
Block traffic from specific machines, unless they are logged in with the client

Hi. I have a set of MAC addresses for which I'd like to block traffic unless they are logged in.


I'd simultaneously like to avoid this setup in the firewall screen:

  • Let authenticated users through (Rule 1)
  • Block all unauthenticated users (Rule 2)

Because I have an army of machines on the network I'd prefer remain unaffected by this condition.

My first instinct was to create a clientless group for these MAC addresses, but it appears that the clientless group supersedes the client-based authentication.  My log was full of:

"User abc failed to login to Firewall through authentication mechanism from 192.168.168.33 because of Already login as clientless user"

Thank you!



This thread was automatically locked due to age.
  • Hi,

    from your description you are not using a login server or AD network access control? How do you control your user access to network services?

    Ian

  • Thanks for the help! Appreciated!


    Currently, the users are added right into the Sophos Authentication > Users area.


    To paint a better picture, these are shared computers used for testing and such tasks in a relatively open area. I want to ensure that users log in using the Sophos client before they work.


    So far, I've been able to disable them by:

    • binding their MAC address to specific IP addresses in the DHCP configuration
    • binding those IP addresses to clientless users
    • adding those clientless users to a specific clientless user group
    • creating a firewall rule that denies access to that specific clientless user group

    Unfortunately, it's the re-enabling access part that doesn't seem to work.  

    In the groups area, I am able to set an order. I would have thought that this order affects 'authentication' order, but whatever I try, the user cannot log in, since that machine is already logged in as a 'clientless user'.

     

  • Hi,

    the way to change user status is in Clientless Users: click the user, change the status, wait a short time, then change the status again; that will enable a new connection. You can select a number of individual clientless users with the filter and change their status at the same time.

    I had a play with that reorder function and am not sure what the role of that feature is.

    Ian

  • Yeah, not sure what the ordering feature is for either.

    If I toggle the clientless users as 'inactive', won't that let these machines through the firewall given how I've set things up?

  • Hi,

    no, that blocks access to the internet, e.g. drops connections. It is the recommended way of stopping and restarting connections; otherwise a restart is required.

    Because you have linked the clientless user to a specific firewall rule it will be blocked until you re-enable it.


    Ian
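The behaviour described in this thread (the DHCP-to-clientless-user chain in the second post, the "Already login as clientless user" failure, and Ian's point that deactivating a clientless user drops its connections rather than freeing the IP) can be modelled as a small identity-resolution and rule-evaluation simulation. The code below is an added, constructed model written for this thread; it is not Sophos code and makes no claim about the firewall's internals. The class and method names, the MAC address, the host 192.168.168.50 and the group name "testbench" are all assumptions; the log line reproduced is the one quoted in the question.

```python
from dataclasses import dataclass

# Log text quoted in the original question; the model emits it on a conflicting login.
LOG_FMT = ("User {user} failed to login to Firewall through authentication "
           "mechanism from {ip} because of Already login as clientless user")


@dataclass
class ClientlessUser:
    name: str
    ip: str
    group: str
    active: bool = True


class FirewallModel:
    """Toy model (assumption, not Sophos internals) of how a clientless binding
    on an IP pins that IP's identity and how deny rules are then evaluated."""

    def __init__(self):
        self.dhcp_reservations = {}   # MAC -> reserved IP (step 1 of the thread)
        self.clientless_by_ip = {}    # IP -> ClientlessUser (step 2)
        self.client_sessions = {}     # IP -> username logged in via the client
        self.rules = []               # (kind, group, action); first match wins
        self.log = []

    def reserve(self, mac, ip):
        self.dhcp_reservations[mac.lower()] = ip

    def bind_clientless(self, user):
        self.clientless_by_ip[user.ip] = user

    def add_rule(self, kind, action, group=None):
        self.rules.append((kind, group, action))

    def client_login(self, username, ip):
        # A clientless binding on the IP wins over client authentication,
        # which is the failure the original poster saw in the log.
        if ip in self.clientless_by_ip:
            self.log.append(LOG_FMT.format(user=username, ip=ip))
            return False
        self.client_sessions[ip] = username
        return True

    def set_clientless_status(self, name, active):
        for user in self.clientless_by_ip.values():
            if user.name == name:
                user.active = active
                return True
        return False

    def traffic_allowed(self, ip):
        user = self.clientless_by_ip.get(ip)
        if user is not None and not user.active:
            return False  # inactive clientless user: connections are dropped
        for kind, group, action in self.rules:
            if kind == "clientless_group" and user is not None and user.group == group:
                return action == "allow"
            if kind == "authenticated" and (user is not None or ip in self.client_sessions):
                return action == "allow"
        # No rule matched: machines outside the scheme stay unaffected (model default).
        return True


def scenario():
    """Replays the thread's setup and returns the observable outcomes."""
    fw = FirewallModel()
    fw.reserve("00:11:22:33:44:55", "192.168.168.33")   # constructed MAC
    fw.bind_clientless(ClientlessUser("bench01", "192.168.168.33", "testbench"))
    fw.add_rule("clientless_group", "deny", group="testbench")  # step 4 of the thread

    results = {}
    results["bench_blocked"] = not fw.traffic_allowed("192.168.168.33")
    results["other_host_unaffected"] = fw.traffic_allowed("192.168.168.50")
    results["client_login_ok"] = fw.client_login("abc", "192.168.168.33")
    results["log"] = list(fw.log)
    fw.set_clientless_status("bench01", False)
    results["inactive_blocked"] = not fw.traffic_allowed("192.168.168.33")
    fw.set_clientless_status("bench01", True)
    results["reenabled_still_denied"] = not fw.traffic_allowed("192.168.168.33")
    results["client_login_other_host"] = fw.client_login("abc", "192.168.168.50")
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running `scenario()` shows the two halves of the problem side by side: the deny rule on the clientless group does block the bench machine without touching the other host, but the same binding that makes the deny rule match also makes every client login from that IP fail, and toggling the clientless user inactive only drops its connections; once re-enabled it is denied again by the group rule, exactly as Ian describes.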
