Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 32 replies
  • Subscribers 30 subscribers
  • Views 39495 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How do you use authentication as a Home user?

Gary Parr

I use XG in my home, as many do apparently. While the enterprise class features are very nice to have, they sometimes create difficult situations for us non-corporate environments. I'm wondering how those of you in my shoes handle the authentication issue.

For background, I have two little kids just starting to get into computers. They each have tablets and one just got her first laptop. I have a computer illiterate wife who has a phone and tablet and a laptop and, well, another laptop she uses to do bookkeeping for a buddies business. I have several devices myself... more than I care to admit. I also have some servers in a DMZ as well as a plethora of IOT devices and a network printer. The true clientless devices, I have no problem with. Static (or DCHP reservation) and they behave in the home as they do in the office... clientless things that do what they do and nothing more. It's the human users I struggle with.

In an ideal world, the XG authentication client would work perfectly every time, never get kicked off, and survive the never ending cycle of suspend and resume. In a super ideal world, I would be able to link multiple devices to a single user, though IP or MAC or even an installed client that just pinged XG with an identifier (not authentication). As long as I'm dreaming, It would be great to have a kids (or wife's) laptop default to a clientless user linked to a real user that could be over-ridden with the authentication client when I need to log in and install shareware that's normally blocked from download.

But, this is not an ideal world and the unique use cases of the home user are so far off from the corporate environment that I do not expect Sophos to address these issues. It is more than awesome enough they have opened up the XG product to us non-paying people in the first place.

So, I wanted to start this discussion to see what others have done. Have you just gone clientless for everything? Do you use the authentication client and deal with the grumblings of family members who can't access the web because the little CAA icon whent from orange to grey and they didn't notice? Do you just create some mac or IP hosts and use those for rules?

Thanks in advance for any input, advice, or insight!



This thread was automatically locked due to age.
  • 0 in reply to Rick Kressin

    Rick Kressin said:

    I use MAC Hosts for everything.

    I currently setup MAC hosts as well, figuring that was marginally more secure than IP hosts. But, since you can't group MAC hosts I'm now looking again at IP.  What drives me nuts is the lack of "coordination" in XG between the different MAC/IP/Client assignment screens.  If I'm creating a static DHCP assignment to a MAC address in the DHCP screen, why can I not just check a box to have that assignment automatically create an associated host and/or clientless user? Instead I've got to navigate between three different screens to manage a single entity.

    And yes, reports (and the live dashboard screens) are near impossible to work with if you are trying to remember which device is which IP. I've been creating clientless users for every device just so I can read the reports, but (because of my gripe above about multiple screens) it is rather cumbersome trying to keep track of it all. And, what really stinks is that if you have a clientless user setup for the kids laptop but then try to authenticate with CAA so you can install stuff they can't, the CAA won't work... XG doesn't let you register a real user to a device that's clientless. At least, I couldn't get it to work.

    Also, like you I run a guest network and need to keep my kids off of it. Something I'm looking at is keeping the guest AP open (no security) and then using the SMS integration with Guest Users to create temporary guest accounts. There are some really, really dirt-cheap SMS gateways out there that might cost you a few bucks a year for such a low volume or, if you have time to tinker, you can send 100 SMS a month for free with an Amazon AWS account and SNS.

    Anyway, thanks for sharing how you are handling this.

    Gary

  • 0 in reply to Gary Parr

    Hi,

    I am not sure why you think MAC addressing is more secure than IP addressing. both can be spoofed.

    I understand your frustration with the lack of linking between various functions. The XG network management is very limited, it might have fantastic application and web filtering features but the lack of other features makes it hard to manage.

    Please explain what you are trying to do with real users and clientless assignments? I do't have need to use the various signs functions since my kids left home. I do have names assigned to clientless users though.

    Ian

  • 0 in reply to rfcat_vk

    Hi Ian,

    When I said "marginally more secure" I should have emphasized the "marginally" part. I suppose I think this way for two reasons. Primary among them is that my kids will figure out how to set a static IP before they will discover what a MAC even is, much less how to change one. Secondary is just basic identifier primacy. If you figure MAC is used to create the IP reservation in the DHCP server, then the MAC is ipso facto the top of the chain. But agreed, they can both be worked around with minimal effort by anyone with enough curiosity to explore their network configuration options.

    As for the whole real user vs clientless thing, it really boils down to the following use cases:

    • devices that are used by both adults and kids at different times of the day for different reasons.
    • tracking use across multiple devices for kids surfing quota restrictions
    • aggregating reports by the actual user

    With clientless, I really can't do any of those. I need individual user identification, but the authentication client has it's own set of issues. Namely that it doesn't always want to reconnect on devices that spend most of their time sleeping. Oh, and it isn't available in the Amazon app store for installation on the kids Fire tablets.

    Anyway, I know there will be no perfect solution for home users. We're just not the target market for this product. So, mostly I'm just looking to see what everyone else does and hopefully uncover some useful nuggets I can incorporate into my own strategy.

    Thanks,

    Gary

  • 0 in reply to Gary Parr

    Hi Gary,

    with shared machines you have a problem. If you tie a MAC to an IP and use clientless then assign the clientless to groups which have specific firewall rules that will improve your control. The kids would then have to put a static IP address in the range that you have allowed the adult machines to access. Of course threes always the hard solution of installing your own server with AD functions.

    Do not try and use IPv6, the XG is not ready even though it has IPv6 functions, they are very limited when compared two the IP4 functions.

    Ian

  • 0 in reply to rfcat_vk

    Yeah, right now I'm grouping hosts into things like tablets, phones, IOT, routers, servers, etc. It's just those shared devices as you said. As for AD... even if I could hack STAS to work with OpenLDAP on Linux, I'm still stuck with countless Windows 10 Home machines and various other devices that don't know how to authenticate in that environment. I thought about it though!

    Thanks for the heads up about IPv6... I was actually about to start tinkering with that. Perhaps I'll push it further down the to-do list.

  • 0 in reply to Gary Parr

    Hi Gary,

    the UTM has better IPv6 features than XG. I have a small UTM in front of one my internet connections so I can better manage/understand IPv6 on the XG.

    I put the IoT into their own wifi group because of the lower security functions according to the experts.

    Ian

  • 0 in reply to rfcat_vk

    That's something I need to do... put the IOT into their own subnet isolated from the LAN. Glad you reminded me!

  • 0

    I don't know how to solve any of these problems.  :)

    But, I'm wondering if anyone has looked into the Captive Portal.

    Also specifically, have you considered whether it (web) works differently in Transparent or Standard mode.  For example if you have clientless users and you found that captive portal cannot override the logged in user, have you tried configuring the proxy server so that you are now in standard mode and trying that?

     

    Another possibility could be time-based.  Both Firewall rules and each line within a Web Policy can have time constraints.  So that your more restrictive rules are 3pm-10pm and automatically switch to less restrictive after their bedtime.  Same user, different policy based on time.

    For web you could also change some of the policies from Block to Warn.  Then make sure that your kids know that every time they hit Proceed on a Warn page it gets logged and you can see exactly what they went to that they should not have.

  • 0 in reply to Michael Dunn

    Now THAT is what I'm taking about! Some great ideas there Michael, I'm going to have to play with them and see what might fit into my toolkit.

    -Gary

  • 0 in reply to Michael Dunn

    After some testing, it seems the Captive Portal will override a MAC based clientless user. This solves some of the multi-user issues in a rather simple manner, so THANK YOU for that idea!