
How do you use authentication as a Home user?

I use XG in my home, as many do apparently. While the enterprise class features are very nice to have, they sometimes create difficult situations for us non-corporate environments. I'm wondering how those of you in my shoes handle the authentication issue.

For background, I have two little kids just starting to get into computers. They each have tablets and one just got her first laptop. I have a computer-illiterate wife who has a phone and tablet and a laptop and, well, another laptop she uses to do bookkeeping for a buddy's business. I have several devices myself... more than I care to admit. I also have some servers in a DMZ as well as a plethora of IoT devices and a network printer. The true clientless devices, I have no problem with. Static (or DHCP reservation) and they behave in the home as they do in the office... clientless things that do what they do and nothing more. It's the human users I struggle with.

In an ideal world, the XG authentication client would work perfectly every time, never get kicked off, and survive the never-ending cycle of suspend and resume. In a super ideal world, I would be able to link multiple devices to a single user, through IP or MAC or even an installed client that just pinged XG with an identifier (not authentication). As long as I'm dreaming, it would be great to have a kid's (or wife's) laptop default to a clientless user linked to a real user that could be overridden with the authentication client when I need to log in and install shareware that's normally blocked from download.

But, this is not an ideal world and the unique use cases of the home user are so far off from the corporate environment that I do not expect Sophos to address these issues. It is more than awesome enough they have opened up the XG product to us non-paying people in the first place.

So, I wanted to start this discussion to see what others have done. Have you just gone clientless for everything? Do you use the authentication client and deal with the grumblings of family members who can't access the web because the little CAA icon went from orange to grey and they didn't notice? Do you just create some MAC or IP hosts and use those for rules?

Thanks in advance for any input, advice, or insight!



  • Gary,

    I use MAC Hosts for everything.  Wife and 2 kids that each have phones/tablets/laptops, etc.  A pile of streaming devices, cameras, and more.  I have several pages of MAC Hosts and the list is starting to get difficult to manage.  I wish they would implement Mac Host Groups.  I have very few static ip's.  Only devices like the media server or the nas.  User devices are all dynamic.  It makes the reports difficult to follow, showing only ip's.

    It works pretty well.  It always applies the right firewall rules as soon as I add a new MAC Host to the rule.  You just need to be wary of shared devices that may have more internet access than you want the kids to have (xbox or dads tablet).  I've been considering using authentication on shared/dads devices so that they default to limited access, but get more when authenticated.  Depending on the device, this may get difficult and the trouble of authenticating may not be worth it.

  • Hi,

    you can use clientless users with static assigned IP addresses and they show in most reports. You can group clientless users into groups that you assign to firewall rules.

    Ian

  • Ian,

    Thanks for the tip.

    I wish I could take advantage of clientless users with static ip's.  I have two wireless networks and they each have their own dhcp range, managed by XG.  A home network for all our devices and a guest network.  If anyone in our family gets on the guest network, I want the same rules to apply like when it is in the home network.  My problem is that I can't add a static ip address for the same mac address in two different dhcp ranges.  XG enforces only one unique mac address across all dhcp ranges.  I could assign a static ip for a device in the home network, but then in the guest network, they would get an unknown ip address and that's where I lose my clientless user.

    Maybe there's another way around the issue.  I'd like to try clientless users.  I don't think it would be any more work to manage static ip's for all my devices versus managing mac hosts.  A clientless user linked to a mac address or a mac host would be ideal.

  • Hi Rick,

    you can use the same DHCP range across all SSIDs. I have a number of SSIDs and 1 LAN and use static IP addressing and clientless to ensure the same rules apply regardless of which SSID they use. Clientless and static IPs ensure that all devices behave themselves. Also I currently have two internet connections and can move devices around using the clientless entries.

    Ian

  • rfcat_vk said:

    you can use the same DHCP range across all SSIDs. 

    Can you possibly expand on how you work this? I also segregate my LAN and GST networks, but I do so using two different access points connected to two different network ports on XG with different subnets. How would you create an isolated GST network using the same DHCP range as on LAN that allows clients to have the same IP regardless of which SSID they connect to?

    Thanks!

    Gary