Live users - wrong data

Hi Luk,

Clientless User(s) is always active and shown in Live User page. If you change the status their status to inactive, they will be removed from the Live user page. To do that, navigate through System > Current Activity > Live Users> Select the user and change the status. PFA screenshot:

Thanks

Sachin,

thank you for your answer. So why they are called "Live Users" if they are not live users at all.

In my case, the printer is turned off from Monday but for XG is still connected. If XG tracks live users when they connect (also my printer does not use Internet at all) should track even when a user is not connected anymore (pinging the device each minute, check a port, a url).

Really should be called activated addresses. I an issue with reporting on clientless users, how do you get 0.5 of a user?

The same clientless users have been active for months, but do not carry traffic every day.

IanMorehouse said:

Really should be called activated addresses. I an issue with reporting on clientless users, how do you get 0.5 of a user?

The same clientless users have been active for months, but do not carry traffic every day.

Ian,

I am having the same behavior. 0 Kb and users is stil "live". Answers from Sophos?

Hi All,

Clientless users are the users who can bypass the client login to access the Internet and are managed by the device itself. A clientless user can be found on the Live User page because, a client-less user is always connected and will be configured for devices which cannot authenticate on the network and requires to be live all the time, for eg: printers, VoIP box. Alongside, the traffic report for clientless user will be based on the usage, it has no realtion if the user is active and live since a month.

Thanks

Thank you Sachin. Does it gonna change with next release?

"Live users" maybe is not the proper word to use. We have to explain this to customers all the time!

Luk

sachingurung said:

Hi All,

Clientless users are the users who can bypass the client login to access the Internet and are managed by the device itself. A clientless user can be found on the Live User page because, a client-less user is always connected and will be configured for devices which cannot authenticate on the network and requires to be live all the time, for eg: printers, VoIP box. Alongside, the traffic report for clientless user will be based on the usage, it has no realtion if the user is active and live since a month.

As I already wrote in a different thread:

There is no need to create a clientless user if only Internet Access is required, so we should not think about them as a method of assigning a policy to the device.

Clientless users are perfect or maybe would be perfect if only they would be treated by firewall exactly the same as login users. Right now, clientless user is a Live user and is online 24h. This is bad. We already have a mechanism in XG which allows tracking user activity by network traffic threshold. You can activate it as an alternative method in Authentication Settings for Captive Portal. A user is considered "inactive" and logged out if he/she does not generate a minimum defined network traffic. We can apply the same mechanism to clientless users but instead disconnecting the firewall should stop time accounting for them. We would then get correct time and data accounting for clientless users. That would allow us to use clientless for mobile devices which for some reason may have problems with authentication agent. I can also imagine that some admin will want to use this feature for desktop computers in small offices/businesses. We would be able to simplify users' experience without sacrificing reporting and control capabilities.

Slawski, the system does not allow me to give you more than one like.

I think Clientless users is "by-design" working like this and even for me it is not useful. What I am thinking is:

XG tracks IP traffic and report them inside the reports, so if I create a policy rule for 192.168.0.90 (which is a computer for example that does not use any authentication method), inside the report, I will see the current traffic that computer is doing during one day/week and so on.

For clientless users, XG should map IP & Mac Address to a clientless user, so when a traffic generated by that IP & MAC address (all together), that ip is a clientless registered user (that the Admin has previously created).

In this way, no more authentication every 24 hours is needed.

If another computer/device uses the same IP but the MAC-ADDRESS is different, by defaul, traffic is blocked and a log will inform an Administrator (for example).

I do not undestand which this process (mine is an idea) cannot be used.

Really strange! Clientless users at the moment are useless!

lferrara said:

[...]

Really strange! Clientless users at the moment are useless!

Fo reporting,

should reflect exactly the traffic flow and report cannot be "fake". Under Date-wise Usage Report, used time is 1 day (we know why) but the data is wrong.

Clientless users are useful to force authentication for all devices/users, but reporting is another big missing piece (in my opinion)!

Fo reporting,

should reflect exactly the traffic flow and report cannot be "fake". Under Date-wise Usage Report, used time is 1 day (we know why) but the data is wrong.

Clientless users are useful to force authentication for all devices/users, but reporting is another big missing piece (in my opinion)!