client auth per API without password

Marco,

you can use clientless users to authenticate users. What you have to do is to create a clientless users under Authentication and assign them username/email/ip address.

Make sure to configure a static mapping inside the DHCP server.

Email is still mandatory on this release. :-(

Clientless users can be created using API.

See the AppendixE from Sophos XG online help:

http://docs.sophos.com/nsg/sophos-firewall/v16011/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FAppendixGGuides.html%23

Hope it helps!

That is not a solution for me, because clientlessuser can't mapped to active directory users.

Ok...

If you are using AD, I do not think you can import users using API.

You can find users Chapter Under System > Authentication >Users from API document.

The other option is to use RADIUS server for authentication. You can configure RADIUS server role on your server and manage users accesses from there.

On XG you only need to add RADIUS server as Authentication Server and make sure that you add it inside Authentication > Services.

Hope this helps!

Ok...

If you are using AD, I do not think you can import users using API.

You can find users Chapter Under System > Authentication >Users from API document.

The other option is to use RADIUS server for authentication. You can configure RADIUS server role on your server and manage users accesses from there.

On XG you only need to add RADIUS server as Authentication Server and make sure that you add it inside Authentication > Services.

Hope this helps!

I didn't want to import users. I want to authenticate an exists user on firewall for user firewall policy. the problem is, i didn't have a password from user, so i want to authenticate it by an separate (admin) role to do this. in the api documentation i have not found a call for authenticate or logoff an user.

I have only a username, ip and a mac address.

ip and mac address can be dynamically

additional an user can have more connection so i have multiple ip/mac combinations.

Marco,

this is not possible I think. The only one you have is to you RADIUS.

It was an option for me to use a Radiusserver.

But i didn't understand how it will prevent passwort input?

Marco,

using RADIUS, authentication will be managed by RADIUS Server (where you can add users/groups)

https://community.sophos.com/kb/en-us/123164

On XG you can the users to Firewall rules. Users do not need to enter a password. AD and RADIUS will manage the authentication transparently.

we will try... an report :D

We have try some tests, the big problem is, that no device send ip address in radius information. only mac will provide.

So i have build my own config to add ip address.

How can i submit an mac address? At the moment the mac address is empty from Radius SSO