
Best approach for Authentication and Surfing Quotas?

I am struggling to come up with an effective approach for limiting and protecting my kid on my home XG install and looking for ideas/advice.

Scenario:

Would like to apply Surfing Quotas and Web filtering rules to kid devices only. All others will be unrestricted. His devices are all "known" and setup with DHCP reservations and client-less mappings.

Ideally I would apply Quota and Web Filtering rules by device, but my understanding is that Quotas can only be applied to users. Therefore, it seems the captive portal would be the only option given he has a Chromebook and other devices that do not support the agent. What would be the best way to setup the captive portal to only apply to his devices and leave all other "unknown" users/devices without restrictions?

Thanks in advance.

  • Have you looked at the Help in XG?

    This article in particular.

    http://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContents/ControllingAccessToWebsites.html

    Also, I've just gone through the documentation again myself: you can set up an authentication group for your kids with its quotas etc., then set up what's called clientless users for your kids' devices.  If you have your kids' devices set up with reserved IPs that won't change, then clientless users will allow you to add kids' users with their own IP address.  That gets around the need for the captive portal or client agents.  You can then set up a separate firewall user rule which has your kids' devices that are set up as clientless users.

    That allows you to have your firewall rules with unrestricted web filtering, IPS... and then a rule for your kids' restrictions. As far as I can tell, clientless users get around any need for sign-in.

  • I certainly appreciate everyone's input on this! Yeah this works for Web filtering, but to my knowledge it can't be used to apply Surfing Quotas. For some reason the quota feature requires the user to be authenticated and using a node mapping approach or client-less user doesn't count (although you can apply just about everything else to a client-less user).

    For now I am going to go with a separate rule and apply it only to the sources I have mapped out and check the captive portal.

  • You need to create a group with your quota settings on it, then put the clientless users (which are your device IPs) in that group; then you can set everything for those devices via the group.

  • Unfortunately clientless users are not able to be added to a group, only actual users. Let me know if I am missing something. 

  • Sorry, yeah, you're right, clientless users can only go into clientless groups.

    Well that sucks lol

    I'm sure there is another way to do this; I'll have another look through the docs.

    Do you need to use quotas, or just scheduling for the times the web can be accessed?  You can set schedules on the web policies along with safe surfing enforcement, then add those web policies to your firewall rule with the clientless users assigned to it.  That gives you your web restrictions on a schedule for the hours you set.  Then just clone that rule below and set it as a drop / reject rule.

    Then all your other rules for normal traffic can go below those 2 rules. Because the cloned clientless-user rule with drop / reject on it acts as a catch-all for the clientless users, those devices are always restricted to the web schedule.

    e.g.

    So set up your clientless users first, then add them to a clientless-type group, then create a web policy with restrictions on it for your kids, then create the time constraints in the policy itself, i.e. every day 9am till 5pm. Also set the default action to block HTTP so this will only allow web access within whatever constraints you set on the policy.  Set Safe Search on that policy as well, then just add it to the kids' firewall policy as I mentioned above.

  • With firewall rules, you should be able to specify specific source IPs (source network = host).  This will allow you to have a firewall rule only for your kids' device and have captive portal authentication on it, then have a second firewall rule for the rest of your network.


    Another option to look at is having captive portal forever logins.

    Go to Authentication, Services, and scroll to bottom.
    Preserve Captive Portal - No
    Use Keepalive - Disable
    Timeout - Unlimited

    My recollection is that you should be able to log in once and then keep it for weeks - basically it stays until the box is restarted.  It is a poor man's clientless user.

  • Apologies for the delay, been a heck of a week!

    Yeah I am specifically looking to enforce "Surfing Quotas". As you have mentioned "Access times" can be enforced by device... just wish Quotas could as well! 

  • Now that second part is interesting.... gonna play with that. Might mitigate the anarchy that will undoubtedly arise when kid has to login multiple times per day.... such a hard life they lead ;-)

  • Okay so I think I'm losing my mind.... Per your instructions, I am trying to create the rule to apply the captive portal by host. I have the hosts mapped and source network/hosts configured, but cannot figure out how to apply the captive portal to those hosts without using "show CP to unknown users". It seems we can't get around the fact that most features are designed to be applied to users as opposed to devices. Again, the goal is to present the CP only to a select few devices and all others (which are unauthenticated) would not see the CP.

  • Rule 1 = Select hosts and show CP to unknown users

    Rule 2 = select all other hosts and don't show CP to unknown users

    Will the above not work for you? Perhaps I misunderstood the requirement.
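    As an added illustration (not from the thread and not Sophos' own tooling), here is a small Python model of XG-style top-down first-match rule evaluation for the two-rule layout above, showing why the kid-host rule has to sit above the catch-all. The host addresses are constructed placeholders.

    ```python
    from dataclasses import dataclass
    from typing import List, Optional, Set, Tuple

    # Constructed sample addresses standing in for the kid's DHCP reservations.
    KID_HOSTS: Set[str] = {"192.168.1.50", "192.168.1.51"}


    @dataclass
    class Rule:
        name: str
        sources: Optional[Set[str]]       # None matches any source host
        action: str                       # "accept" or "drop"
        show_cp_to_unknown: bool = False  # "show captive portal to unknown users"
        web_policy: Optional[str] = None  # web policy attached to the rule


    def evaluate(rules: List[Rule], src_ip: str, authenticated: bool = False) -> Tuple[str, str]:
        """Top-down, first-match evaluation of a rule list for one client.

        Returns (matching rule name, disposition); disposition is "drop",
        "captive_portal" or "accept:<web policy>".
        """
        for r in rules:
            if r.sources is not None and src_ip not in r.sources:
                continue  # source host not in this rule's network/host list
            if r.action == "drop":
                return r.name, "drop"
            if r.show_cp_to_unknown and not authenticated:
                return r.name, "captive_portal"  # unknown user is redirected to the CP
            return r.name, "accept:" + (r.web_policy or "unrestricted")
        return "default", "drop"  # nothing matched: implicit drop


    # Rule 1: kid hosts only, CP shown to unknown users, quota-bearing policy.
    # Rule 2: everyone else, no CP, unrestricted.
    CP_RULES = [
        Rule("kid devices", KID_HOSTS, "accept", show_cp_to_unknown=True, web_policy="kids (quota)"),
        Rule("everyone else", None, "accept"),
    ]


    def misordered() -> Tuple[str, str]:
        """Same two rules with the catch-all on top: kid devices never see the CP."""
        return evaluate(list(reversed(CP_RULES)), "192.168.1.50")
    ```
    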

  • Gotcha, I was over thinking it. Will give it a go and report back.