MAC Authentication Bug in router firmware version 20.19.8
APD2
Enthusiast - Level 2

Since having FIOS installed a little more than a year ago, I have used MAC address authentication (filtering) in the FIOS router on my premises to limit wireless access to only the two computers in my home.  While trying to diagnose an Internet access problem on January 17, Verizon tech support updated the router firmware to version 20.19.8 (Jul 2 2011).  Since that time, I haven't been able to add more than one MAC address to the ACL (list of accepted MAC addresses).  The configuration page appears to put two or three addresses in the list when I ask it to, but if I revisit the list after applying the change, only the first address in the list is still there.

I tried to report this to Verizon tech support, but was told that MAC authentication is an "advanced" feature and is supported only for customers who buy "expert" tech support.  I'm not anxious to pay extra for the privilege of telling Verizon that they have a bug.  Anybody have any suggestions?  Is there a way I can report this bug to Verizon without being stonewalled by tech support?

Re: MAC Authentication Bug in router firmware version 20.19.8
jackmcgann
Specialist - Level 1

@APD wrote:

I tried to report this to Verizon tech support, but was told that MAC authentication is an "advanced" feature and is supported only for customers who buy "expert" tech support.


This wasn't tech support. This was "predatory" marketing. They were trying to upsell you to another level of support. MAC address filtering is basic, not advanced, and to tell the truth, not even as secure as WPA security. Shame on them.

Re: MAC Authentication Bug in router firmware version 20.19.8
jumpin68ny
Master - Level 2

I must ask the question, why do you want to use MAC authentication?  MAC authentication is worse than WEP.  It doesn't take much for anyone to spoof a MAC address.

Why not use WPA instead?  What makes WPA a better choice is it's more secure than MAC auth or WEP and you can select your own passcode to use to connect devices onto your wireless LAN.  Also, with WPA if anyone sniffs the wireless network that traffic is not readable by anyone with a sniffer; with MAC authentication anyone can view it.

Jim

0 Likes
Re: MAC Authentication Bug in router firmware version 20.19.8
PistolPete13
Enthusiast - Level 3

I could be completely wrong here but doesn't MAC authentication work in conjunction with WPA/WEP?  In other words, if your MAC address isn't in the defined router list, you are stopped cold from connecting to the wireless access point and don't even get to authenticate.

Sure it's easy to spoof a MAC, but it'll be one extra step to crack before attempting to crack the WPA encryption.

I always thought the most locked down configuration would be:

1. Restrict to 802.11 b/g/n mode (depending on your adapter)

2. No SSID broadcast

3. MAC authentication

4. WPA2 encryption

0 Likes
Re: MAC Authentication Bug in router firmware version 20.19.8
PistolPete13
Enthusiast - Level 3

To the original poster.  I assume Verizon has asked you to do a complete router reset to see if that works, right?

Looking at my VZ router (40.19.22), I see an option under the advanced settings to do a Firmware Restore.  Hopefully when the FW was upgraded, the old copy was kept as backup.

If this is indeed a firmware bug, the only option is to back out one revision.

Hard to believe such a basic feature will get mangled but I've seen worse things happen during upgrades.

Good luck.

0 Likes
Re: MAC Authentication Bug in router firmware version 20.19.8
jumpin68ny
Master - Level 2

PistolPete

1. Restrict to 802.11 b/g/n mode (depending on your adapter)

Not sure what that buys you.  Most adapters today support G which is backwards compatible with B.  The adapter can detect the radio type and adjust accordingly.  Personally I lock mine to G since I want all my devices to connect at the fastest speed.

2. No SSID broadcast

No SSID broadcast prevents the teenage hacker.  Any simple wireless tool will detect the wireless LAN.  If someone wants in to your network they can hack in even with SSID no broadcast.

3. MAC authentication

It's a poor method of authentication. I have not done this but if you turn WEP authentication on then turn off WEP authentication you can still add MAC authentication without the need for WEP/WPA.  In conjunction with WPA sure, just don't see what it buys you since you only give out the pre-shared key from WPA to devices you know about.  Certainly doesn't hurt to have this.  I'm not aware if it adds any overhead to the wireless, probably not.

4. WPA2 encryption

WPA2 is the best available.  AES is better than TKIP.

Re: MAC Authentication Bug in router firmware version 20.19.8
APD2
Enthusiast - Level 2

Hi PistolPete13. I hadn't noticed the firmware option under "Advanced," or at least I had forgotten it.  On my router, there's only "firmware Upgrade," not "Firmware Restore."  I could use this to restore the firmware from a file, but I see no way to save the current firmware from the router, and even if there were, it's too late now.  The only firmware I can find for download is the latest version.  I've saved a copy of it in case things get worse in a future version, but for now I don't think I can revert.

Meanwhile, I'm attempting an end run around Verizon tech support by sending an e-mail directly to ActionTec tech support.  I think they're the OEM for Verizon's firmware.  Maybe they'll take pity on me and fix the bug.

0 Likes
Re: MAC Authentication Bug in router firmware version 20.19.8
smith6612
Community Leader

Don't use WPA2 with TKIP. There's really no point as you're defeating the reason why WPA2 is seen as secure. TKIP is easier to crack over AES. Also, most devices will operate much faster with a stronger, AES encryption than TKIP. This is especially true with N-Spec compliant devices.

MAC addresses are sent to the Access Points out in the clear. They can be spoofed with anyone running Wireshark on a Wireless card set to listen in on all traffic it can receive. Pretty easy to grab it as the MAC is sent in the clear during initial association before the Encryption kicks in. Once the data's encrypted it's a little harder to get the MAC, but either way, if they get a way to decrypt the Wireless key, getting the MAC address is a piece of cake.

0 Likes
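
Added example, not part of the post above or of any poster's code: a parser for the 802.11 MAC header of a constructed data frame, showing that the source MAC stays readable even when the Protected Frame bit marks the payload as encrypted, and that this cleartext value is all a MAC ACL compares. The sample frame, its addresses and the `acl_permits` helper are constructed for illustration.

```python
import struct

# Constructed sample: an 802.11 data frame from a station to its access point.
# All addresses use the locally administered 02:... prefix and are made up.
SAMPLE_FRAME = bytes.fromhex(
    "0841"                # Frame Control: type=data, ToDS=1, Protected Frame=1
    "0000"                # Duration
    "020000aabb01"        # Address 1: BSSID (the access point)
    "020000000010"        # Address 2: source (the client's MAC)
    "020000aabb01"        # Address 3: destination
    "1000"                # Sequence control
    "0100002000000000"    # CCMP header (constructed)
    "9f3c1a77e2b4d05566"  # ciphertext stand-in (constructed)
)

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_data_header(frame: bytes) -> dict:
    """Read the 24-byte MAC header, which link-layer encryption does not cover."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 MAC header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    if to_ds and from_ds:
        raise ValueError("4-address frames are not handled here")
    a1, a2, a3 = (fmt_mac(frame[i:i + 6]) for i in (4, 10, 16))
    # Which address slot holds which role depends on the ToDS/FromDS bits.
    if to_ds:
        bssid, src, dst = a1, a2, a3
    elif from_ds:
        dst, bssid, src = a1, a2, a3
    else:
        dst, src, bssid = a1, a2, a3
    return {"protected": bool(fc & 0x4000), "bssid": bssid, "source": src,
            "destination": dst, "encrypted_bytes": len(frame) - 24}

def acl_permits(header: dict, acl: set) -> bool:
    """A MAC filter's whole decision: is the cleartext source address listed?"""
    return header["source"] in acl

if __name__ == "__main__":
    hdr = parse_data_header(SAMPLE_FRAME)
    print(hdr)
    print("ACL permits:", acl_permits(hdr, {"02:00:00:00:00:10"}))
```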
Re: MAC Authentication Bug in router firmware version 20.19.8
APD2
Enthusiast - Level 2

ActionTec tech support replied almost immediately to my e-mail.  Their response is that the router allows MAC filtering to be configured only from a wired connection, not a wireless one.  I doubted this, since I've had no trouble in the past configuring MAC filtering from a wireless connection, and even now I can do so as long as I don't try to put more than one MAC address in the ACL.  However, we dutifully hauled a computer down to the basement and reconfigured it with a wired Ethernet connection to the Verizon router.  Lo and behold, in this configuration we could put two MAC addresses in the ACL without problem.  Being on a wired connection does make a difference!

So, based on my experience, it seems that MAC filtering can be turned on or off and a single MAC address can be placed in the ACL from a wireless connection, but to put more than one MAC address in the ACL requires a wired connection to the router.  This seems weird to me, but it's hard for me to imagine them doing this by accident.  They must have designed it this way on purpose.

Anyway, I now have the MAC authentication configuration back the way I want it.  I should be OK until the next time FIOS fails and Verizon makes me do a factory reset on the router before they'll believe the problem is at their end.

And I'll look into WPA, since the consensus of those posting here is that it's stronger than WEP, which is what I've been using.

Re: MAC Authentication Bug in router firmware version 20.19.8
jumpin68ny
Master - Level 2

Don't use WPA2 with TKIP. There's really no point as you're defeating the reason why WPA2 is seen as secure.

-------------------------------------------

WEP, WPA, WPA2, 802.1X etc. and I will even add MAC Address are methods for authenticating.


TKIP and AES are the ways the traffic is encrypted.  Traffic that is encrypted cannot be read by a sniffer.

In a public hotspot that is open there is no encryption and thus anyone in the area can watch your traffic using a sniffer.

0 Likes