
How do you use authentication as a Home user?

I use XG in my home, as many do apparently. While the enterprise class features are very nice to have, they sometimes create difficult situations for us non-corporate environments. I'm wondering how those of you in my shoes handle the authentication issue.

For background, I have two little kids just starting to get into computers. They each have tablets and one just got her first laptop. I have a computer-illiterate wife who has a phone and tablet and a laptop and, well, another laptop she uses to do bookkeeping for a buddy's business. I have several devices myself... more than I care to admit. I also have some servers in a DMZ as well as a plethora of IoT devices and a network printer. The true clientless devices, I have no problem with. Static (or DHCP reservation) and they behave in the home as they do in the office... clientless things that do what they do and nothing more. It's the human users I struggle with.

In an ideal world, the XG authentication client would work perfectly every time, never get kicked off, and survive the never-ending cycle of suspend and resume. In a super ideal world, I would be able to link multiple devices to a single user, through IP or MAC or even an installed client that just pinged XG with an identifier (not authentication). As long as I'm dreaming, it would be great to have a kid's (or wife's) laptop default to a clientless user linked to a real user that could be overridden with the authentication client when I need to log in and install shareware that's normally blocked from download.

But, this is not an ideal world and the unique use cases of the home user are so far off from the corporate environment that I do not expect Sophos to address these issues. It is more than awesome enough they have opened up the XG product to us non-paying people in the first place.

So, I wanted to start this discussion to see what others have done. Have you just gone clientless for everything? Do you use the authentication client and deal with the grumblings of family members who can't access the web because the little CAA icon went from orange to grey and they didn't notice? Do you just create some MAC or IP hosts and use those for rules?

Thanks in advance for any input, advice, or insight!

  • I don't know how to solve any of these problems.  :)

    But, I'm wondering if anyone has looked into the Captive Portal.

    Also specifically, have you considered whether it (web) works differently in Transparent or Standard mode.  For example if you have clientless users and you found that captive portal cannot override the logged in user, have you tried configuring the proxy server so that you are now in standard mode and trying that?

    Another possibility could be time-based.  Both Firewall rules and each line within a Web Policy can have time constraints, so that your more restrictive rules are 3pm-10pm and automatically switch to less restrictive after their bedtime.  Same user, different policy based on time.

    For web you could also change some of the policies from Block to Warn.  Then make sure that your kids know that every time they hit Proceed on a Warn page it gets logged and you can see exactly what they went to that they should not have.

  • After some testing, it seems the Captive Portal will override a MAC based clientless user. This solves some of the multi-user issues in a rather simple manner, so THANK YOU for that idea!

  • Gary,

    What solution did you end up implementing for Sophos XG authentication at home?

    I assume there are a lot of users doing the same with a mix of Windows, Linux, Android, and iOS devices.

    Thanks,

    Ari

  • What is the purpose of doing authentication at home?  What are you trying to achieve?  Do you really need it?  Most home users don't need authentication.

    Clientless users are a way of saying everything at this IP is this user.  If using DHCP you can make the IP stay with that MAC address.

    Captive Portal is a way of presenting a tab that has users log in.  You can then set to have it log out if the tab is closed, or if the user is inactive, or never (unless you specifically say to log out).

    Authentication Clients live in the system tray and are available for Windows, Mac, and Linux.  I don't know too much about them, but AFAIK you can have it so that when someone logs into Windows they automatically log into a specific local account on the XG.

    If it is that you want reports to have a username rather than an IP, then use clientless users.

    If you have personal devices (e.g. phones) that are used by one person only, then use clientless users.

    If you have multi-user devices (e.g. laptops) that you want to log or apply different policies for, create local users on the XG and use either the portal login or the authentication client.  I do not know how good either of these are when there are multiple simultaneous logins from the same IP.

    If you have new devices come in, either have policies for unauthenticated or use captive portal.

  • Hi Michael,

    There have been a few use cases mentioned in this thread, if you read through from the beginning you will see the kinds of issues we are dealing with. It mostly all centers around multiple devices used by multiple people (kids and adults) that just isn't common in the corporate world.  In these scenarios, the different authentication methods don't really work well.

    • Clientless works great when the user of a device doesn't change. In the corporate world, I've got my company assigned asset and I'm the only one using it. At home, I have a few devices that are used by both me, my wife, and my kids. Clientless doesn't work here.
    • Captive Portal is excellent for guest type access where people don't mind a somewhat cumbersome method of getting access to the internet. Any road warrior could probably enter the hotel wifi code into a browser window in their sleep. My wife, however, is of the opinion that opening the browser to "log into the internet" is ten steps backwards in the user-friendly department.
    • The authentication agent... well... I'll give you a pass since you said you don't know much about it. When it drops (which it does) or when it plain refuses to connect (which it does) or when it won't re-connect after resuming from sleep (which it does) then it drives the kids and wife crazy. The only place I've seen the CAA work well (most of the time) is on a laptop that's docked, on a wired connection, and never sleeps. But even that has random drops from time to time where it doesn't automatically try to reconnect.

    Thanks,

    Gary
