that the Internet connection can only take place through the IP address. Besides, even though both computers have the same MAC address it doesn't matter, so all you have to do is manually change the IP address of one of the computers and it will really solve the problem.

Recently we deployed ClearPass as RADIUS server. There are some IAPs for wireless. We deployed 802.1X authentication for the SSID. It works great. But my question is: is it possible to deploy MAC address bypass before 802.1X with the same SSID?

If I am not mistaken, it is possible with a wired solution. For example, IP telephones can pass authentication with their MAC address, and a computer which is connected to the IP telephone can pass with 802.1X. I wondered if there is the same solution for wireless.

With MAB, the switch uses the MAC address database to verify the device identity before granting access. When RADIUS MAC authentication bypass is enabled, MAB goes through three authentication steps to provide device/user access.

By default, MAB supports one device per switch port and flags a violation if more than one source MAC address is detected. This can, however, be changed: the following host modes can be set up in MAB. They are configured on the switch and do not involve any RADIUS setting.

Multi-Domain Authentication Host Mode allows two source MAC addresses to be authenticated, one through the voice VLAN and the other through the data VLAN. This is useful when a VOIP phone and a PC are connected through the same switch port. In this mode, a violation will be flagged if more than 2 MAC addresses are identified.

A further mode allows multiple source MAC addresses on the port by authenticating only the first one. The other source MAC addresses are permitted automatically after the first source has been authenticated, so they ride on its result without being checked themselves.
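The host-mode rules above (one MAC per port, one voice plus one data MAC, or first-MAC-only authentication) as a small simulation. This is an added example, not vendor code; `MAC_DB`, the MAC values and the decision strings are constructed for illustration.

```python
"""Simulate the MAB host-mode rules described above: single-host flags a second MAC,
multi-domain allows one voice and one data MAC and flags a third, multi-host
authenticates only the first MAC and lets later MACs ride on that result.
Added example, not vendor code; MAC_DB is a constructed stand-in for RADIUS."""
from dataclasses import dataclass, field

# Constructed MAC address database standing in for the RADIUS lookup (mac -> domain).
MAC_DB = {"00:11:22:33:44:55": "data", "aa:bb:cc:dd:ee:01": "voice"}

@dataclass
class Port:
    mode: str                                            # single-host, multi-domain, multi-host
    authenticated: dict = field(default_factory=dict)    # mac -> domain it was admitted on
    permitted: set = field(default_factory=set)          # multi-host: MACs admitted unchecked
    violation: bool = False                              # set once; port stays err-disabled

def radius_mab_lookup(mac: str):
    """Return the device's domain if the MAC is in the database, else None."""
    return MAC_DB.get(mac)

def observe(port: Port, mac: str, domain: str) -> str:
    """Process one source MAC seen on the port (domain = voice or data VLAN)."""
    if port.violation:
        return "err-disabled"
    if mac in port.authenticated or mac in port.permitted:
        return "already-allowed"
    if port.mode == "single-host":
        if port.authenticated:              # a second source MAC is a violation
            port.violation = True
            return "violation"
    elif port.mode == "multi-domain":
        # one MAC on the voice VLAN and one on the data VLAN; anything more violates
        if domain in port.authenticated.values() or len(port.authenticated) >= 2:
            port.violation = True
            return "violation"
    elif port.mode == "multi-host":
        if port.authenticated:              # first MAC already passed: no check for the rest
            port.permitted.add(mac)
            return "permitted-unauthenticated"
    else:
        raise ValueError(f"unknown host mode {port.mode}")
    if radius_mab_lookup(mac) is None:      # MAB: identity is the MAC, nothing else is asked
        return "reject"
    port.authenticated[mac] = domain
    return "authenticated"
```

In multi-host mode the second device is never looked up at all, which is the trade-off the text describes: anything plugged in behind the first authenticated device inherits its access.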

MAC authentication bypass, when used with MAC address filtering, can help bring otherwise unmanaged devices (those that cannot run an 802.1X supplicant) under the purview of network security: first by making them traceable, and then by limiting their access to the level they need in the network with the help of dynamic access control.

Configuring a port for the MAC authentication bypass access policy authenticates devices against the configured RADIUS servers using the MAC address of the device connected to the port. This access policy does not challenge devices for credentials.

The Hybrid authentication access policy combines 802.1X and MAC authentication bypass. A port configured for hybrid authentication will first attempt to authenticate the connected device to the configured RADIUS servers with 802.1X, but will fail over to MAC authentication bypass if the connected device does not send any EAP traffic.

Wireless-capable MX or Z-series devices have the option to authenticate wireless users with a RADIUS server. If this RADIUS server exists on the other side of a VPN tunnel, it will be important to note which IP address the MX/Z-series device will use when sending its Access-request messages. This article explains how to determine the source IP address used by a wireless-capable MX or Z-series device for RADIUS authentication.

What you could do is create a MAC-filtering SSID with no L2 auth and RADIUS or ISE NAC: if the client is the printer, just send an Access-Accept; if it is another device, redirect it to a web page for authentication. This is basically CWA, but bypassing the portal for the printer so it does not get redirected.

MAC-based authentication restricts wireless access to specific client devices but traditionally requires a RADIUS server. For smaller deployments, it is easier to configure MAC-based authentication using a Sign-on Splash Page.

Adding machines to the allow list allows them to bypass the splash page requirement. To add an existing device to the allow list, find that machine on the Network-Wide > Clients page. Check the box to the left of its device name, and use the Apply policy dropdown to allow list that machine.

If a specific device should be added to the allow list but has not yet connected to the SSID, add the device on the Network-Wide > Clients page. Select Add clients on the right to add it to the clients list by MAC address, then add the client to the allow list.

Once the Fedora system connects with the Ethernet or WiFi profile, the cloned MAC address is used to request an IP address, and the captive portal loads. Enter the credentials needed and/or select the user agreement. The MAC address will then get authorized.

For a Linux laptop or iOS device that could work. This article addresses the issue when a device will not load the captive portal. Devices like the Nintendo Switch, PS4, and other gaming consoles do not always load the portal page and need a little help. A Fedora system can provide that help.

You can enable MAC address bypass authentication for terminals (such as printers) on which the 802.1X client software cannot be installed or used. After MAC address bypass authentication is configured, the device performs 802.1X authentication and starts the delay timer for MAC address bypass authentication. If 802.1X authentication has not succeeded when the delay timer expires, the device starts the MAC address authentication process for the user.

On an interface where MAC address bypass authentication is enabled, the order can be reversed for terminals that cannot run the 802.1X client software and require fast authentication: the device starts the MAC address authentication process first, and triggers 802.1X authentication only if MAC address authentication fails.
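The two orderings just described (802.1X first with fall-back to MAC authentication after the delay timer, as in the hybrid policy above, versus MAC authentication first with 802.1X only on failure) as a simulation. This is an added example, not vendor code; the timer value, the user store and the MAC list are constructed.

```python
"""Simulate the two orders described above: 802.1X first, falling back to MAC
authentication once the bypass delay timer expires (hybrid / MAC address bypass),
or MAC authentication first with 802.1X only if the MAC lookup fails. Added
example, not vendor code; the timer value, users and MAC list are constructed."""
from dataclasses import dataclass
from typing import List

MAB_DELAY_SECONDS = 30                 # assumed value of the MAC bypass delay timer
KNOWN_MACS = {"00:11:22:33:44:55"}     # constructed: e.g. a printer with no supplicant
DOT1X_USERS = {"alice": "correct-horse"}   # constructed RADIUS user store

@dataclass
class Device:
    mac: str
    supplicant: bool          # False: never answers EAP (printer, console, ...)
    username: str = ""
    password: str = ""

def dot1x_auth(dev: Device) -> str:
    """'no-eap' if the device never responds, else pass/fail on credentials."""
    if not dev.supplicant:
        return "no-eap"
    return "pass" if DOT1X_USERS.get(dev.username) == dev.password else "fail"

def mac_auth(dev: Device) -> str:
    """MAB never challenges for credentials: the MAC alone decides."""
    return "pass" if dev.mac in KNOWN_MACS else "fail"

def authenticate(dev: Device, order: str = "dot1x-first") -> List[str]:
    """Return the trace of steps taken; the last element is the decision."""
    trace: List[str] = []
    if order == "dot1x-first":
        r = dot1x_auth(dev)
        trace.append(f"802.1X:{r}")
        if r == "pass":
            return trace + ["allow"]
        # no EAP seen or 802.1X failed: wait out the delay timer, then try MAB
        trace.append(f"wait:{MAB_DELAY_SECONDS}s")
        r = mac_auth(dev)
        trace.append(f"MAB:{r}")
        return trace + ["allow" if r == "pass" else "deny"]
    if order == "mac-first":
        r = mac_auth(dev)
        trace.append(f"MAB:{r}")
        if r == "pass":
            return trace + ["allow"]
        r = dot1x_auth(dev)
        trace.append(f"802.1X:{r}")
        return trace + ["allow" if r == "pass" else "deny"]
    raise ValueError(f"unknown order {order}")
```

The traces show that a device presenting a listed MAC is allowed on MAB alone in either order, without ever proving a credential, which is why the thread above treats MAC filtering as a weak control.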
