Why clientless users cannot be reactivated after disconnection ?

I tried to cut off network traffic generated by a clientless user and clicked "Disconnect". The client was disconnected and was no longer able to use the Policy but... I was not able to reactivate that client. Changing status to off and again to on did not help. The clientless "user" had been in Disconnected state until firewall reboot.

Is it a bug or feature ?



This thread was automatically locked due to age.
  • Slawski,

    I noticed this behavior too since beta 5.

    In my case the clientless users will reappear when they get the IP from the XG DHCP server scope.

    I did not test the behavior with a device with static ip but clientless feature is still a bit confusing.

    On v15 the XG was reconnecting all the clientless users automatically every day (there is a question of mine on it) but now something has changed.

    We expect more info from Sachin or Prateek.

  • I'm not using static IPs. I have DHCP reservations on SFOS. And yes those devices renew leases but clientless user reappeared only after reboot.

    We have "status" which can be "active" or "inactive" and we have "Disconnect". It seems that we must not use "Disconnect" (so, what was the idea of including it at all?).

  • Slawski,

    I have your configuration too. As soon as I am back at the office I will check and reply to you.

  • Have the same issue here - as soon as a client is identified, by STAS or Auth Client - I am getting regular disconnections which are quite annoying as they affect Citrix client connectivity.

    XG210 with v16.01.1

  • Sergiy,

    clientless are not controlled by STAS but are clients created and managed by the XG, so yours could be another issue.

    Slawski, I disconnected the clientless (printer) and after some time (random) the same clientless reconnected. As far as I know, on v15 clientless users were connected back each day if an administrator disconnected them.

    We need feedback from Sachin or Prateek

  • Hi All,

    XG does the accounting of Clientless user daily before midnight 12:00 AM. I also tested this on my device and I was able to reenable the user easily; on version v15 MR3.

    Try restarting the tomcat service in XG and verify if the clientless user gets activated.

    Thanks

  • Sachin,

    it is still complicated for us to understand this behaviour. Also inside the reporting, clientless users are always connected so the report is not real.

    I know that Clientless users are used for devices that cannot authenticate but you have to find another way to manage them.

    Restarting a service is not a good deal/idea.

    Also Live Users on Dashboard is also misleading many users.

    See this thread I opened a long time ago: https://community.sophos.com/products/xg-firewall/f/logging-and-reporting/77108/live-users---wrong-data/296398#296398

    In my case I really like the clientless idea but I do not like how they are reported into reports and how they come online.

    As I said, XG should be able to ping devices (let's say every 5 minutes) and see if they are online (mine is an example) and the live counter can be more real.

    The other option is an integration with switches where, once a client connects to a network, information is passed to XG using SNMP and XG takes the MAC addresses it is interested in and updates its clientless users.

     

  • In v15 it worked as described, in v16 - no. ... or at least I have the issue.

    There is no need to "ping" each clientless user, I have a better idea.

    AFAIK there is a feature in the Captive portal which monitors network traffic generated by a specific user and below specified threshold it assumes client has gone and makes the session invalid.

    Why is it not possible to use the exact same mechanism to control clientless users. I know, it is not needed for Policies but it would be very useful for reporting. We would have a better representation how much time the selected device was actively using the Internet (or whatever network).

    ... and clientless users are also very useful for a small number of mobile phones in the network.

  • Slawski said:

    In v15 it worked as described, in v16 - no. ... or at least I have the issue.

    There is no need to "ping" each clientless user, I have a better idea.

    AFAIK there is a feature in the Captive portal which monitors network traffic generated by a specific user and below specified threshold it assumes client has gone and makes the session invalid.

    Why is it not possible to use the exact same mechanism to control clientless users. I know, it is not needed for Policies but it would be very useful for reporting. We would have a better representation how much time the selected device was actively using the Internet (or whatever network).

    ... and clientless users are also very useful for a small number of mobile phones in the network.

     

    I agree with you that the problem is REPORTING. They need to find a way to manage clientless users better.

  • Hi All,

    Clientless users are configured for devices which should not authenticate, for example: printer, TV, etc. Hence, making a session invalid by looking into the specified data threshold is not expected.

    As far as reporting is concerned, I think there should be a separate thread on this. Makes it more transparent.

    Thanks