How do you use authentication as a Home user?

I use XG in my home, as many do apparently. While the enterprise class features are very nice to have, they sometimes create difficult situations for us non-corporate environments. I'm wondering how those of you in my shoes handle the authentication issue.

For background, I have two little kids just starting to get into computers. They each have tablets and one just got her first laptop. I have a computer illiterate wife who has a phone and tablet and a laptop and, well, another laptop she uses to do bookkeeping for a buddy's business. I have several devices myself... more than I care to admit. I also have some servers in a DMZ as well as a plethora of IOT devices and a network printer. The true clientless devices, I have no problem with. Static (or DHCP reservation) and they behave in the home as they do in the office... clientless things that do what they do and nothing more. It's the human users I struggle with.

In an ideal world, the XG authentication client would work perfectly every time, never get kicked off, and survive the never ending cycle of suspend and resume. In a super ideal world, I would be able to link multiple devices to a single user, through IP or MAC or even an installed client that just pinged XG with an identifier (not authentication). As long as I'm dreaming, it would be great to have a kids' (or wife's) laptop default to a clientless user linked to a real user that could be overridden with the authentication client when I need to log in and install shareware that's normally blocked from download.

But, this is not an ideal world and the unique use cases of the home user are so far off from the corporate environment that I do not expect Sophos to address these issues. It is more than awesome enough they have opened up the XG product to us non-paying people in the first place.

So, I wanted to start this discussion to see what others have done. Have you just gone clientless for everything? Do you use the authentication client and deal with the grumblings of family members who can't access the web because the little CAA icon went from orange to grey and they didn't notice? Do you just create some MAC or IP hosts and use those for rules?

Thanks in advance for any input, advice, or insight!

  • Gary,

    I use MAC Hosts for everything. Wife and 2 kids that each have phones/tablets/laptops, etc. A pile of streaming devices, cameras, and more. I have several pages of MAC Hosts and the list is starting to get difficult to manage. I wish they would implement MAC Host Groups. I have very few static IPs. Only devices like the media server or the NAS. User devices are all dynamic. It makes the reports difficult to follow, showing only IPs.

    It works pretty well. It always applies the right firewall rules as soon as I add a new MAC Host to the rule. You just need to be wary of shared devices that may have more internet access than you want the kids to have (Xbox or dad's tablet). I've been considering using authentication on shared/dad's devices so that they default to limited access, but get more when authenticated. Depending on the device, this may get difficult and the trouble of authenticating may not be worth it.

  • Rick Kressin said:

    I use MAC Hosts for everything.

    I currently set up MAC hosts as well, figuring that was marginally more secure than IP hosts. But, since you can't group MAC hosts I'm now looking again at IP. What drives me nuts is the lack of "coordination" in XG between the different MAC/IP/Client assignment screens. If I'm creating a static DHCP assignment to a MAC address in the DHCP screen, why can I not just check a box to have that assignment automatically create an associated host and/or clientless user? Instead I've got to navigate between three different screens to manage a single entity.

    And yes, reports (and the live dashboard screens) are near impossible to work with if you are trying to remember which device is which IP. I've been creating clientless users for every device just so I can read the reports, but (because of my gripe above about multiple screens) it is rather cumbersome trying to keep track of it all. And, what really stinks is that if you have a clientless user set up for the kids' laptop but then try to authenticate with CAA so you can install stuff they can't, the CAA won't work... XG doesn't let you register a real user to a device that's clientless. At least, I couldn't get it to work.

    Also, like you I run a guest network and need to keep my kids off of it. Something I'm looking at is keeping the guest AP open (no security) and then using the SMS integration with Guest Users to create temporary guest accounts. There are some really, really dirt-cheap SMS gateways out there that might cost you a few bucks a year for such a low volume or, if you have time to tinker, you can send 100 SMS a month for free with an Amazon AWS account and SNS.

    Anyway, thanks for sharing how you are handling this.

    Gary

  • Hi,

    I am not sure why you think MAC addressing is more secure than IP addressing. Both can be spoofed.

    I understand your frustration with the lack of linking between various functions. The XG network management is very limited, it might have fantastic application and web filtering features but the lack of other features makes it hard to manage.

    Please explain what you are trying to do with real users and clientless assignments? I don't have a need to use the various sign-in functions since my kids left home. I do have names assigned to clientless users though.

    Ian

  • Hi Ian,

    When I said "marginally more secure" I should have emphasized the "marginally" part. I suppose I think this way for two reasons. Primary among them is that my kids will figure out how to set a static IP before they will discover what a MAC even is, much less how to change one. Secondary is just basic identifier primacy. If you figure MAC is used to create the IP reservation in the DHCP server, then the MAC is ipso facto the top of the chain. But agreed, they can both be worked around with minimal effort by anyone with enough curiosity to explore their network configuration options.

    As for the whole real user vs clientless thing, it really boils down to the following use cases:

    • devices that are used by both adults and kids at different times of the day for different reasons.
    • tracking use across multiple devices for kids' surfing quota restrictions
    • aggregating reports by the actual user

    With clientless, I really can't do any of those. I need individual user identification, but the authentication client has its own set of issues. Namely that it doesn't always want to reconnect on devices that spend most of their time sleeping. Oh, and it isn't available in the Amazon app store for installation on the kids' Fire tablets.

    Anyway, I know there will be no perfect solution for home users. We're just not the target market for this product. So, mostly I'm just looking to see what everyone else does and hopefully uncover some useful nuggets I can incorporate into my own strategy.

    Thanks,

    Gary

  • Hi Gary,

    With shared machines you have a problem. If you tie a MAC to an IP and use clientless then assign the clientless to groups which have specific firewall rules that will improve your control. The kids would then have to put a static IP address in the range that you have allowed the adult machines to access. Of course there's always the hard solution of installing your own server with AD functions.

    Do not try and use IPv6, the XG is not ready even though it has IPv6 functions, they are very limited when compared to the IPv4 functions.

    Ian
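
An added illustration, not code from any poster and not using the XG API, of the bookkeeping this thread describes: Gary's point that the DHCP reservation, the MAC host and the clientless user for one device live on three separate screens, and Ian's caveat that the shared-machine scheme only holds as long as the MAC-to-IP tie does. The script cross-checks constructed sample entries for all three screens and, for an observed IP/MAC pair (as seen in an ARP table), reports which rule XG would apply via the clientless user and whether the MAC actually owns that IP. All MACs, IPs, user names and rule names are constructed.

```python
from collections import namedtuple

# Constructed sample data standing in for the three XG screens.
RESERVATIONS = {                        # DHCP screen: MAC -> reserved IP
    "aa:bb:cc:00:00:01": "192.168.1.21",    # kid's laptop
    "aa:bb:cc:00:00:02": "192.168.1.31",    # dad's tablet
    "aa:bb:cc:00:00:03": "192.168.1.41",    # media server, no clientless user
}
MAC_HOSTS = {                           # Hosts screen: host name -> MAC
    "kid-laptop": "aa:bb:cc:00:00:01",
    "dad-tablet": "aa:bb:cc:00:00:02",
    "old-phone":  "aa:bb:cc:00:00:09",      # stale host, reservation deleted
}
CLIENTLESS = {                          # Clientless users: IP -> (name, group)
    "192.168.1.21": ("kid1", "kids"),
    "192.168.1.31": ("dad", "adults"),
    "192.168.1.77": ("guest-tv", "iot"),    # user for an IP nobody reserves
}
GROUP_RULE = {"kids": "kids-web-rule", "adults": "full-access-rule",
              "iot": "iot-only-rule"}     # group -> firewall rule (constructed)

Finding = namedtuple("Finding", "kind subject")


def audit_inventory(reservations=RESERVATIONS, hosts=MAC_HOSTS,
                    clientless=CLIENTLESS):
    """List every entity on one screen that has no counterpart on the others."""
    findings = []
    for name, mac in hosts.items():
        if mac not in reservations:
            findings.append(Finding("host_without_reservation", name))
    for mac, ip in reservations.items():
        if mac not in hosts.values():
            findings.append(Finding("reservation_without_host", mac))
        if ip not in clientless:
            findings.append(Finding("reservation_without_clientless_user", ip))
    reserved_ips = set(reservations.values())
    for ip in clientless:
        if ip not in reserved_ips:
            findings.append(Finding("clientless_user_without_reservation", ip))
    return findings


def classify(ip, mac, reservations=RESERVATIONS, clientless=CLIENTLESS):
    """Return (rule applied by clientless-user IP, True if MAC is not the IP's owner).

    A mismatch is what a hand-set static IP on a shared machine looks like."""
    user = clientless.get(ip)
    rule = GROUP_RULE[user[1]] if user else "default-rule"
    owner = next((m for m, r in reservations.items() if r == ip), None)
    return rule, owner is not None and owner != mac
```

Running `audit_inventory()` on the sample data surfaces the stale host, the server with no clientless user and the orphaned guest user; `classify` on a pair taken from the ARP table shows when the rule XG applies belongs to a different device than the one holding the IP.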

  • Yeah, right now I'm grouping hosts into things like tablets, phones, IOT, routers, servers, etc. It's just those shared devices as you said. As for AD... even if I could hack STAS to work with OpenLDAP on Linux, I'm still stuck with countless Windows 10 Home machines and various other devices that don't know how to authenticate in that environment. I thought about it though!

    Thanks for the heads up about IPv6... I was actually about to start tinkering with that. Perhaps I'll push it further down the to-do list.

  • Hi Gary,

    The UTM has better IPv6 features than XG. I have a small UTM in front of one of my internet connections so I can better manage/understand IPv6 on the XG.

    I put the IoT into their own wifi group because of the lower security functions according to the experts.

    Ian

  • That's something I need to do... put the IOT into their own subnet isolated from the LAN. Glad you reminded me!