
How do you use authentication as a Home user?

I use XG in my home, as many do apparently. While the enterprise class features are very nice to have, they sometimes create difficult situations for us non-corporate environments. I'm wondering how those of you in my shoes handle the authentication issue.

For background, I have two little kids just starting to get into computers. They each have tablets and one just got her first laptop. I have a computer illiterate wife who has a phone and tablet and a laptop and, well, another laptop she uses to do bookkeeping for a buddy's business. I have several devices myself... more than I care to admit. I also have some servers in a DMZ as well as a plethora of IoT devices and a network printer. The true clientless devices, I have no problem with. Static (or DHCP reservation) and they behave in the home as they do in the office... clientless things that do what they do and nothing more. It's the human users I struggle with.

In an ideal world, the XG authentication client would work perfectly every time, never get kicked off, and survive the never ending cycle of suspend and resume. In a super ideal world, I would be able to link multiple devices to a single user, through IP or MAC or even an installed client that just pinged XG with an identifier (not authentication). As long as I'm dreaming, it would be great to have a kids' (or wife's) laptop default to a clientless user linked to a real user that could be over-ridden with the authentication client when I need to log in and install shareware that's normally blocked from download.

But, this is not an ideal world and the unique use cases of the home user are so far off from the corporate environment that I do not expect Sophos to address these issues. It is more than awesome enough they have opened up the XG product to us non-paying people in the first place.

So, I wanted to start this discussion to see what others have done. Have you just gone clientless for everything? Do you use the authentication client and deal with the grumblings of family members who can't access the web because the little CAA icon went from orange to grey and they didn't notice? Do you just create some MAC or IP hosts and use those for rules?

Thanks in advance for any input, advice, or insight!



  • I don't know how to solve any of these problems.  :)

    But, I'm wondering if anyone has looked into the Captive Portal.

    Also specifically, have you considered whether it (web) works differently in Transparent or Standard mode.  For example if you have clientless users and you found that captive portal cannot override the logged in user, have you tried configuring the proxy server so that you are now in standard mode and trying that?


    Another possibility could be time-based.  Both Firewall rules and each line within a Web Policy can have time constraints.  So that your more restrictive rules are 3pm-10pm and automatically switch to less restrictive after their bedtime.  Same user, different policy based on time.

    For web you could also change some of the policies from Block to Warn.  Then make sure that your kids know that every time they hit Proceed on a Warn page it gets logged and you can see exactly what they went to that they should not have.

  • After some testing, it seems the Captive Portal will override a MAC based clientless user. This solves some of the multi-user issues in a rather simple manner, so THANK YOU for that idea!

  • What is the purpose of doing authentication at home?  What are you trying to achieve?  Do you really need it?  Most home users don't need authentication.


    Clientless users are a way of saying everything at this IP is this user.  If using DHCP you can make the IP stay to that MAC address.

    Captive Portal is a way of presenting a tab that has users log in.  You can then set to have it log out if the tab is closed, or if the user is inactive, or never (unless you specifically say to log out).

    Authentication Clients live in the system tray and are available for Windows, Mac, and Linux.  I don't know too much about them, but AFAIK you can have it so that when someone logs into Windows they automatically log into a specific local account on the XG.


    If it is that you want reports to have a username rather than an IP, then use clientless users.  

    If you have personal devices (e.g. phones) that are used by one person only, then use clientless users.

    If you have multi-user devices (e.g. laptops) that you want to log or apply different policies for, create local users on the XG and use either the portal login or the authentication client.  I do not know how good either of these are when there are multiple simultaneous logins from the same IP.

    If you have new devices come in, either have policies for unauthenticated or use captive portal.

  • Hi Michael,

    There have been a few use cases mentioned in this thread, if you read through from the beginning you will see the kinds of issues we are dealing with. It mostly all centers around multiple devices used by multiple people (kids and adults) that just isn't common in the corporate world.  In these scenarios, the different authentication methods don't really work well.

    • Clientless works great when the user of a device doesn't change. In the corporate world, I've got my company assigned asset and I'm the only one using it. At home, I have a few devices that are used by both me, my wife, and my kids. Clientless doesn't work here.
    • Captive Portal is excellent for guest type access where people don't mind a somewhat cumbersome method of getting access to the internet. Any road warrior could probably enter the hotel wifi code into a browser window in their sleep. My wife, however, is of the opinion that opening the browser to "log into the internet" is ten steps backwards in the user-friendly department.
    • The authentication agent... well... I'll give you a pass since you said you don't know much about it. When it drops (which it does) or when it plain refuses to connect (which it does) or when it won't re-connect after resuming from sleep (which it does) then it drives the kids and wife crazy. The only place I've seen the CAA work well (most of the time) is on a laptop that's docked, on a wired connection, and never sleeps. But even that has random drops from time to time where it doesn't automatically try to reconnect.

    Thanks,

    Gary

  • Hi Ari,

    I'm pretty much using clientless for now on almost everything. When I have to override the kids' firewall rules to install software or something I point the browser to the captive portal and log myself in under an adult account. When my wife grabs a kids' laptop she usually just puts it back down because she can't remember how to get to the captive portal and the kids' firewall rules block some of her social media and shopping sites. When my kids grab my wife's laptop they just hope no one catches them doing something they shouldn't.  The only devices that I use the authentication agent on are the ones where I'm the primary user. This is the side effect of my kids and wife not using them often because they hate when the agent drops or doesn't connect.

    All in all, it's ugly and has lots of holes. I can't use any rules at the user level, kids can bypass their restrictions if they find my wife's laptop, etc. I did find a reasonable solution to grouping all of those clientless agents into reportable groups though. I export all my logs to a graylog server and then report off the elasticsearch backend. I think I read somewhere that the next XG release will have an improved authentication agent. My hope is that this will at least allow me to install it on the wife's laptop.

    Thanks,

    Gary

  • Gary,

    Could one log in to the captive portal with a script that runs at user login? Perhaps if there's some documentation I could just write a powershell script for this.

    Ari

  • Now that's an interesting idea. I'm sure it could be done, but there may be issues with maintaining the session depending on how you script it and how the captive portal is configured. If the next XG release does not include an improved authentication client, I'll give this a try and let you know how it works out.


    Thanks,

    Gary

  • I don't think you will be able to script the captive portal.  You can, however, use the XML API.

    Go to Backups and firmware, API.  Turn on and allow from the IPs that will send the request.

    Google Sophos for <LiveUserLogin>. community.sophos.com/.../123617

    Note that passwords sent in XML are plaintext.

    Younger kids steal parents' laptops.  Older kids sniff packets.  Problem kids sniff glue.  :)

    I had to do something like this a long time ago.  Create a Desktop icon that goes directly to the captive portal.  Create a shortcut on the toolbar (put at far left, e.g. first) for the same.  Name these something memorable like "Log in as Parent" or "I am a god" or "Turn off web blocking" or "I love you honey but the kids are in bed and I want to watch netflix".

    17.5 now includes web overrides.  The intention is for schools but it might work for home use.
  • Michael,

    I'm going to wait to see how the CAA behaves with the new version release. If it really does reconnect consistently on wake-from-sleep, then it might just be the solution I'm looking for on all the adult devices. Kids devices can be handled using captive portal to over-ride FW rules when required.

    However, the XML API suggestion was brilliant. If I have to go that route I might take it a step further if I can.  Assuming the API allows you to assign clientless users to clientless groups, I can write a script to run when user-switches occur that re-assigns the device to the appropriate clientless group for the user who just logged in. In theory, this would work for just about any device and be much, much more stable than the authentication client.


    Thanks,

    Gary

  • The API is big, almost anything you can do from WebAdmin you can do through the API.

    One thing that I heard from elsewhere is that if you have clientless users and you go to the WebAdmin, Current Activities, Live Users and log them off - it doesn't work properly.  The clientless user is intended to be more permanent than that.  The correct way to disassociate the user from that IP is to go to Authentication, Clientless Users, and set them Inactive.  This would be true in the API as well.

    In short - use <LiveUserLogin> to log in/out users that could log in via Captive Portal.  Modify the Clientless users to log in/out clientless users.


    Also, to future-proof yourself: perform a Get, modify what you need, do a Set; that is most dynamic.  Pay attention to APIVersion.  If you don't specify it you are always using the latest (which means it could change).  If you are less dynamic, code for the latest APIVersion and keep passing that in (the system is backwards compatible).

    https://www.sophos.com/en-us/support/documentation/sophos-xg-firewall.aspx  Download "API Help".
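    An added example (not code from this thread or from Sophos) of what Ari's login-time script could send: it builds the <Request> envelope with a <Login> block and a Get/Set body with APIVersion pinned, then sends it over verified HTTPS. The controller URL, the reqxml query parameter, the <Login> element names and the inner <LiveUserLogin> fields are assumptions to check against the API Help PDF linked above; only <LiveUserLogin>, Get/Set and APIVersion come from the posts.

```python
"""Build and send Sophos XG XML API requests from a user-login script.

Assumptions (verify against the API Help document): the controller is at
https://<firewall>:4444/webconsole/APIController and reads the request from
a 'reqxml' query parameter; the envelope is <Request APIVersion="..."> with a
<Login> block; <LiveUserLogin> carries UserName, Password and IPAddress.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

API_VERSION = "1702.1"  # assumed pin; unspecified means "latest", which can change


def build_request(admin_user: str, admin_pass: str, op: str, entity: str,
                  fields: dict, api_version: str = API_VERSION) -> str:
    """Return <Request> XML wrapping one Get or Set of `entity` with `fields`."""
    if op not in ("Get", "Set"):
        raise ValueError("op must be Get or Set")
    root = ET.Element("Request", APIVersion=api_version)
    login = ET.SubElement(root, "Login")
    ET.SubElement(login, "Username").text = admin_user
    # Plaintext inside the XML, as the post warns: TLS is the only protection.
    ET.SubElement(login, "Password").text = admin_pass
    body = ET.SubElement(ET.SubElement(root, op), entity)
    for tag, value in fields.items():
        ET.SubElement(body, tag).text = value
    return ET.tostring(root, encoding="unicode")


def live_user_login(admin_user: str, admin_pass: str,
                    user: str, password: str, ip: str) -> str:
    """Captive-portal-style login of `user` from `ip` (field names assumed)."""
    return build_request(admin_user, admin_pass, "Set", "LiveUserLogin",
                         {"UserName": user, "Password": password, "IPAddress": ip})


def api_url(firewall: str, request_xml: str) -> str:
    """HTTPS only: the admin password travels inside reqxml."""
    return "https://%s:4444/webconsole/APIController?reqxml=%s" % (
        firewall, urllib.parse.quote(request_xml, safe=""))


def send(firewall: str, request_xml: str, cafile: str) -> str:
    """Send the request, verifying the WebAdmin certificate against `cafile`."""
    ctx = ssl.create_default_context(cafile=cafile)  # never disable verification here
    with urllib.request.urlopen(api_url(firewall, request_xml), context=ctx, timeout=10) as r:
        return r.read().decode()


if __name__ == "__main__":
    # Constructed values; real credentials belong in a credential store, not the script.
    print(live_user_login("apiadmin", "EXAMPLE-ONLY", "parent", "EXAMPLE-ONLY", "192.168.1.50"))
```

    Restrict the API to the sending host's IP (as the post says) and run the script from the account that should be logged in, so the XG login tracks the Windows user switch.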

  • Interesting.  Would you still need to "log out" a clientless user to change their group?  I'm thinking a "kids" and "adults" clientless group and then clientless users like "tablet 1" and "laptop 2" and then just moving the user in and out of the kids/adults group. This way the clientless user itself stays static.


    Thanks,

    Gary

  • Gary Parr said:

    Interesting.  Would you still need to "log out" a clientless user to change their group?  I'm thinking a "kids" and "adults" clientless group and then clientless users like "tablet 1" and "laptop 2" and then just moving the user in and out of the kids/adults group. This way the clientless user itself stays static.

    As a QA, I can only say that testing is the only way to be sure.  :)

    If you are only concerned with web policy you could also use the API to re-write your web policy.  Create a web policy that has user "tablet 1" with all the kids' rules and all the adult rules.  Then use the API to enable/disable the kids' web policy rules.  You can even use User Activities to make it so you just have 2 rules total.
