Connectivity Issues with TP-Link AX90: Hidden SSID and Access Control Conflict

I recently upgraded my home network with the TP-Link AX90 router. To enhance security, I enabled two features: hiding the SSID and implementing an Access Control whitelist.

Hiding the SSID prevented my Wi-Fi network's name from being publicly broadcasted, adding an extra layer of security by reducing visibility to potential intruders.

The Access Control whitelist allowed me to specify trusted devices that were granted permission to connect to my network.

Initially, everything seemed to work perfectly. The devices listed in the Access Control whitelist connected seamlessly to the Wi-Fi network. However, I encountered a problem when one of these trusted devices was disconnected and tried to reconnect.

To my surprise, the device couldn't establish a connection. I attempted various solutions, such as changing Wi-Fi channels and forgetting/reconnecting to the network, but the issue persisted.

Eventually, I reached out to TP-Link Support for assistance. After troubleshooting and investigation, the support team informed me that the simultaneous use of the hidden SSID and Access Control whitelist features was the cause of the problem. They explained the technical reasons behind this conflict, shedding light on the intricacies of Wi-Fi client connections when the SSID is hidden.

When connecting to a hidden SSID, Wi-Fi clients go through two stages:

1. Probe Request: The client sends out messages to detect surrounding Wi-Fi network information. To protect user privacy, mobile device manufacturers use randomized MAC addresses during this stage. This prevents the leakage of private information while probing for networks, and it has become a standard practice for Wi-Fi-enabled devices.
2. Connection: When a device attempts to connect to a specific Wi-Fi access point, it can utilize a randomly generated virtual MAC address. This further conceals the device's identity and provides an additional layer of privacy.

Users have some control over their device's behavior during the connection stage. For example, on Android devices, users can choose whether to use a randomized MAC or the device's MAC address when connecting to a new Wi-Fi network. They can also disable the use of randomized MAC addresses through the Wi-Fi settings.

However, enabling both the hidden SSID and Access Control whitelist on the TP-Link router creates a conflict. Devices already connected and listed in the whitelist can maintain their connection because they have disabled the use of randomized MAC addresses during the connection stage. However, if any of these devices forget the network and attempt to reconnect, they are unable to do so. This is because during the Probe Request stage, these devices use a randomized MAC address that the router does not recognize. With Access Control whitelist enabled, the router simply ignores Probe Requests from devices not on the list. Since the randomized MAC address cannot be disabled during the Probe Request stage on the client's side, the router does not respond to the scanning process.

Though disappointed by this limitation, I appreciated the support provided by TP-Link. With their guidance, I made an informed decision to use only the Access Control whitelist feature and stop hiding the SSID. By doing so, I ensured that my trusted devices could seamlessly reconnect to the Wi-Fi network, providing uninterrupted internet access.

Hope it helps for other users!