Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Assigning a local user based on MAC address


Hopefully I can explain myself fully.

I have the TZ470 and I want to make use of the content filtering. My initial idea was to have a number of Virtual Access Points and then to have different devices connect to a relevant network and apply the CF based on that - but that feels like a nightmare to administrate and I want to make use of a single WIFI network and identify who is connecting based on the user. This is fine for devices but doesn't work so well for TVs and speakers. Is there a way to have users allocated to a MAC address? My current thinking is to have 2 separate wifi networks but would prefer to have just the one. I hope this ramble makes sense!


Category: Entry Level Firewalls


  • BWCBWC Cybersecurity Overlord ✭✭✭

    @MattHooper you could create Address Objects of type MAC for the devices with no authenticated users (if we're talking SSO or Web Authentcation?). Then just create a new CFS rule for this group of Address Objects with the needed CFS Policy and have this Rule above your CFS Rule requiering Authentication.

    If you're using SSO (which I assume) you could assign a static User for unauthenticated sessions and having this user assigned to your CFS Policy, that might work as well.


  • MattHooperMattHooper Newbie ✭

    Thanks @BWC - I did create Address Objects using the MAC address - and that was my intention but I created an access rule with the following:

    Source: WLAN / Any / Any

    Destination: WAN / Any / Any

    User: Include Trusted Users / Exclude None

    But the TV etc is unauthenticated so doesn't work.

    But as I type this, I could statically assign those devices and ensure they are outside the DHCP range and for the source use the following:

    WLAN / DHCP Range / Any

    Would that work?

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @MattHooper if you're non authenticated devices getting static IPs would be probably the best approach. Not sure if this possible, but it's not a requirement.

    The Access Rule for your authenticated users looks good to me, for the non authenticated devices I would use the mentioned Address Objects and put them in a Group called Bypass SSO. On the SSO Enforcment settings you can add this group as a Bypass.

    Additionally you need a 2nd Access Rule allowing this Bypass SSO Group the required services from WLAN to WAN, you have to put this bypass rule before the authentication rule.

    This should do the job.


Sign In or Register to comment.