Hi. I have a set of MAC addresses for which I'd like to block traffic unless they are logged in.
I'd simultaneously like to avoid this setup in the firewall screen:
Because I have an army of machines on the network I'd prefer remain unaffected by this condition.
My first instinct was to create a clientless group for these MAC addresses, but it appears that the clientless group supersedes the client-based authentication. My log was full of:
"User abc failed to login to Firewall through authentication mechanism from 192.168.168.33 because of Already login as clientless user"
From your description, you are not using a login server or AD network access control? How do you control your user access to network services?
In reply to rfcat_vk:
Thanks for the help! Appreciated!
Currently, the users are added right into the Sophos Authentication > Users area.
To paint a better picture, these are shared computers used for testing and such tasks in a relatively open area. I want to ensure that users log in using the Sophos client before they work.
So far, I've been able to disable them by:
Unfortunately, it's the re-enabling access part that doesn't seem to work.
In the groups area, I am able to set order, I would have thought that this order affects 'authentication' order, but it looks like whatever I try, the user cannot log in since that machine is already logged in as a 'clientless user'.
In reply to Alexandre Lemaire:
The way to change user status is in clientless users: click the user, change the status, wait a short time, then change the status again; that will enable a new connection. You can select a number of individual clientless users by the filter and change their status at the same time.
I had a play with that reorder function and am not sure what the role of that feature is.
Yeah, not sure what the ordering feature is for either.
If I toggle the clientless users as 'inactive', won't that let these machines through the firewall given how I've set things up?
No, that blocks access to the internet, e.g. drops connections. It is the recommended way of stopping and restarting connections; otherwise a restart is required.
Because you have linked the clientless user to a specific firewall rule it will be blocked until you re-enable it.
Unfortunately when I try that, it lets the computers right through. I think the semantic is indeed to disable the binding.
The answer to that is very simple: you do not have any groups selected in your other rules, which allows any device to access the internet.
The difficult part for you is to add groups to each firewall rule.
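As an added illustration of the point made in this thread (not code from the thread or from Sophos): a small top-down, first-match rule model showing why a drop rule bound to a clientless identity stops matching once that identity is set inactive, so the device falls through to an allow rule that has no group selected, and why giving every allow rule a group closes the gap. Rule semantics, the `evaluate` helper and the MAC addresses are assumptions constructed for the example.

```python
# Constructed model of firewall rule evaluation (assumption: rules are
# checked top-down and the first matching rule decides; no match = drop).
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "drop"
    src_macs: set = field(default_factory=set)   # empty = any source device
    groups: set = field(default_factory=set)     # empty = no identity check

# Constructed sample MACs standing in for the shared test machines.
SHARED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

def evaluate(rules, mac, identity_groups):
    """Return the action of the first rule matching this device.

    identity_groups: groups of the identity currently attached to the MAC
    (e.g. {"clientless"} while the clientless user is active, the client
    user's groups after a client login, or an empty set if no identity).
    """
    for r in rules:
        if r.src_macs and mac not in r.src_macs:
            continue                     # device not in the rule's scope
        if r.groups and not (r.groups & identity_groups):
            continue                     # identity condition not met
        return r.action
    return "drop"                        # implicit final drop

def original_policy():
    # The poster's setup: a drop rule tied to the clientless group for the
    # shared machines, followed by a broad allow rule with no group at all.
    return [
        Rule("drop-shared-clientless", "drop", SHARED_MACS, {"clientless"}),
        Rule("allow-everyone", "allow"),
    ]

def fixed_policy():
    # The advice in the thread: every allow rule carries a group, so a device
    # with no authenticated user matches nothing and hits the final drop.
    return [
        Rule("allow-staff", "allow", set(), {"staff"}),
        Rule("allow-testers", "allow", SHARED_MACS, {"testers"}),
    ]

if __name__ == "__main__":
    mac = "00:11:22:33:44:55"
    print("clientless active :", evaluate(original_policy(), mac, {"clientless"}))
    print("clientless inactive:", evaluate(original_policy(), mac, set()))
    print("fixed, not logged in:", evaluate(fixed_policy(), mac, set()))
    print("fixed, tester login :", evaluate(fixed_policy(), mac, {"testers"}))
```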