CAA to Prevent Internet Usage for Non Authenticated Users

If all users/devices on the network were using CAA, then I can see how using a firewall rule that would only allow matched known users access to the WAN from LAN. However, not all users on the network will be using CAA and we won't be using CAA on mobile phones on the network. What is a firewall rule strategy that would allow some users that are not using CAA to have Internet access at all times, but would still allow me to control Internet access times for users/devices that are using CAA?

Hi,

I would suggest you investigate clienteles users and groups. You would then create firfewall rules with match users (clienteles group). You also need to assign static IP addresses in the XG DHCP to make this work reliably.

Ian

I will give that a try. Alternatively, I guess I could have multiple LAN to WAN rules where one of them is LAN to WAN that matches known users and the other is LAN to WAN without matches known users checked, and also has exclusions for certain MAC IDs that I want to match on the first LAN to WAN match known users rule. Hopefully, clientless group will do the trick instead.

Hi Patrick,

if you want control of access to specific rules then you will need to use matched user groups. Your car users can be in a group.

ian

With Clientless Users and Groups, is it possible to still enforce Surfing quota, Access time and Network traffic? Under Authentication, Groups, when I create a Clientless group, I lose the ability to configure Surfing quota, Access time and Network traffic options.

Hi Patrick,

you can apply time policies to the firewall rule.

ian

Hi Patrick,

you can apply time policies to the firewall rule.

ian