
Sophos Wireless, DHCP and Mobile devices! Doubts and queries!!

Hello Sophos Community Members,

I would like to share my wireless scenario with you.

Current scenario :

1 network with 1 SSID, e.g. ABC; Domain controller: DHCP; a combination of Sophos APs and Delink wireless devices, all with the same SSID.

Domain controller DHCP serving the clients


With the increasing number of wireless mobile devices, I am planning to split my network into 2 different networks:

1) 192.168.x.x series for LAN users and local laptops (SSID: ABC) (DHCP: domain controller DHCP)
2) 172.16.10.x series for mobile/tab devices (SSID: ABC_Mobile) (DHCP: Sophos UTM DHCP)

We have all Sophos products with us: Sophos UTM, AP and SEC.

I would like the users of both these networks not to connect to the other one. For example, a laptop of the internal network should connect only to SSID ABC and should not be able to connect to the other network (SSID ABC_Mobile), and vice versa.

Also I would like to seek guidance on the web filtering profile for mobile devices and their authentication (AD SSO? CA certificate?).

Other questions that come to mind :

1) What is the device-specific web filtering profile (based on OS) and how will it help?
2) How to go about HTTPS?
3) How do I authenticate legitimate mobile devices? (Well, MAC binding is one way!!)

Another interesting question :

We have our DC DHCP for network ABC.
For the second network ABC_Mobile the DHCP is the Sophos UTM's. I have a mix of APs: Sophos and a set of Delink wireless routers.
How do I force the clients connecting to the Delink wireless routers to get IPs from the Sophos UTM DHCP? We don't use VLANs in our network.

Come on experts, please guide! Thanks


PS: Have been a fan of Sophos and its configurations since installation in our organization in 2015.



  • For having other access points getting DHCP from Sophos, I think you'll have to create a new physical interface using the specified 172.16.10.x range and connect this interface to a separate switch (or start using VLAN when you want to use your current switch(es)).

    Then every client that connects to this interface will be able to get a DHCP address from the server (in this case Sophos UTM).

    Preventing devices from connecting to a specific SSID will be harder; I think this can only be done by maintaining MAC addresses and specifying allowed MAC addresses on both SSIDs. If the mobile SSID is used to connect BYOD devices, then this will be a pain in the ass to configure and keep up to date.

    For starters you could configure the ABC SSID to use RADIUS authentication, which will make it a little bit harder to connect to it since there's not 1 password for all devices. However, mobile clients whose users also have an AD account will probably still be able to log in to the RADIUS-configured SSID.

    I don't think AD SSO is possible with mobile devices (maybe on Win10 Mobile, but I don't believe it's possible on iOS / Android since you simply don't log on to this device using an AD account). You'd probably either use a transparent proxy or a standard proxy, with or without authentication.

    HTTPS scanning will most likely break some sites even when you have the correct proxy CA certificate trusted, therefore I would recommend against it, especially on the mobile devices that might not even trust your proxy CA certificate.

    I have never really tried the device-specific web filtering, so has anyone? I'm also curious about how well this works.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
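As an added example (not from this thread or from Sophos), the "keep a list of allowed MAC addresses per SSID" approach above can at least be audited automatically: the script below reads a DHCP lease export from both scopes and flags any device that got a lease on the network it is not allotted to, or that is not on either allowlist. Subnets follow the question (192.168.x.x for ABC, 172.16.10.x for ABC_Mobile); the lease line format, MAC addresses and hostnames are constructed sample data.

```python
# Added example: audit DHCP leases against a per-SSID allowlist of
# company-allotted MAC addresses. All MACs, hostnames and the lease
# line format are constructed for illustration.
import ipaddress
import re

# Constructed allowlists: which MACs belong on which SSID.
ALLOWED = {
    "ABC":        {"00:11:22:33:44:01", "00:11:22:33:44:02"},  # laptops
    "ABC_Mobile": {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"},  # mobiles/tabs
}
# Subnet assigned to each SSID, as described in the question.
SUBNET_FOR_SSID = {
    "ABC": ipaddress.ip_network("192.168.0.0/16"),
    "ABC_Mobile": ipaddress.ip_network("172.16.10.0/24"),
}

# Constructed lease export, one lease per line: "<ip> <mac> <hostname>".
SAMPLE_LEASES = """\
192.168.1.50 00:11:22:33:44:01 LAPTOP-FIN01
172.16.10.20 aa:bb:cc:dd:ee:01 ipad-sales
172.16.10.21 00:11:22:33:44:02 LAPTOP-HR02
192.168.1.77 aa:bb:cc:dd:ee:02 android-ceo
172.16.10.99 de:ad:be:ef:00:01 unknown-device
"""

LEASE_RE = re.compile(r"^(\S+)\s+([0-9a-fA-F:]{17})\s+(\S+)$")

def expected_ssid(mac):
    """Return the SSID whose allowlist contains this MAC, or None if unknown."""
    for ssid, macs in ALLOWED.items():
        if mac in macs:
            return ssid
    return None

def audit_leases(text):
    """Return (mac, ip, finding) for every lease that violates the SSID policy."""
    findings = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue                      # skip malformed or empty lines
        ip, mac, _host = m.groups()
        mac = mac.lower()
        addr = ipaddress.ip_address(ip)
        actual = next((s for s, net in SUBNET_FOR_SSID.items() if addr in net), None)
        wanted = expected_ssid(mac)
        if wanted is None:
            findings.append((mac, ip, "unknown MAC on %s" % actual))
        elif wanted != actual:
            findings.append((mac, ip, "expected %s but got lease on %s" % (wanted, actual)))
    return findings
```

Running `audit_leases(SAMPLE_LEASES)` reports the laptop that landed on the mobile scope, the phone on the LAN scope, and the unknown MAC; a clean export returns an empty list.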

  • Hi Jeet,

    You already have an amazing answer to your question by . I just want to refer you to one such community question here.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials

  • On your theoretical question, I think the complete list of options for authenticating wireless users are the following, although I cannot address which ones are supported by Sophos products:

    1) MAC filtering at the access point.

    2) Login to a RADIUS or TACACS+ authentication server, using either the device MAC for both username and password, or a user-entered username and password. The second approach assumes that the user can boot his device to a point where he can enter the login information, which may not work for some devices.

    3) 802.1X authentication, where the device is equipped with an identity certificate which it presents as part of the connection process. In some implementations, I think it can be combined with user login as well. This is the most complex and probably the most secure for large organizations that need to support many laptops moving between many locations.

    4) Old-fashioned WPA2, which only works if you can control knowledge of the WPA2 password. Since it is very difficult to switch to a new password, it is not really a solution to your question.

  • apijnappels,

    Thank you for your to-the-point revert on all of my queries.
    Makes my doubts quite clear.

    apijnappels said:
    For having other access points getting DHCP from Sophos, I think you'll have to create a new physical interface using the specified 172.16.10.x range and connect this interface to a separate switch (or start using VLAN when you want to use your current switch(es)).

    Initially I will go forward with the separation of networks, as I see no other option but to physically separate both networks.
    Just wondering how Sophos APs can do that while being in the same network.

    apijnappels said:
    Preventing devices from connecting to a specific SSID will be harder; I think this can only be done by maintaining MAC addresses and specifying allowed MAC addresses on both SSIDs. If the mobile SSID is used to connect BYOD devices, then this will be a pain in the ass to configure and keep up to date.

    Well, most of these devices are company-allotted so keeping track would be easier, well, if that's the only option!

    apijnappels said:
    For starters you could configure the ABC SSID to use RADIUS authentication, which will make it a little bit harder to connect to it since there's not 1 password for all devices. However, mobile clients whose users also have an AD account will probably still be able to log in to the RADIUS-configured SSID.

    Well then, will look for RADIUS server options!

    apijnappels said:
    I don't think AD SSO is possible with mobile devices (maybe on Win10 Mobile, but I don't believe it's possible on iOS / Android since you simply don't log on to this device using an AD account). You'd probably either use a transparent proxy or a standard proxy, with or without authentication.

    Need more clarity on this; will post it in a separate thread!

    apijnappels said:
    I have never really tried the device-specific web filtering, so has anyone? I'm also curious about how well this works.

    Will check out the threads/topics on this in the forum and get back.

    Once again, thanks for all the pointers!

    Regards,

    Jeet J

    Network Administrator

    Sophos UTM SG 450, Sophos UTM SG 125 x 6, Sophos SEC, Sophos AP

  • Thanks Sachin,

    Have gone through the post; will ask Balfson for the document he is maintaining for the guest wireless network.

    Regards,

    Jeet J

    Network Administrator

    Sophos UTM SG 450, Sophos UTM SG 125 x 6, Sophos SEC, Sophos AP

  • DouglasFoster said:

    2) Login to a RADIUS or TACACS+ authentication server, using either the device MAC for both username and password, or a user-entered username and password. The second approach assumes that the user can boot his device to a point where he can enter the login information, which may not work for some devices.

    3) 802.1X authentication, where the device is equipped with an identity certificate which it presents as part of the connection process. In some implementations, I think it can be combined with user login as well. This is the most complex and probably the most secure for large organizations that need to support many laptops moving between many locations.


    Thanks DouglasFoster,

    I am definitely looking for RADIUS server authentication which will help me put in another layer of authentication.

    Regards,

    Jeet J

    Network Administrator

    Sophos UTM SG 450, Sophos UTM SG 125 x 6, Sophos SEC, Sophos AP