Why can clientless users not be reactivated after disconnection?

I tried to cut off network traffic generated by a clientless user and clicked "Disconnect". The client was disconnected and was no longer able to use the Policy, but... I was not able to reactivate that client. Changing the status to off and back to on did not help. The clientless "user" remained in the Disconnected state until the firewall was rebooted.

Is it a bug or a feature?



  • Slawski,

    I noticed this behavior too since beta 5.

    In my case the clientless users will reappear when they get an IP from the XG DHCP server scope.

    I did not test the behavior with a device with a static IP, but the clientless feature is still a bit confusing.

    On v15 the XG was reconnecting all the clientless users automatically every day (there is a question of mine on it), but now something has changed.

    We expect more info from Sachin or Prateek.

  • Hi All,

    XG does the accounting of Clientless users daily before midnight 12:00 AM. I also tested this on my device and I was able to re-enable the user easily on version v15 MR3.

    Try restarting the tomcat service in XG and verify if the clientless user gets activated.

    Thanks

  • Sachin,

    it is still complicated for us to understand this behaviour. Also, inside the reporting, clientless users are always connected, so the report is not real.

    I know that Clientless users are used for devices that cannot authenticate but you have to find another way to manage them.

    Restarting a service is not a good deal/idea.

    Live Users on the Dashboard is also misleading many users.

    See this thread I opened a long time ago: https://community.sophos.com/products/xg-firewall/f/logging-and-reporting/77108/live-users---wrong-data/296398#296398

    In my case I really like the clientless idea, but I do not like how they are reported in reports and how they come online.

    As I said, XG should be able to ping devices (let's say every 5 minutes) and see if they are online (mine is an example) and the live counter can be more real.

    The other option is an integration with switches where, once a client connects to a network, information is passed to XG using SNMP and XG takes the MAC addresses it is interested in and updates its clientless users.

     

  • In v15 it worked as described, in v16 - no. ... or at least I have the issue.

    There is no need to "ping" each clientless user, I have a better idea.

    AFAIK there is a feature in the Captive portal which monitors network traffic generated by a specific user, and below a specified threshold it assumes the client has gone and makes the session invalid.

    Why is it not possible to use the exact same mechanism to control clientless users? I know it is not needed for Policies, but it would be very useful for reporting. We would have a better representation of how much time the selected device was actively using the Internet (or whatever network).

    ... and clientless users are also very useful for a small number of mobile phones in the network.

  • Slawski said:

    In v15 it worked as described, in v16 - no. ... or at least I have the issue.

    There is no need to "ping" each clientless user, I have a better idea.

    AFAIK there is a feature in the Captive portal which monitors network traffic generated by a specific user, and below a specified threshold it assumes the client has gone and makes the session invalid.

    Why is it not possible to use the exact same mechanism to control clientless users? I know it is not needed for Policies, but it would be very useful for reporting. We would have a better representation of how much time the selected device was actively using the Internet (or whatever network).

    ... and clientless users are also very useful for a small number of mobile phones in the network.

     

    I agree with you that the problem is REPORTING. They need to find a way to manage clientless users better.

  • Hi All,

    Clientless users are configured for devices which should not authenticate, for example: Printer, TV, etc. Hence, making a session invalid by looking at the specified data threshold is not expected.

    As far as reporting is concerned, I think there should be a separate thread on this. It makes it more transparent.

    Thanks

  • Today I am at the office and I have seen (as Slawski wrote) that once you disconnect the Clientless user, it will disappear until the next Firewall reboot.

    This has been happening since v16.

    We will open another thread for Clientless users reporting.

  • I don't agree. You don't need a clientless user just to provide a device access to the Internet (or generally use a policy). You can do it without user identification at all - just configure Network rules for all of those devices.

    A clientless user adds the ability to track that specific device's network usage but does not require it to authenticate. So, a request (or rather an idea) to detect device activity and track it is not unreasonable in my opinion.

  • Hi Slawski,

    I am starting to agree with your view over this. Great answer. Please post any further reporting suggestions on the thread Luk started separately.

    Thanks

  • Sachingurung,

    do you have any update on this behaviour?

    Thanks

  • Sophos XG SFOS 16.05.7 MR-7

    Still have the same issue with clientless users. They will not re-activate until the firewall is rebooted, a really impractical way to operate.

    Business is active during the day. Clientless user deactivated in the morning. Why must I wait until after hours to re-enable that clientless user? I can only restart the firewall when the business is closed, causing me to have to work late.