Best way for identify users without sign in into firewall

Hi all.

I want to create firewall user rules, but I don't want to authenticate everyone to the firewall. My environment has smartphones and MacBooks connected to the main network, and they will continue to access the Internet without any authentication. The other devices are Windows desktops joined to Active Directory, and for those devices I want to create specific rules.
So how can I identify users without affecting those who aren't on the Active Directory?

Thanks in advance



  • There are smart solutions like RADIUS with WPA2 Enterprise to do this. So you log in to the wireless network, and the RADIUS server's accounting information provides the firewall with the needed information about the user.

    Otherwise you could use a captive portal to achieve this. 

  • I don't want to show anything different to the users. A captive portal isn't an option. Is STAS a way? With STAS I'm not sure what happens with connected devices that aren't on the Active Directory; will they lose access to the Internet, for example?

  • Hello Wellidy,

    Adding to what Luca mentioned, if you use STAS, all the subnets you monitor will have to have an AD account, or they won't be allowed to navigate when using your user-based Firewall rules, unless you show them the Captive Portal and they authenticate with a Local user created in the Firewall.

    If those devices are always the same, you could create Clientless user access. In this case, you would use the MAC address of those devices, set a static IP, and then create user-based Firewall rules using the Clientless username.

    Note: This authentication is device-specific, not user-specific, meaning that if I use "Mac_one" and then lend it to user 2, the XG will still register all the access as "Mac_one".

    Regards,

  • You would also have to turn off 'Private Address' on iPhones to be able to assign static IPs for Clientless user access.
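The clientless-user approach from the reply above, and the Private Address caveat in the last reply, modelled as an added example. This is constructed code, not Sophos XG code or anything from this thread: the MAC-to-static-IP-to-username table (`CLIENTLESS_USERS`), the per-user rule table (`USER_RULES`), the default action and the sample connection records are all assumptions chosen to illustrate the discussion. It shows how a device is identified only when both its MAC and its reserved IP line up, how an unmapped smartphone or MacBook falls through to the unauthenticated default the original poster wants, and how a randomized MAC (the locally administered bit in the first octet is set, which is what a private Wi-Fi address looks like) can never match a reservation, so it is flagged explicitly.

```python
"""Model of clientless (MAC -> static IP -> username) identification.

Constructed example for illustration; not Sophos code. The tables below are
hypothetical and exist only so the logic can be run offline.
"""
import ipaddress
from typing import Optional, Tuple, List

# Hypothetical clientless-user table: MAC -> (reserved static IP, clientless username).
CLIENTLESS_USERS = {
    "3c:22:fb:11:22:33": ("10.0.20.11", "Mac_one"),
    "3c:22:fb:44:55:66": ("10.0.20.12", "Mac_two"),
}

# Hypothetical user-based rules: clientless username -> action for outbound traffic.
USER_RULES = {"Mac_one": "allow_restricted", "Mac_two": "allow"}

# Devices with no identity fall through to this action. It models the original
# poster's requirement that unmapped devices keep browsing without authentication.
DEFAULT_ACTION = "allow_unauthenticated"


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and return
    the lowercase colon-separated form so table lookups are stable."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set. Randomized
    'private' Wi-Fi addresses set this bit, so such a MAC will never match a
    reservation made for the device's burned-in address."""
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def identify(mac: str, src_ip: str) -> Tuple[Optional[str], str]:
    """Return (clientless username or None, reason)."""
    mac = normalize_mac(mac)
    ip = ipaddress.ip_address(src_ip)
    entry = CLIENTLESS_USERS.get(mac)
    if entry is None:
        if is_locally_administered(mac):
            return None, "private (randomized) MAC, no clientless mapping possible"
        return None, "unknown device"
    reserved_ip, username = entry
    if ip != ipaddress.ip_address(reserved_ip):
        # MAC is known but the static IP was not applied: identity cannot be trusted.
        return None, f"MAC known as {username} but {src_ip} != reserved {reserved_ip}"
    # Note the caveat from the thread: whoever is holding the device, the
    # identity is still the device's clientless username.
    return username, "clientless user matched"


def rule_action(mac: str, src_ip: str) -> str:
    """Pick the user-based rule if the device was identified, else the default."""
    username, _ = identify(mac, src_ip)
    if username is None:
        return DEFAULT_ACTION
    return USER_RULES.get(username, DEFAULT_ACTION)


# Constructed sample connection records: (client MAC, source IP).
CONNECTIONS = [
    ("3C-22-FB-11-22-33", "10.0.20.11"),   # desktop with reservation -> Mac_one
    ("3c:22:fb:44:55:66", "10.0.20.99"),   # known MAC, static IP not applied
    ("a4:83:e7:00:11:22", "10.0.20.150"),  # MacBook that was never mapped
    ("da:1b:2c:3d:4e:5f", "10.0.20.151"),  # iPhone with Private Address left on
]


def evaluate(connections) -> List[Tuple[str, str, Optional[str], str, str]]:
    """Run every record through identification and rule selection."""
    rows = []
    for mac, ip in connections:
        user, reason = identify(mac, ip)
        rows.append((normalize_mac(mac), ip, user, rule_action(mac, ip), reason))
    return rows


if __name__ == "__main__":
    for row in evaluate(CONNECTIONS):
        print(*row, sep="  ")
```

The design choice worth noting is that identification requires both halves of the mapping to agree: a known MAC arriving from an IP other than its reservation is treated as unidentified rather than trusted, because the user-based rule was written against the static IP. The U/L-bit check turns the "turn off Private Address" advice into something you can alert on when a reservation silently stops matching.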