Why can't clientless users be reactivated after disconnection?

I tried to cut off the network traffic generated by a clientless user and clicked "Disconnect". The client was disconnected and was no longer able to use the policy, but... I was not able to reactivate that client. Changing the status to off and again to on did not help. The clientless "user" stayed in the Disconnected state until a firewall reboot.

Is it a bug or a feature?



  • Slawski,

    I noticed this behavior too since beta 5.

    In my case the clientless users reappear when they get their IP from the XG DHCP server scope.

    I did not test the behavior with a device with a static IP, but the clientless feature is still a bit confusing.

    On v15 the XG was automatically reconnecting all the clientless users every day (there is a question of mine on it), but now something has changed.

    We expect more info from Sachin or Prateek.

  • Hi All,

    XG does the accounting of clientless users daily before midnight (12:00 AM). I also tested this on my device and I was able to re-enable the user easily, on version v15 MR3.

    Try restarting the tomcat service on the XG and verify whether the clientless user gets activated.

    Thanks

  • Sachingurung,

    do you have any update on this behaviour?

    Thanks

  • Hi Slawski, Luk

    I have tested this in my local lab. I agree with your view about not creating a clientless user just to give a device access to the Internet. But I also believe that I would want to apply all the policies of the live user to the clientless user without creating another firewall rule.

    P.S. A clientless user is a live user and its traffic traverses the same rule as all other users. For example, if I create a clientless user for an IP phone, its traffic passes through the same policies as my user policies do, therefore if any user uses the IP phone's computer jack to bridge it to their PC, they would still go through the same policy. Also, if your IP phone is smart with a built-in, you may end up with two different policies and the user may access blocked content in the phone browser :)

    When you create/add a clientless user to the device, the device will put that user into the live users list (authenticated by default).

    When you disconnect the clientless user from the live users list, you are explicitly deleting the live user from the list. The only cases I can think of where you would want to disconnect the clientless user are when you want to stop providing Internet access to a particular device/IP, or when the device no longer exists in your network.

    Instead of explicitly disconnecting the device, you can:

    1. Delete the device from the clientless users list

    2. Toggle the status (Active/Inactive)

    P.S. There is no need for a reboot when you toggle the status from inactive to active; the clientless user will appear again in the live users list. (I tested this in my lab on XG v16.) Please see the screenshots below.

    Hope that helps.

    Regards,

  • Thanks Varun,

    I tested it and it works. In this way we can stop a live user from processing traffic and enable it again when it is needed.

    A disconnected status (even with the time inside the Clientless tab) would help admins understand whether the clientless user has been disconnected and who did it.

    Searching in the log can be done, but for the moment the logs go away when the XG reboots.

    I like this approach, anyway!

    Thanks

  • varunparikh said:

    1. Delete the device from the clientless users list

    2. toggle status (Active/Inactive)

    Point 1 doesn't make any sense. Why would you delete a user that you want to temporarily disconnect? Just to recreate them again to give them access later on and create extra work for yourself?

    Point 2 makes sense and it has always worked correctly for me, even when I disconnect a clientless user, as I can change the status and make a user inactive and active again to bring the user back online. However, I think the feature is not working as expected for  and he has to reboot the firewall for it to work. So his point still stands: why have you guys added the disconnect button if you want us to then go back and change the user status to inactive?

    In addition, there could be countless reasons to disconnect a user other than wanting to delete them permanently, but that is not the point of this discussion.

  • Hello billy

    The disconnect button is not only for clientless users; it can be used for all user types.

    I agree there are countless reasons to disconnect a user.

    Regards,

  • The log viewer is on the cache, so it goes away with the reboot.

    But you can find these logs in Reports -> Events.

    Regards,

  • Bill,

    I think that the disconnect button makes sense... let me give an example: you are running out of bandwidth, so the first thing you do is use the Connection list or Flow Monitor (Sophos, we need this back) and see who is consuming this bandwidth. In one place you have all the users and devices, so a Disconnect button makes sense; otherwise you have to write down the most consuming users on a notepad and go to Authentication > Users/Clientless users and change the status.

    Also this is time consuming and you do not have the real situation (a gap exists between the time you look at the Connection list and the time you change the status).

    What I am complaining about is that Sophos did not explain the clientless behaviour in any documentation: if they are disconnected, when are they reconnected again?

    On v15, if you have disconnected a clientless user, they are automatically authenticated again after 24 hours.

    On v16, if you disconnect a clientless user, this user is disconnected forever. If you reboot the XG, all clientless users are automatically authenticated.

    I like the behaviour on v16, but without Varun's answer we did not know how to reconnect them.

    Sophos has to pay attention to that! There are some threads on clientless users and live users because no one has explained it or written it in the documentation.

    Look at the online doc:

    http://docs.sophos.com/nsg/sophos-firewall/v16011/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FLiveUserManage.html%23

    http://docs.sophos.com/nsg/sophos-firewall/v16011/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FClientLessUserManage.html

    So Sophos, please make sure to integrate this behaviour into the documentation in the next build/release.

    Thanks

  • Thanks for the answer, but you haven't addressed the main issue. In the current development state the "Disconnect" button is virtually useless because you don't have any means of reverting its action, and you can do everything you need without that button.

    If you want to disable the user, change its status; that's ok. If you want to delete the user completely, then go and delete it. But what function does the "Disconnect" button have that the previous ones do not?

    In my opinion the current behaviour is just a bug. It was supposed to work on "Live Users" (we are talking about the Current Activity -> Live Users view). We can "disconnect" normal users and they may reconnect, but somebody has forgotten that "clientless users" are not able to log in again. In v15 it worked as it should: a disconnect is a disconnect, and the clientless user reappears after midnight (or 24h, I don't remember). But in v16 it is badly broken.

    On the other hand, if you want to compare clientless and normal users, please have a look at their properties. There are lots of things you can't set for a clientless user that you can for a normal user. I think clientless users should function exactly the same way as normal users, and the only difference should be that the firewall "authenticates" them just by the IP used.

  • I stopped using v15 very early, so apologies for not understanding the exact differences. I get exactly what  is saying now. The disconnect button for a clientless user is a permanent action in v16. In v15 the clientless users came back and reconnected after 24 hrs (midnight) without any further interaction from the firewall admin. So disconnection was like a temporary ban till midnight in v15.

    In v16 disconnect is functioning like a disable button for clientless users; they will not reconnect unless the firewall is rebooted. I agree that this is a bug and needs to go back to the v15 behavior. Otherwise the disconnect button in the clientless user case is functionally identical to the disable button.

    I also agree about the intentionally handicapped functionality of clientless users. There should be absolutely no difference between clientless and regular users other than the way that they authenticate.

    Regards

    Bill

  • Sophos XG SFOS 16.05.7 MR-7

    Still have the same issue with clientless users. They will not re-activate until the firewall is rebooted, a really impractical way to operate.

    Business is active during the day. A clientless user is deactivated in the morning. Why must I wait until after hours to re-enable that clientless user? I can only restart the firewall when the business is closed, causing me to have to work late.
