damien1234

Sonicwall WLAN MAC Filter issue

I've got a Sonicwall NSA 240 running the most recent production OS.  I have 6 brand new sonicpoints.  I have created two WLANs named VAP-Secure & VAP-Guest.  All sonicpoints serve both WLANs.

I want to use a MAC address filter for access to VAP-Secure WLAN and deny that same list access to the Guest WLAN.  At the end of the day this would allow anyone except employees to connect to the Guest WLAN.

Unfortunately it looks like I can't have a separate ACL for each SSID.  It's either ONE allow and/or deny list for ALL SSIDs!  Am I right?

Is my only option for my Secure WLAN to create a group based on MAC addresses and simply deny access via a firewall?  How dumb is that?  People could still attach to the WLAN but they wouldn't be able to go anywhere.  I suppose it's better than nothing but is that really my only option?
digitap

damien1234

ASKER

Basically yes.  The networks work fine and they can't talk to each other.

It's just a best practice to use MAC filters for secure WLAN access.

So if I use an ALLOW ACL then no one could access the GUEST WLAN because they are not in the list.

I really need an ALLOW AND DENY ACL for each WLAN/SSID.  Unfortunately it looks like you get only one per Sonicpoint, which means any one ACL serves all SSIDs allowed by the Sonicpoint.  IMHO it's a fairly big limitation for this class of device.
OK. I see what you are talking about now. I have a client with VAP guest and corp. I looked through the settings and think I have an idea but I can't test without possibly bringing down my wireless network.

The idea: Since you have to assign VAP groups to a Sonicpoint provisioning profile and it's in the provisioning profile that you set the MAC filter, what if you created a VAP group that included your Guest and one that included your corp? Then, create a provisioning profile, one for each. This would allow you to set the MAC filter. Thoughts?

I understand why you'd want to set a MAC filter, though. It's annoying to have a corp user connect to the wireless and report they can't access network resources. You delete the connection, but they always connect back acting like they don't know why it's happening.
Seeing the benefit, I tried to implement my theory. I couldn't get the Guest wireless network to show up. My idea may not be possible. I've done some preliminary searches and I can't see anything that jumps out. Might be time for Sonicwall support to help.
Unless you figure it out and I configured something wrong.
Yeah, the provisioning profile only allows one group and the ACLs are applied to the entire group rather than any single VAP/SSID.

The only way I can see around this issue is to deploy one sonicpoint for each SSID then assign the ACLs based on sonicpoint... of course that completely defeats the purpose of VAPs.
I created two VAP groups, one for guest and one for corp, and tried to create two provisioning profiles. I believe that we can only have one VAP group per sonicpoint. As you say, you'd have to have a sonicpoint per.

It might be possible and support may have a lead.
ASKER CERTIFIED SOLUTION
damien1234

Indeed. I'd thought of the firewall rules myself, but that doesn't really get you anything either. They'd still be able to connect and still be UNABLE to access any network resources. Sigh...guess we'll wait. I'd created a support ticket myself. Guess I'll turn it into an enhancement request!
There is no solution.  See previous comment.