Why can't clientless users be reactivated after disconnection?

I tried to cut off the network traffic generated by a clientless user and clicked "Disconnect". The client was disconnected and was no longer able to use the policy but... I was not able to reactivate that client. Changing the status to off and again to on did not help. The clientless "user" stayed in the Disconnected state until a firewall reboot.

Is it a bug or a feature?

  • Slawski,

    I noticed this behavior too since beta 5.

    In my case the clientless users reappear when the device gets its IP from the XG DHCP server scope.

    I did not test the behavior with a device with a static IP, but the clientless feature is still a bit confusing.

    On v15 the XG reconnected all the clientless users automatically every day (there is a question of mine on it), but now something has changed.

    We expect more info from Sachin or Prateek.

  • Hi All,

    XG does the accounting of clientless users daily before midnight (12:00 AM). I also tested this on my device, on version v15 MR3, and I was able to re-enable the user easily.

    Try restarting the tomcat service in XG and verify if the clientless user gets activated.

    Thanks

  • Today I am at the office and I have seen (as Slawski wrote) that once you disconnect the clientless user, it disappears until the next firewall reboot.

    This is happening since v16.

    We will open another thread for Clientless users reporting.

  • I don't agree. You don't need a clientless user just to give a device access to the Internet (or generally to use a policy). You can do it without user identification at all - just configure network rules for all of those devices.

    A clientless user adds the ability to track that specific device's network usage but does not require it to authenticate. So, a request (or rather an idea) to detect device activity and track it is not unreasonable in my opinion.

  • Hi Slawski,

    I am starting to agree with your view over this. Great answer. Please post any further reporting suggestions on the thread Luk started separately.

    Thanks

  • Sachingurung,

    do you have any update on this behaviour?

    Thanks

  • Hi Slawski, Luk

    I have tested this in my local lab. I agree with your view about not creating a clientless user just to give a device access to the Internet. But I also believe that I would want to apply all the policies of the live user to the clientless user without creating another firewall rule.

    P.S. A clientless user is a live user and its traffic traverses the same rule as all other users. For example, if I create a clientless user for an IP phone, its traffic passes through the same policies as my user policies do, therefore if any user uses the IP phone's computer jack to bridge it to their PC, they will still go through the same policy. Also, if your IP phone is smart with a built-in, you may end up with two different policies and a user may access blocked content on the phone browser :)

    When you create/add a clientless user to the device, the device will put that user into the live users list (authenticated by default).

    When you disconnect the clientless user from the live users list, you are explicitly deleting the live user from the list. The only cases I can think of when you would want to disconnect the clientless user are when you want to stop providing Internet access to a particular device/IP, or when the device no longer exists in your network.

    Instead of explicitly disconnecting the device, you can:

    1. Delete the device from the clientless users list

    2. Toggle its status (Active/Inactive)

    P.S. There is no need for a reboot when you toggle the status from inactive to active; the clientless user will appear back in the live users list (I tested this in my lab on XG v16). Please see the screenshots below.

    Hope that helps.

    Regards,

  • Thanks Varun,

    I tested it and it works. In this way we can stop a live user from processing traffic and enable it again when it is needed.

    A disconnected status (even with the time inside the Clientless tab) would help admins to understand whether the clientless user has been disconnected and who did it.

    Searching in the log can be done, but for the moment the logs go away when the XG reboots.

    I like this approach, anyway!

    Thanks

  • varunparikh said:

    1. Delete the device from the clientless users list

    2. toggle status (Active/Inactive)

    Point 1 doesn't make any sense. Why would you delete a user that you want to temporarily disconnect, just to recreate them again to give them access later on and create extra work for yourself?

    Point 2 makes sense and it has always worked correctly for me, even when I disconnect a clientless user, as I can change the status and make a user inactive and active again to bring the user back online. However, I think the feature is not working as expected for  and he has to reboot the firewall for it to work. So his point still stands: why have you guys added the disconnect button if you want us to then go back and change the user status to inactive?

    In addition, there could be countless reasons to disconnect a user other than wanting to delete them permanently, but that is not the point of this discussion.

  • Hello Billy,

    The disconnect button is not only for clientless users; it can be used for all user types.

    I agree there are countless reasons to disconnect a user.

    Regards,

  • The log viewer is in the cache, so it goes away with the reboot.

    But you can find these logs in Reports -> Events.

    Regards,
