
Best approach for Authentication and Surfing Quotas?

I am struggling to come up with an effective approach for limiting and protecting my kid on my home XG install and looking for ideas/advice.

Scenario:

Would like to apply Surfing Quotas and Web filtering rules to kid devices only. All others will be unrestricted. His devices are all "known" and setup with DHCP reservations and client-less mappings.

Ideally I would apply Quota and Web Filtering rules by device, but my understanding is that Quotas can only be applied to users. Therefore, it seems the captive portal would be the only option given he has a Chromebook and other devices that do not support the agent. What would be the best way to setup the captive portal to only apply to his devices and leave all other "unknown" users/devices without restrictions?

Thanks in advance.

  • Although it's still in Early Access, the User ID sync (which has a lot of hoops to jump through right now) has your Sophos Central Endpoint send the logged-on user to XG. Although I've not tested it in this scenario personally, in theory it should work. But as I say, it's got a lot of hoops to jump through to get it working, so if you want a quick and easy method to do what you want then you will probably be better off doing it via the methods referred to earlier. But I just wanted to put the idea out there in case you already have Sophos Central EDR EAP, as well as the XG Central Management EAP and AD servers set up (lol, as I say, it's got a lot of hoops to jump through to get Synchronised User ID to even work at this stage).

    But thinking about your requirements with just Sophos XG, you could still enable Safe Browsing on your existing web protection policies and set up your surfing quota restrictions as your default, then just create users for your unrestricted users and utilise either Captive Portal or client agent authentication, so that you know your kids are always restricted in their web access, and your unrestricted users are the ones you create top-level firewall user rules for with web protection policies / unrestricted profiles.

    Do you get what I mean?

  • No change for me, User ID not working. Will be working through with Sophos Support on Wednesday.

  • Agree with John Kenny2's last reply.

    For you, I think the firewall rule is appropriate: use the captive portal (tick the box for unknown users), selecting the kids' devices (Source Networks and Devices), set the scheduled time, having provided a user and password. Thereby you restrict when it can be used and for how long, against the selected devices. For all other users, there will be another rule with unrestricted access.

  • There is some misinformation in this post.

    You do not need the Central Management EAP for User ID.

    At the current stage, it depends on your staging endpoint group. Some customers do not need the EAP for EDR to get Sync User ID working. Or if you already bought EDR, of course you do not need the EAP for that.

     

    Would recommend taking a look at these KBAs:

    https://community.sophos.com/kb/en-us/132997

    https://community.sophos.com/kb/en-us/123589

     

  • Have you looked at the Help in XG?

    This article in particular.

    http://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContents/ControllingAccessToWebsites.html

    Also, I've just gone through the documentation again myself: you can set up an authentication group for your kids with its quotas etc., then set up what's called clientless users for your kids' devices. If you have your kids' devices set up with reserved IPs that won't change, then clientless users will allow you to add kids' users with their own IP address. That gets around the need for the captive portal or client agents. You can then set up a separate firewall user rule which has your kids' devices which are set up as clientless users.

    That allows you to have your firewall rules with unrestricted web filtering, IPS... and then a rule for your kids' restrictions; as far as I can tell, clientless users get around any need for sign-in.

  • I certainly appreciate everyone's input on this! Yeah, this works for web filtering, but to my knowledge it can't be used to apply Surfing Quotas. For some reason the quota feature requires the user to be authenticated, and using a node mapping approach or client-less user doesn't count (although you can apply just about everything else to a client-less user).

    For now I am going to go with a separate rule and apply it only to the sources I have mapped out and check the captive portal.

  • You need to create a group with your quota settings on it, then put the clientless users, which are your device IPs, in that group; then you can set everything for those devices via the group.

  • Unfortunately clientless users are not able to be added to a group, only actual users. Let me know if I am missing something. 

  • Sorry, yeah, you're right. Clientless users can only go into clientless groups.

    Well, that sucks lol

    I'm sure there is another way to do this; I'll have another look through the docs.

    Do you need to use quotas or just scheduling for the times the web can be accessed? As you can set schedules on the web policies along with safe surfing enforcement, then add those web policies to your firewall rule with the clientless users assigned to it. That gives you your web restrictions on a schedule for the hours you set. Then just clone that rule below and set it as a drop / reject rule.

    Then all your other rules you can add below those 2 rules for normal traffic, because you add that cloned rule of the clientless user rule with drop / reject on it as a catch-all rule for the clientless users; those devices are then always restricted to the web schedule.

    e.g.

    So set up your clientless users first, then add them to a clientless-type group, then create a web policy with restrictions on for your kids, then create the time constraints in the policy itself, i.e. every day 9am till 5pm; also set the default action to block HTTP so this will only allow web access within whatever constraints you set on the policy. Set Safe Search on that policy as well, then you just add that to the kids' firewall policy as I mentioned above.
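
    The rule ordering in the post above, as an added illustration that is not part of the thread and not Sophos code or the XG API: a constructed Python model of first-match evaluation over an ordered rule table, with a time window standing in for the schedule on the web policy. The device addresses, rule names and policy names are hypothetical. It shows why the cloned drop rule has to sit directly beneath the scheduled rule and above the unrestricted rules: in the wrong order the kid's device falls through to the unrestricted rule outside the schedule.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model, not Sophos code: first-match evaluation of an ordered
# rule table, with an hour window standing in for the schedule that the post
# puts on the web policy.


@dataclass
class Rule:
    name: str
    sources: List[str]                       # host IPs / CIDRs the rule applies to
    action: str                              # "accept" or "drop"
    hours: Optional[Tuple[int, int]] = None  # (start, end) hour window; None = any time
    web_policy: Optional[str] = None         # web policy attached to the rule, if any

    def matches(self, src_ip: str, when: datetime) -> bool:
        addr = ip_address(src_ip)
        if not any(addr in ip_network(s) for s in self.sources):
            return False
        if self.hours is not None:
            start, end = self.hours
            if not (start <= when.hour < end):
                return False
        return True


def evaluate(rules: List[Rule], src_ip: str, when: datetime):
    """Return (rule name, action, web policy) of the first matching rule,
    or an implicit deny when nothing matches."""
    for rule in rules:
        if rule.matches(src_ip, when):
            return rule.name, rule.action, rule.web_policy
    return "implicit-deny", "drop", None


def decide_at_hour(rules: List[Rule], src_ip: str, hour: int):
    """Convenience wrapper: evaluate at a given hour of an arbitrary day."""
    return evaluate(rules, src_ip, datetime(2020, 6, 1, hour, 0))


# Hypothetical reserved addresses for the kid's clientless-user devices.
KID_DEVICES = ["192.0.2.10/32", "192.0.2.11/32"]
ANY = ["0.0.0.0/0"]


def scheduled_rule() -> Rule:
    # Kids' rule: restricted web policy, allowed 09:00-17:00 only.
    return Rule("kids-web-scheduled", KID_DEVICES, "accept", (9, 17), "kids-restricted")


def catch_all_drop() -> Rule:
    # Clone of the kids' rule with drop as its action and no schedule.
    return Rule("kids-catch-all-drop", KID_DEVICES, "drop")


def unrestricted_rule() -> Rule:
    # Everyone else, any time, no web restrictions.
    return Rule("lan-unrestricted", ANY, "accept", None, "allow-all")


# Order recommended in the post: scheduled kids' rule, its cloned drop rule
# directly beneath it, and the unrestricted rules for everyone else after that.
CORRECT_ORDER = [scheduled_rule(), catch_all_drop(), unrestricted_rule()]

# Same rules with the unrestricted rule placed above the clone: outside the
# schedule the kid's device no longer matches the first rule and falls
# through to the unrestricted one before the drop rule is reached.
WRONG_ORDER = [scheduled_rule(), unrestricted_rule(), catch_all_drop()]


if __name__ == "__main__":
    for label, table in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label)
        print("  kid device, 10:00  ->", decide_at_hour(table, "192.0.2.10", 10))
        print("  kid device, 20:00  ->", decide_at_hour(table, "192.0.2.10", 20))
        print("  other device, 20:00 ->", decide_at_hour(table, "192.0.2.50", 20))
```

    Running it prints the first matching rule for each case; the only difference between the two tables is the after-hours result for the kid's device, which is what the cloned drop rule exists to catch.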

  • With firewall rules, you should be able to specify specific source IPs (source network = host). This will allow you to have a firewall rule only for your kids' devices and have captive portal authentication on it, then have a second firewall rule for the rest of your network.

     

    Another option to look at is having captive portal forever logins.

    Go to Authentication, Services, and scroll to the bottom.
    Preserve Captive Portal - No
    Use Keepalive - Disable
    Timeout - Unlimited

    My recollection is that you should be able to log in once and then keep it for weeks; basically it stays until the box is restarted. It is a poor man's clientless user.