Since DHCP is far more common than static addressing in most networks, it is sometimes difficult to predict the IP address of dynamically configured hosts, particularly in the absence of dynamic DNS updates or reliable hostnames. In these situations, it is possible to use MAC address objects to control a host’s access by its relatively immutable MAC (hardware) address.
Like most other methods of access control, this can be employed either inclusively, for example, to deny access to/for a specific host or group of hosts, or exclusively, where only a specific host or group of hosts is granted access and all others are denied. This example illustrates the latter.
Example
Assume you have a set of DHCP-enabled wireless clients running a proprietary operating system that precludes any type of user-level authentication, and that you want to allow these clients to access only an application-specific server (for example, 10.50.165.2) on your LAN. The WLAN segment uses WPA-PSK for security. This set of clients should have access to the 10.50.165.2 server but to no other LAN resources. All other wireless clients should not be able to access the 10.50.165.2 server, but should have unrestricted access everywhere else.
To control a dynamic host's network access by MAC address for the above example:
Create MAC Address Objects.
Click the Add icon and create the following MAC address objects (multi-homing is optional).
Once created, if the hosts are present in the firewall's ARP cache, the objects are resolved immediately; otherwise they appear in an unresolved state in the Address Objects table until the hosts become active and are discovered through ARP.
Create an Access Rule or a Security Policy.
Classic Mode: Create an access rule on the POLICY | Rules and Policies > Access Rules page. For more information, refer to Configuring Access Rules section in SonicOS 7.1 Rules and Policies Administration Guide for Classic Mode.
Policy Mode: Create a security policy on the POLICY | Rules and Policies > Security Policy page. For more information, refer to Security Policy section in SonicOS 7.1 Rules and Policies Administration Guide for Policy Mode.
| Setting | Access Rule 1 | Access Rule 2 | Access Rule 3 | Access Rule 4 |
|---|---|---|---|---|
| Allow / Deny | Allow | Deny | Allow | Deny |
| From Zone | WLAN | WLAN | WLAN | WLAN |
| To Zone | LAN | LAN | LAN | LAN |
| Service | MediaMoose Services | MediaMoose Services | Any | Any |
| Source | Handheld Devices | Any | Handheld Devices | Any |
| Destination | 10.50.165.2 | 10.50.165.2 | Any | Any |
| Users allowed | All | All | All | All |
| Schedule | Always on | Always on | Always on | Always on |
The MediaMoose Services service object represents the specific application used by the handheld devices. Declaring a specific service is optional; use one only where the application requires it.
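As an added example (not code from the SonicOS guide), the following Python model walks the four rules above with first-match evaluation, resolving the Handheld Devices MAC address object through an ARP cache as described in step 1. The MAC addresses, ARP entries and WLAN client IPs are constructed; only 10.50.165.2 comes from the example.

```python
from dataclasses import dataclass

SERVER = "10.50.165.2"
MEDIAMOOSE = "MediaMoose Services"

# Constructed sample data: MACs in the "Handheld Devices" object group and
# the firewall's current ARP cache. The second handheld has not ARPed yet,
# so its object entry is still unresolved.
HANDHELD_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
ARP_CACHE = {"00:11:22:33:44:55": "10.50.170.20",   # resolved handheld
             "aa:bb:cc:dd:ee:ff": "10.50.170.21"}   # some other WLAN client

@dataclass
class Rule:
    action: str       # "Allow" or "Deny"
    service: str      # MEDIAMOOSE or "Any"
    source: str       # "Handheld Devices" (the MAC object) or "Any"
    destination: str  # an IP such as SERVER, or "Any"

# The four WLAN -> LAN rules from the table above, in evaluation order.
RULES = [Rule("Allow", MEDIAMOOSE, "Handheld Devices", SERVER),
         Rule("Deny",  MEDIAMOOSE, "Any",              SERVER),
         Rule("Allow", "Any",      "Handheld Devices", "Any"),
         Rule("Deny",  "Any",      "Any",              "Any")]

def resolve_mac_object(macs, arp_cache):
    """A MAC address object only covers the IPs its members have been seen
    with in ARP; members not yet in the cache contribute nothing."""
    return {arp_cache[m] for m in macs if m in arp_cache}

def rule_matches(rule, src_ip, dst_ip, service, handheld_ips):
    src_ok = rule.source == "Any" or src_ip in handheld_ips
    dst_ok = rule.destination == "Any" or dst_ip == rule.destination
    svc_ok = rule.service == "Any" or service == rule.service
    return src_ok and dst_ok and svc_ok

def decide(src_ip, dst_ip, service, rules=RULES, arp_cache=ARP_CACHE):
    """First-match evaluation, as the firewall walks the rule list."""
    handheld_ips = resolve_mac_object(HANDHELD_MACS, arp_cache)
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, service, handheld_ips):
            return rule.action
    return "Deny"  # nothing matched; treat as denied

if __name__ == "__main__":
    print(decide("10.50.170.20", SERVER, MEDIAMOOSE))  # Allow (rule 1)
    print(decide("10.50.170.21", SERVER, MEDIAMOOSE))  # Deny  (rule 2)
    # The unresolved handheld got 10.50.170.22 from DHCP: until ARP learns
    # its MAC the object does not cover that IP, so rule 2 denies it.
    print(decide("10.50.170.22", SERVER, MEDIAMOOSE))  # Deny  (rule 2)
```

Re-running `decide` with the second handheld's MAC added to `arp_cache` flips the last case to Allow, which is the resolution behaviour step 1 describes.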