Sonicwall WLAN MAC Filter issue

damien1234 asked:
I've got a SonicWall NSA 240 running the most recent production OS. I have 6 brand new SonicPoints. I have created two WLANs named VAP-Secure & VAP-Guest. All SonicPoints serve both WLANs.

I want to use a MAC address filter for access to the VAP-Secure WLAN and deny that same list access to the Guest WLAN. At the end of the day this would allow anyone except employees to connect to the Guest WLAN.

Unfortunately it looks like I can't have a separate ACL for each SSID. It's either ONE allow and/or deny list for ALL SSIDs! Am I right?

Is my only option for my Secure WLAN to create a group based on MAC addresses and simply deny access via a firewall? How dumb is that? People could still attach to the WLAN but they wouldn't be able to go anywhere. I suppose it's better than nothing, but is that really my only option?
Top Expert 2010 commented:

Author commented:
Basically yes. The networks work fine and they can't talk to each other.

It's just a best practice to use MAC filters for secure WLAN access.

So if I use an ALLOW ACL then no one could access the GUEST WLAN because they are not in the list.

I really need an ALLOW AND DENY ACL for each WLAN/SSID. Unfortunately it looks like you get only one per SonicPoint, which means any one ACL serves all SSIDs allowed by the SonicPoint. IMHO it's a fairly big limitation for this class of device.
Top Expert 2010 commented:
OK. I see what you are talking about now. I have a client with VAP guest and corp. I looked through the settings and think I have an idea, but I can't test without possibly bringing down my wireless network.

The idea: since you have to assign VAP groups to a SonicPoint provisioning profile, and it's in the provisioning profile that you set the MAC filter, what if you created a VAP group that included your Guest and one that included your corp? Then create a provisioning profile for each. This would allow you to set the MAC filter. Thoughts?

I understand why you'd want to set a MAC filter, though. It's annoying to have a corp user connect to the wireless and report they can't access network resources. You delete the connection, but they always connect back, acting like they don't know why it's happening.
Top Expert 2010 commented:
Seeing the benefit, I tried to implement my theory. I could not get the Guest wireless network to show up. My idea may not be possible. I've done some preliminary searches and I can't see anything that jumps out. Might be time for SonicWall support to help.
Top Expert 2010 commented:
Unless you figure it out and I configured something wrong.

Author commented:
Yeah, the provisioning profile only allows one group, and the ACLs are applied to the entire group rather than any single VAP/SSID.

The only way I can see around this issue is to deploy one SonicPoint for each SSID and then assign the ACLs based on SonicPoint... of course that completely defeats the purpose of VAPs.
Top Expert 2010 commented:
I created two VAP groups, one for guest and one for corp, and tried to create two provisioning profiles. I believe that we can only have one VAP group per SonicPoint. As you say, you'd have to have a SonicPoint per SSID.

It might be possible and support may have a lead.
The official SonicWall support response:

Thank you for updating us on this feature request. As of now it is not supported, but it will be introduced soon. As you have mentioned, there is always the option to restrict the traffic using a firewall access rule. Also, users/intruders cannot connect to the wireless network without the wireless key.

Gotta love tech support from halfway around the globe....
Top Expert 2010 commented:
Indeed. I'd thought of the firewall rules myself, but that doesn't really get you anything either. They'd still be able to connect and still be UNABLE to access any network resources. Sigh...guess we'll wait. I'd created a support ticket myself. Guess I'll turn it into an enhancement request!

Author commented:
There is no solution.  See previous comment.
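Since the thread ends without a per-SSID MAC filter on the device, the following is an added example (not from the thread, and not SonicWall code) of the policy the asker wanted, expressed outside the firewall: an allow list on VAP-Secure and the same MAC set as a deny list on VAP-Guest, evaluated against station association log lines. The log line format, the AP names and the employee MAC addresses are all assumed and constructed for the example. It normalizes the MAC formats that show up in practice (dash-, colon-, dot-separated and bare hex) before comparing, which is a common source of "the filter doesn't match" surprises when lists are hand-maintained.

```python
import re

def normalize_mac(mac: str) -> str:
    """Canonicalize 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aabbccddeeff'
    to 'aa:bb:cc:dd:ee:ff' so list membership does not depend on formatting."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

# Constructed employee MAC list (assumption; not from the thread).
EMPLOYEE_MACS = {normalize_mac(m) for m in ["00:11:22:33:44:55", "00-11-22-33-44-66"]}

# The per-SSID policy the thread asks for. A single SonicPoint-wide ACL cannot
# express both rules at once, so this script checks the policy after the fact.
POLICY = {
    "VAP-Secure": ("allow", EMPLOYEE_MACS),  # only listed MACs may associate
    "VAP-Guest": ("deny", EMPLOYEE_MACS),    # listed MACs must not associate
}

def is_permitted(ssid: str, mac: str):
    """Return True/False under POLICY, or None if the SSID has no rule."""
    rule = POLICY.get(ssid)
    if rule is None:
        return None
    mode, macs = rule
    listed = normalize_mac(mac) in macs
    return listed if mode == "allow" else not listed

# Constructed, syslog-style association events (assumed format, not a real
# SonicOS log layout). Only 'event=assoc' lines are evaluated.
LOG_LINES = [
    "Jan  5 09:12:01 nsa240 ap=SP-01 ssid=VAP-Secure sta=00:11:22:33:44:55 event=assoc",
    "Jan  5 09:12:07 nsa240 ap=SP-03 ssid=VAP-Guest sta=00-11-22-33-44-66 event=assoc",
    "Jan  5 09:13:42 nsa240 ap=SP-02 ssid=VAP-Secure sta=AA:BB:CC:DD:EE:FF event=assoc",
    "Jan  5 09:14:10 nsa240 ap=SP-02 ssid=VAP-Guest sta=aabb.ccdd.eeff event=assoc",
    "Jan  5 09:15:33 nsa240 ap=SP-01 ssid=VAP-Secure sta=00:11:22:33:44:55 event=disassoc",
]

LOG_RE = re.compile(
    r"ssid=(?P<ssid>\S+)\s+sta=(?P<mac>[0-9A-Fa-f:.\-]+)\s+event=(?P<event>\w+)"
)

def find_violations(lines):
    """Return (ssid, mac) for every association that the per-SSID policy forbids:
    an employee device on the guest VAP, or an unlisted device on the secure VAP."""
    violations = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["event"] != "assoc":
            continue
        if is_permitted(m["ssid"], m["mac"]) is False:
            violations.append((m["ssid"], normalize_mac(m["mac"])))
    return violations

if __name__ == "__main__":
    for ssid, mac in find_violations(LOG_LINES):
        print(f"policy violation: {mac} associated to {ssid}")
```

On the constructed input this reports the employee laptop that joined VAP-Guest and the unknown station on VAP-Secure, which is the list an admin would use to chase down the "I connected but can't reach anything" reports from the thread. Keep in mind that a MAC list is a convenience control only: any station in range can copy an employee MAC, so the WPA key (as SonicWall support notes) or 802.1X remains the actual access control, and a firewall rule on the guest zone is what stops traffic.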
