Most efficient way to handle AD and non AD users

Hello,

I am looking for the most efficient way to handle users in an AD environment where non-AD users exist (from personal computers, phones or other devices that need special treatment).

Suppose I have a rule to filter traffic from known users (either with STAS or with AD groups); how do I handle traffic for those unknown users? Using a rule above the known-users rule?

Best regards

K



  • Hi Kostas,

    I had exactly the same question a couple of weeks ago (no-one answered).

    In the end, I decided the only way to do it is by assigning certain types of device certain IP addresses, then using these IP address ranges in rules. This needs a bit more setting up, but works extremely well.

    I've done this using fixed addresses and DHCP as follows:

    - Servers: 10.2.0.X (fixed IPs)

    - Phones/Tablets: 10.2.2.X (DHCP reservations)

    - Unrestricted PCs and IoT devices: 10.2.3.X (DHCP reservations)

    - Windows PCs: 10.2.4.0 - 10.2.5.255 (DHCP scope, non-reserved).

    (It's a bit outside the scope of your question, but we also have ranges for wireless, guest wireless, other sites on site-to-site VPNs, etc.)

    Then, we applied firewall and web policy rules to suit - but the Windows IP ranges have 'match known users' and 'use web authentication' ticked, to prompt an NTLM/Kerberos authentication. (Of course, the XG needs to be AD-integrated first.)

    This means any device on the network needs to pass through the IT office to be set up:

    - Windows PCs are, of course, joined to the domain by IT staff

    - Tablets, phones etc. need to have their DHCP reservation set up before they can access the internet (otherwise they receive a 10.2.4/5.X address, which requires authentication for internet access).

    I'm writing a blog about how to correctly set up AD authentication - there are some parts that are not explained in the documentation - I can send you a 'beta' copy if you wish.

    Regards

    Adrian
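The IP-range scheme and rule order described in this post, modelled as an added example (not part of the original thread and not a Sophos XG configuration). The rule semantics are assumed: first-match evaluation, and a rule with 'match known users' ticked that sees no authenticated identity either challenges the client when 'use web authentication' is also ticked or is skipped; the catch-all drop at the bottom is also an assumption.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, summarize_address_range

# Device-class ranges from the post, expressed as networks (constructed model).
SERVERS = [IPv4Network("10.2.0.0/24")]
PHONES_TABLETS = [IPv4Network("10.2.2.0/24")]
UNRESTRICTED = [IPv4Network("10.2.3.0/24")]
# 10.2.4.0 - 10.2.5.255 collapses to a single /23.
WINDOWS_SCOPE = list(summarize_address_range(ip_address("10.2.4.0"),
                                             ip_address("10.2.5.255")))

@dataclass
class Rule:
    name: str
    sources: list                    # source networks the rule applies to
    action: str                      # "allow" or "drop"
    match_known_users: bool = False  # 'match known users' ticked
    web_auth: bool = False           # 'use web authentication' ticked

# Rule order as described: per-range rules first, the Windows scope requires an
# identity, and an explicit catch-all drop at the bottom (assumed, not in the post).
RULES = [
    Rule("servers", SERVERS, "allow"),
    Rule("phones_tablets", PHONES_TABLETS, "allow"),
    Rule("unrestricted", UNRESTRICTED, "allow"),
    Rule("windows_known_users", WINDOWS_SCOPE, "allow", True, True),
    Rule("default_drop", [IPv4Network("0.0.0.0/0")], "drop"),
]

def decide(src_ip, known_user, rules=RULES):
    """Assumed first-match model: returns (rule name, outcome), where outcome
    is 'allow', 'drop' or 'authenticate' (the web-auth challenge)."""
    src = ip_address(src_ip)
    for rule in rules:
        if not any(src in net for net in rule.sources):
            continue
        if rule.match_known_users and not known_user:
            if rule.web_auth:
                return rule.name, "authenticate"
            continue  # identity rule does not match; fall through to the next rule
        return rule.name, rule.action
    return None, "drop"

if __name__ == "__main__":
    # A reserved phone, a new unreserved laptop landing in the Windows scope,
    # the same laptop after NTLM/Kerberos, and an address outside every range.
    for ip, known in [("10.2.2.17", False), ("10.2.4.200", False),
                      ("10.2.4.200", True), ("10.2.9.1", False)]:
        print(ip, known, decide(ip, known))
```

In this model the per-range rules do not overlap, so their order relative to each other does not change the result; what matters is that the identity rule for the Windows scope sits above the catch-all drop, so an unreserved device is challenged rather than silently dropped.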

  • Thank you very much Adrian! I was planning on this setup exactly, however, wanted to check first.

    A couple of questions:

    1. How did you achieve the AD integration, using STAS?

    2. How did you set the rule order for your rules? I guess the Known User rules are at the bottom of the IP-based rules?

    Yes, please send me the beta copy if you like.

    Best regards

    Kostas

  • Hi Kostas,

    AD integration is set up in Authentication/Servers, using settings from your Active Directory (in this case 'labnetwork.local'). But first:

    - give your XG a hostname that matches your AD, e.g. 'sophosxg.domain.local' (you will need to create a new certificate later)

    - set up a DNS route in the XG for your AD domain, pointing to your AD DNS server

    - add a static DNS entry in your AD DNS pointing to 'sophosxg.domain.local'

    Then, set up authentication similar to below and click 'test connection' and 'save'.

    This will create a computer account in your AD (check by doing a search in AD). The account is used by the XG to relay NTLM authentications to your DC and obtain a Kerberos TGT from your DC. If you reboot the XG, you will see two messages in the 'Authentication' logs saying it has established an NTLM and Kerberos connection to AD.

    Then, set up AD as the primary, or only, authentication mechanism for web users:

    Tick here:

    Test by logging onto the XG user portal on 'sophosxg.domain.local' and using AD credentials. You should see a user appear in the XG under Authentication/Users.

    Then, create a pilot firewall rule with the IP address of one PC for 'http' and 'https' traffic. Tick 'match known users' and 'use web authentication'.

    Go to the PC and start browsing. You should see a successful authentication in the XG logs. If you are adept with Wireshark, you can start capturing on the PC on port 8091, and you will see the authentication. Note the words 'Negotiate' and 'NTLM' from the XG, and the PC responding with a load of data. This is the authentication occurring.

  • Hi Kostas, I’ll answer your rules question shortly

  • Thank you very much!

    Best regards

    K

  • Hello! Any news on this please?

    Best regards

    K
