
Captive Portal fails when a machine is used by multiple users

Recently I have been testing the Captive Portal feature on Sophos XG Firewall (VM).

I have enabled Captive Portal on a LAN interface which is connected to a single MacBook that has multiple local profiles for different users.

However, I found out that when User A authenticated on the Captive Portal and then switched local accounts on the MacBook, surprisingly User B could re-use User A's authentication session to browse the internet without even needing to authenticate on the Captive Portal. I suspect the reason is that both local accounts on the MacBook receive the same IP address from DHCP on the Sophos firewall.

Is there any way to have both users authenticate separately even though they are using the same MacBook?



[edited by: Erick Jan at 12:09 AM (GMT -7) on 16 Sep 2022]
  • tim toa,

    the problem is not with the Mac but how the authentication works. In OSI layering, a User does not exist, so the Firewall and other devices build a table where an IP is associated with a User. So, once the XG knows the IP and requests authentication in some way, the table is filled up using the information IP and User. What you can do is to force the user to log out using the logout button or use the inactivity timeout under Authentication > Services. Take note that XG does not allow less than 3 minutes, which is too long if you consider how much time is required between logoff/login on Mac, Windows, etc...

    Regards

  • To be honest, the solutions seem not feasible

    1) use the inactivity timeout

    >>>> will never happen, because switching user only takes seconds, traffic will continue passing

    2) force the user to log out

    >>>> then the captive portal will be meaningless because users will easily hijack another session if they know this vulnerability

  • I know. I cannot say the opposite. I use CAA on Mac.

  • I thought using CAA was the best way to address this problem, but when I tried that out today it wasn't working as expected.

    The CAA just simply submits the username and password to the firewall. The second person can still hijack the session without authentication.

    Does anyone know how to solve this problem?

  • Under Authentication \ Services.
    Redirect to a URL after login should be checked.
    URL to redirect is the User requested URL
    Preserve captive portal after login is Yes
    Use keep alive to maintain user session is Enabled.
     
    On the client, make sure you are not blocking pop-ups (or have an exception that allows them from XG)

    Browse somewhere.
    You should get a captive portal login.
    Log in.
    It should open up a new tab with your destination.
    You should now have a tab to Captive Portal saying you are logged in, plus another to do your browsing.
    You should be able to browse.
    Close the captive portal tab.
    Try to browse - you should now be forced to log in again.
    Basically, your login will only last as long as that tab is open and there is a keepalive to the XG.
     
    Now try with the Mac.
    Have the captive portal currently logged in tab open.
    Switch users.
    Try to browse using new user.
     
    AFAIK because the previous tab (in the background user) is not doing a keep-alive it should think there is no current user and Captive Portal should appear.
     
    Note: This is what happens in Windows.  I've not tested on Mac.
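The two replies above describe the same mechanism from different angles: the firewall's table maps a source IP address to a user, not to a local account on the host, and the keepalive option ties the life of that entry to an open portal tab rather than to ordinary traffic. The following Python model is an added example, not Sophos code; the 60-second keepalive grace period and the constructed address 192.0.2.10 are assumptions, while the 3-minute inactivity floor comes from the thread.

```python
"""Toy model of an IP-keyed captive-portal authentication table.

Constructed illustration, not Sophos code. The firewall sees only packets, so
its table maps source IP -> authenticated user. Any traffic from that IP while
the entry is alive is attributed to that user, whichever local account sent it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

KEEPALIVE_GRACE = 60.0          # assumed: seconds without a keepalive before the entry is dropped
MIN_INACTIVITY_TIMEOUT = 180.0  # the 3-minute floor mentioned in the thread


@dataclass
class Entry:
    user: str
    last_refresh: float  # time of login, last traffic, or last keepalive


class AuthTable:
    def __init__(self, mode: str, inactivity_timeout: float = MIN_INACTIVITY_TIMEOUT):
        assert mode in ("inactivity", "keepalive")
        self.mode = mode
        self.inactivity_timeout = inactivity_timeout
        self.table: Dict[str, Entry] = {}

    def login(self, ip: str, user: str, now: float) -> None:
        # A second login from the same IP simply overwrites the entry.
        self.table[ip] = Entry(user, now)

    def logout(self, ip: str) -> None:
        # The logout button: the only action that removes the entry immediately.
        self.table.pop(ip, None)

    def keepalive(self, ip: str, now: float) -> None:
        # Sent by the open captive-portal tab; only meaningful in keepalive mode.
        if self.mode == "keepalive" and ip in self.table:
            self.table[ip].last_refresh = now

    def attribute(self, ip: str, now: float) -> Optional[str]:
        """Which user does the firewall charge this packet to? None means unauthenticated."""
        entry = self.table.get(ip)
        if entry is None:
            return None
        window = self.inactivity_timeout if self.mode == "inactivity" else KEEPALIVE_GRACE
        if now - entry.last_refresh > window:
            del self.table[ip]  # expired: the next request lands on the portal
            return None
        if self.mode == "inactivity":
            entry.last_refresh = now  # ordinary traffic keeps the session alive
        return entry.user


def shared_mac_scenario(mode: str, logout_before_switch: bool = False) -> List[Optional[str]]:
    """Alice logs in and walks away; at t=10 Bob fast-user-switches to his own
    local account on the same Mac (same DHCP lease, so same IP) and browses.
    Returns the user attributed to Bob's traffic at t=15 and at t=75."""
    ip = "192.0.2.10"  # constructed address
    fw = AuthTable(mode)
    fw.login(ip, "alice", now=0.0)
    fw.keepalive(ip, now=5.0)  # alice's portal tab pings while it is in the foreground
    if logout_before_switch:
        fw.logout(ip)
    seen = [fw.attribute(ip, now=15.0)]  # Bob's first request after the switch
    # Bob keeps browsing; alice's tab is backgrounded, so it sends no more keepalives.
    seen.append(fw.attribute(ip, now=75.0))
    return seen


if __name__ == "__main__":
    print("inactivity timeout only:", shared_mac_scenario("inactivity"))
    print("keepalive tab:          ", shared_mac_scenario("keepalive"))
    print("logout before switch:   ", shared_mac_scenario("keepalive", logout_before_switch=True))
```

The model reproduces what the thread observes: in both modes Bob's first requests are attributed to alice because a user switch finishes well inside any expiry window. With the inactivity timeout alone, Bob's own traffic then refreshes the entry and the session never ends; with the keepalive option the entry dies once the backgrounded tab stops pinging, which bounds the exposure but does not close it. Only an explicit logout before the switch removes the entry at once.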
  • Michael, Thanks for your help.

    Have the captive portal currently logged in tab open.
    Switch users.
    Try to browse using new user.
    >>>> that doesn't work, switch user won't terminate the session
     
    But anyway, preserving the captive portal page is a good short-term solution until I find another way. I will ask the users to log out before switching user on PC/Mac.
  • I've noticed that in v18 closing the captive portal with these settings will still allow the user to browse.  Is this a known bug?

    The user is not forced to log in again until the timeout.

    Even after a reboot of the machine the User is still authenticated and other users are able to browse with the previous user's profile.

  • Is there a way to have a logon script with the CAA so when the user logs in it will automatically update the credentials for the CAA session?

  • TexasRaptor said:

    I've noticed that in v18 closing the captive portal with these settings will still allow the user to browse.  Is this a known bug?

    The user is not forced to log in again until the timeout.

    Even after a reboot of the machine the User is still authenticated and other users are able to browse with the previous user's profile.

    In v18 we reorganized the configuration to make it clearer but the underlying functionality is the same.

     

    You can configure it many ways, one of which is the behavior you describe.  Other ways of configuring it have different behavior.  Not a bug if you configure it to do that.

    What is it that you want to achieve, and how do you have the options configured to do that? (Screenshots are helpful.)