PLEASE READ Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre) for the latest updates.
We'd love to hear about it! Click here to go to the product suggestion community
I have a sophos xg firewall and two children who use the same computer. One of their accounts allows the computer to access the internet without any issues, but the other account causes the network panel to read "no internet." In both instances, the icon in the right side of the dock (windows 10) is orange, so I know that both accounts are logging in, but only one is able to access the internet. The problem account also works on my Android phone. There is no different between the permissions granted to each account, so what could be wrong?
are you using authentication on Sophos XG? I mean, your firewall rule are user-based or network-based?
Are you using SAA?
In reply to lferrara:
I'm not sure what you mean. Different users have different rules (my account doesn't have the restrictions of the kids'), but all users have to log in to access the network.
In reply to David Pu:
thanks for the reply. Are you using Captive portal? If yes, can you share the settings of captive portal?
I am not using captive portal.
Thanks for your help.
please explain better your scenario (authentication type, screenshot of firewall rules, etc..) otherwise we are not able to help you.
Sorry for not explaining clearer. Users cannot access the network without logging in using the client authentication agent. I have two accounts with a restriction on data transfer per day and games/sexually explicit content. Both of them work on every device in the house besides a Windows 10 computer connected using Ethernet. On that machine, one account is able to log in and access the internet, but when the other logs in, the client authentication agent accepts the information but internet access is not granted.
I'm pretty sure it is something with the computer that I configured for one account but not the other, since both accounts work on everything else exactly the same. Is there anything (ip address, etc.) Specific to the computer that could prevent one account from accessing the internet after logging in?
thanks for the information. So you are using SAA, Sophos Authentication Agent.
If both users use the same computer at the same time, traffic is generated from the same IP so Firewall should have a problem on that. Make sure on the firewall rule you have added both users.
Network devices do not understand users (inside the ISO-OSI, users is not present), so XG (and other devices) associate the user with IP address and then on that IP they route/allow/deny traffic.
once the first user is logged in and is able to surf, log with the other user and open the captive portal (https://xglanip:8090) and proceed with authentication. Check if the user then is able to surf. If it is, the problem is with SAA which is not able to handle more than one user at time.
also do not forget that per each user, you need to install the SAA or import the Certificate. Each user has its own certificate.
Thank you for the information. I believe I forgot to import the certificate for the other user! Thank you for your help.
Let us know.
I'm logged in as the user and at the download client page. On computers, is there a special certificate to download? I only see "certificate for ios and android clients." Or do I just redownload the CAA as the problem user? And if I do this, will the account that is currently working still be able to access the internet?
sorry for the previous reply. CAA is using a global Certificate and not a per user certificate. Sorry about the wrong info. I was quite sure SAA was using per user certificate.
I am not sure if 2 accounts at the same time can use CAA on the same computer.
Let's see if sachingurung or Aditya Patel can clarify us.
Sorry, I guess I didn't specify my problem well (again!) The issue is not having two users on at once, but that only one specific account works on the machine at all. The account of kid A is able to log in and surf just fine. Kid B's account is able to log in (CAA accepts the credential) on the same computer but is not granted access to the internet.
David, make sure both users are included in the lan to wan firewall rule.
I would like to check the issue, send me a PM.