Back to Airport Tab Up to Airport Index Next

The Access Control Tab

Access control is another feature which will, in theory,
reduce the chances of uninvited guests on your wireless network.

Access Control is another means of keeping casual hackers out of your network. It works by only allowing machines you explicitly specify to connect to your base station. By default, this feature is turned off.

The way that you specify what machine may connect is the so-called MAC address. In theory, there is a unique MAC address for every network device out there, be it ethernet, wireless, etc. Typically, the MAC address will be printed on the device or you can discover it via software.

For example, on base stations, the MAC addresses can be found printed on the underside. On Apple laptops that come with pre-installed internal Airport network cards, Apple typically prints the information inside the battery compartment. However, fear not! The Airport application in OS 9 or the Network Control Panel in OS X also give you that information, so no need to despair!

The MAC address can be identified by a series of hexadecimal numbers that are grouped in two's... Something like 00:30:AB:0A:89:01. In the OS 9 Airport Application, the number is displayed at the bottom of the window. In OS X, open the Network control panel, click on the Airport Tab, and look for the "Airport ID" at the bottom of the TCP/IP page.

Airport Base Station Admin Utility - Access Control Tab

Now that you know how to find the MAC address, here is how you tighten security a little bit with Access Control: First, compile a list of MAC Addresses/Airport IDs you want to allow to access your network. Thankfully, Apple also allows you to assign a name for each access point. Thus, you can sort and identify MAC addresses not only by the hexadecimal number combination but by the name of the user.

Then, enter all the information into this panel using the "Add" button. Note however, that every user will now be required to be listed here or they won't be able to connect. That is, everyone who is not on the list is automatically disallowed. For network administrators, Apple added a neat feature, whereby they can save all the Access Control data and then "Import" it into all the machines on their network. That way, they only have to enter the data once.

In fact, with a RADIUS server, you can not only enable LEAP/WPA encryption and keep the wireless connections secure but also centralize the list of admissible MAC addresses across an entire enterprise. Thus, if you own a RADIUS server, here is your chance to reduce your maintenance headaches. Just enter the necessary data and the ABS should be secure. The rest of us can leave the RADIUS setting on "Not used".

Before we start singing the praises of the enhanced security through Access Control, remember that the "protection" it affords will only keep out casual hackers. Unfortunately, many operating systems allow their users to change the MAC addresses that their network devices transmit. This is a process called "spoofing" and given enough time and network traffic, a hacker will find the combinations that you have left enabled. Thus, access control is pretty useless in the face of determined hackers, sorry!

Click here for Apple's article on Access Control

Unless you're using WDS, You can now hit the "Update" button, watch the ABS status lights do their dance, and start enjoying your ABS. Just don't interrupt it while it is updating its settings or starting back up. Otherwise, you risk creating a paperweight. Folks who use WDS can continue here. Cheers!