Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Anyone got MAC filtering to work at the AP level?

LitBobOnLitBobOn Newbie ✭

I'm trying to deny a MAC to specific SonicWAVE 231c access points but it's not working. I've created the MAC object, I've put it in a new object group, I've chosen the group in the 2.4 Radio Basic settings page under Deny List, yet the clients keeps showing up on AP's with the filtering.

I've opened a ticket asked an engineer for help and trying to get it escalated. He's saying it's not possible yet the setting is right there on the page.

He wanted me to do mac exclusions on the SSID profile. Huh? The client is programmed to connect to one SSID. That's when I said, please escalate.

Waiting for a call back.

Category: SonicWave
Reply

Answers

  • MitatOngeMitatOnge Cybersecurity Overlord ✭✭✭

    Hi @LitBobOn


    What is your sonicwall firewall Version?

    and VAP topolgy? do you use Sonicwall Hotspot or external authantication system? can you share screenshot

  • LitBobOnLitBobOn Newbie ✭

    Hi, It's on 7.01xxx, latest with a hotfix to cure random reboots.

    They have 8 VAP objects on one VAP profile and one SonicWAVE profile.

    Within each AP setting is the option to do mac filtering, and so I either create a group or use the Default Deny group. Either way the address object (mac, tied to on the specific wireless VLAN) it is ignored and the device will still connect to that AP.

    Best practices... well, I shouldn't do it this way and I should instead adjust channels and power. I get that but the option is there in settings of each AP. Like many things by SonicWALL we have no whitepaper to explain how it was intended to be used. My guess is it was not intended to be used by AP's in a VAP group.

  • MitatOngeMitatOnge Cybersecurity Overlord ✭✭✭

    there are a few options for this.

    1) Device/ Access Points/ Settings/ AccessPoint Provisining Profiles/ ACL settings.

    2) Each Access Point Objects / submenu ACL settings for each Radio. .

    3) Device/Access Points/Virtual Access Point/ VAP ACCESS POINT object/ each Object ACL settings

    4) Device/Access Points/Virtual Access Point/ VAP ACCESS POINT Profiles/ ACL settings

    5) For security you can use "DYNAMIC VLAN ID ASSIGNMENT" via radius eap authantication.

    6) my suggestion is to test step by step only on one accesspoint. and check ACL Global enable and disable.


    If you have radius server, assign authantication profile via dynamic vlan id and assign blocked zone (zombi zone for unauthanticated mac) best option.

  • LitBobOnLitBobOn Newbie ✭

    My understanding is if you use ACL's it will not stop the device from connecting it will just not be able to pass traffic.

Sign In or Register to comment.