How do you use authentication as a Home user?

I use XG in my home, as many do apparently. While the enterprise class features are very nice to have, they sometimes create difficult situations for us non-corporate environments. I'm wondering how those of you in my shoes handle the authentication issue.

For background, I have two little kids just starting to get into computers. They each have tablets and one just got her first laptop. I have a computer-illiterate wife who has a phone and tablet and a laptop and, well, another laptop she uses to do bookkeeping for a buddy's business. I have several devices myself... more than I care to admit. I also have some servers in a DMZ as well as a plethora of IoT devices and a network printer. The true clientless devices, I have no problem with. Static (or DHCP reservation) and they behave in the home as they do in the office... clientless things that do what they do and nothing more. It's the human users I struggle with.

In an ideal world, the XG authentication client would work perfectly every time, never get kicked off, and survive the never-ending cycle of suspend and resume. In a super ideal world, I would be able to link multiple devices to a single user, through IP or MAC or even an installed client that just pinged XG with an identifier (not authentication). As long as I'm dreaming, it would be great to have a kid's (or wife's) laptop default to a clientless user linked to a real user that could be overridden with the authentication client when I need to log in and install shareware that's normally blocked from download.

But, this is not an ideal world and the unique use cases of the home user are so far off from the corporate environment that I do not expect Sophos to address these issues. It is more than awesome enough they have opened up the XG product to us non-paying people in the first place.

So, I wanted to start this discussion to see what others have done. Have you just gone clientless for everything? Do you use the authentication client and deal with the grumblings of family members who can't access the web because the little CAA icon went from orange to grey and they didn't notice? Do you just create some MAC or IP hosts and use those for rules?

Thanks in advance for any input, advice, or insight!

  • Gary,

    I have been using CAA since v15 and now it is quite stable compared to v15, but the problem of closing the lid or moving between Wi-Fi networks still takes up to 2 minutes and is not fixed. You can use IP-based or MAC firewall rules, but as soon as your users use different devices, they may or may not be able to access the destination URL and application. CAA is a good balance in an ideal world.

    Can we have an update on this issue/behaviour?

    https://community.sophos.com/products/xg-firewall/f/authentication/92767/caa-and-closing-laptop-lid

    Regards

  • In reply to lferrara:

    Thanks lferrara. I've been test driving CAA on two of my Win10 devices, and while they usually work fine, it is the occasional hiccup (mostly coming out of sleep, but other odd drops as well) that will NOT make the wife happy. For that matter, the kids won't like it either. But, I'm considering this as an option.

  • In reply to lferrara:

    -Comment Removed-


    FloSupport | Community Support Engineer

  • In reply to FloSupport:

    Hi FloSupport,

    That KB article talks about changing the STAS guest flush timeout. Does your comment imply that it will somehow affect the Client Authentication Agent as well?

    Thanks,

    Gary

  • In reply to Gary Parr:

    Hey  

    My mistake! I was working on a separate issue and confused myself :)

    I believe that this behavior has not changed and still remains the same: there is a delay of 2 minutes for the Agent to reinitialize the authentication request. I'm going to perform further investigation and inquire if there is any more feedback regarding this.

    Thanks,

    FloSupport | Community Support Engineer

  • Gary,

    I use MAC Hosts for everything. Wife and 2 kids that each have phones/tablets/laptops, etc. A pile of streaming devices, cameras, and more. I have several pages of MAC Hosts and the list is starting to get difficult to manage. I wish they would implement MAC Host Groups. I have very few static IPs. Only devices like the media server or the NAS. User devices are all dynamic. It makes the reports difficult to follow, showing only IPs.

    It works pretty well. It always applies the right firewall rules as soon as I add a new MAC Host to the rule. You just need to be wary of shared devices that may have more internet access than you want the kids to have (Xbox or dad's tablet). I've been considering using authentication on shared/dad's devices so that they default to limited access, but get more when authenticated. Depending on the device, this may get difficult and the trouble of authenticating may not be worth it.

  • In reply to Rick Kressin:

    Hi,

    You can use clientless users with statically assigned IP addresses and they show in most reports. You can group clientless users into groups that you assign to firewall rules.

    Ian

  • In reply to rfcat_vk:

    Ian,

    Thanks for the tip.

    I wish I could take advantage of clientless users with static IPs. I have two wireless networks and they each have their own DHCP range, managed by XG. A home network for all our devices and a guest network. If anyone in our family gets on the guest network, I want the same rules to apply as when they are on the home network. My problem is that I can't add a static IP address for the same MAC address in two different DHCP ranges. XG enforces only one unique MAC address across all DHCP ranges. I could assign a static IP for a device in the home network, but then in the guest network, they would get an unknown IP address and that's where I lose my clientless user.

    Maybe there's another way around the issue. I'd like to try clientless users. I don't think it would be any more work to manage static IPs for all my devices versus managing MAC hosts. A clientless user linked to a MAC address or a MAC host would be ideal.

  • In reply to Rick Kressin:

    Hi Rick,

    You can use the same DHCP range across all SSIDs. I have a number of SSIDs and 1 LAN and use static IP addressing and clientless to ensure the same rules apply regardless of which SSID they use. Clientless and static IPs ensure that all devices behave themselves. Also, I currently have two internet connections and can move devices around using the clientless entries.

    Ian

  • In reply to rfcat_vk:

    rfcat_vk

    "you can use the same DHCP range across all SSIDs."

    Can you possibly expand on how you work this? I also segregate my LAN and GST networks, but I do so using two different access points connected to two different network ports on XG with different subnets. How would you create an isolated GST network using the same DHCP range as on LAN that allows clients to have the same IP regardless of which SSID they connect to?

    Thanks!

    Gary

  • In reply to Rick Kressin:

    Rick Kressin

    "I use MAC Hosts for everything."

    I currently set up MAC hosts as well, figuring that was marginally more secure than IP hosts. But, since you can't group MAC hosts I'm now looking again at IP. What drives me nuts is the lack of "coordination" in XG between the different MAC/IP/Client assignment screens. If I'm creating a static DHCP assignment to a MAC address in the DHCP screen, why can I not just check a box to have that assignment automatically create an associated host and/or clientless user? Instead I've got to navigate between three different screens to manage a single entity.

    And yes, reports (and the live dashboard screens) are near impossible to work with if you are trying to remember which device is which IP. I've been creating clientless users for every device just so I can read the reports, but (because of my gripe above about multiple screens) it is rather cumbersome trying to keep track of it all. And, what really stinks is that if you have a clientless user set up for the kids' laptop but then try to authenticate with CAA so you can install stuff they can't, the CAA won't work... XG doesn't let you register a real user to a device that's clientless. At least, I couldn't get it to work.

    Also, like you I run a guest network and need to keep my kids off of it. Something I'm looking at is keeping the guest AP open (no security) and then using the SMS integration with Guest Users to create temporary guest accounts. There are some really, really dirt-cheap SMS gateways out there that might cost you a few bucks a year for such a low volume or, if you have time to tinker, you can send 100 SMS a month for free with an Amazon AWS account and SNS.

    Anyway, thanks for sharing how you are handling this.

    Gary

  • In reply to Gary Parr:

    Hi,

    I am not sure why you think MAC addressing is more secure than IP addressing. Both can be spoofed.

    I understand your frustration with the lack of linking between various functions. The XG network management is very limited, it might have fantastic application and web filtering features but the lack of other features makes it hard to manage.

    Please explain what you are trying to do with real users and clientless assignments? I don't have a need to use the various signs functions since my kids left home. I do have names assigned to clientless users though.

    Ian

  • In reply to rfcat_vk:

    Hi Ian,

    When I said "marginally more secure" I should have emphasized the "marginally" part. I suppose I think this way for two reasons. Primary among them is that my kids will figure out how to set a static IP before they will discover what a MAC even is, much less how to change one. Secondary is just basic identifier primacy. If you figure MAC is used to create the IP reservation in the DHCP server, then the MAC is ipso facto the top of the chain. But agreed, they can both be worked around with minimal effort by anyone with enough curiosity to explore their network configuration options.

    As for the whole real user vs clientless thing, it really boils down to the following use cases:

    • devices that are used by both adults and kids at different times of the day for different reasons.
    • tracking use across multiple devices for kids surfing quota restrictions
    • aggregating reports by the actual user

    With clientless, I really can't do any of those. I need individual user identification, but the authentication client has its own set of issues. Namely that it doesn't always want to reconnect on devices that spend most of their time sleeping. Oh, and it isn't available in the Amazon app store for installation on the kids' Fire tablets.

    Anyway, I know there will be no perfect solution for home users. We're just not the target market for this product. So, mostly I'm just looking to see what everyone else does and hopefully uncover some useful nuggets I can incorporate into my own strategy.

    Thanks,

    Gary

  • In reply to Gary Parr:

    Hi Gary,

    With shared machines you have a problem. If you tie a MAC to an IP and use clientless, then assign the clientless user to groups which have specific firewall rules, that will improve your control. The kids would then have to put a static IP address in the range that you have allowed the adult machines to access. Of course there's always the hard solution of installing your own server with AD functions.

    Do not try and use IPv6. The XG is not ready; even though it has IPv6 functions, they are very limited when compared to the IPv4 functions.

    Ian
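    Ian's scheme above (MAC tied to a reserved IP, clientless user placed in a group with its own rules) still leaves the workaround he names: a device simply setting a static IP inside the adult range. The following is an added example, not code from the thread or from Sophos, that audits an observed IP/MAC snapshot against such reservations and flags exactly those mismatches; the reservation table, the privileged range and the ARP snapshot are all constructed assumptions.

```python
# Added example (not from the thread): audit observed IP/MAC pairs against the
# DHCP-reservation + clientless-user scheme described above. All data is constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed reservation table: MAC -> (reserved IP, clientless user name)
RESERVATIONS = {
    "aa:bb:cc:00:00:01": ("192.168.1.10", "dad-laptop"),
    "aa:bb:cc:00:00:02": ("192.168.1.11", "mom-laptop"),
    "aa:bb:cc:00:00:21": ("192.168.1.50", "kid1-laptop"),
}
# Range whose firewall rules grant adult-level access (assumed for the example)
ADULT_RANGE = ip_network("192.168.1.0/28")  # .0 - .15

# Constructed neighbour/ARP snapshot, one "ip mac" pair per line
ARP_TABLE = """\
192.168.1.10 aa:bb:cc:00:00:01
192.168.1.12 aa:bb:cc:00:00:21
192.168.1.11 aa:bb:cc:00:00:99
192.168.1.5 aa:bb:cc:00:00:88
192.168.1.130 aa:bb:cc:00:00:77
"""

@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str

def parse_arp(text):
    """Yield (ip, mac) from whitespace-separated lines, skipping blanks."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], parts[1].lower()

def audit(reservations, arp_text, privileged=ADULT_RANGE):
    """Flag observed pairs that do not match the reservation scheme."""
    ip_to_mac = {ip: mac for mac, (ip, _) in reservations.items()}
    findings = []
    for ip, mac in parse_arp(arp_text):
        owner = ip_to_mac.get(ip)  # MAC this IP is reserved for, if any
        expected = reservations.get(mac, (None, None))[0]
        if owner is not None and owner != mac:
            findings.append(Finding(ip, mac, f"IP reserved for {reservations[owner][1]} used by another MAC"))
        elif expected is not None and expected != ip:
            where = " inside privileged range" if ip_address(ip) in privileged else ""
            findings.append(Finding(ip, mac, f"{reservations[mac][1]} left reserved IP {expected}{where}"))
        elif owner is None and ip_address(ip) in privileged:
            findings.append(Finding(ip, mac, "unreserved address inside privileged range"))
    return findings
```

Run `audit(RESERVATIONS, ARP_TABLE)` against a real neighbour table exported from the firewall or a switch to get the same three classes of finding; unknown devices in the dynamic pool are deliberately not reported.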

  • In reply to rfcat_vk:

    Yeah, right now I'm grouping hosts into things like tablets, phones, IoT, routers, servers, etc. It's just those shared devices as you said. As for AD... even if I could hack STAS to work with OpenLDAP on Linux, I'm still stuck with countless Windows 10 Home machines and various other devices that don't know how to authenticate in that environment. I thought about it though!

    Thanks for the heads up about IPv6... I was actually about to start tinkering with that. Perhaps I'll push it further down the to-do list.