
V18 / STAS - Authentication

Hey guys,

Is there a better mechanism in development than STAS in its current form?

95% of my Firewall issues relate to STAS and it deciding not to work as needed. Ideally going back to the UTM style suits me fine rather than reading events.

My laptop users are the worst as they close the lid and bring it to work, which doesn't create the logon event needed. iOS / Android is a whole other ball game, and any PC not on our domain.

I heard Sophos are looking at a better way but I see in V18 STAS remains unchanged.

What are the plans - anyone aware?



  • PS: UTM "style" will not solve your issue at all. 

    UTM style is Kerberos, which is included in V18. But Kerberos depends on HTTP (Web Traffic). Your client needs to log in and open a Web application to get authenticated. UTM only needs Kerberos for Web traffic (proxy), so it does not matter there. But XG, as a "Layer 8 Firewall", depends on the first packets already being authenticated.

    A better approach could be Synchronized User ID (with the Central Endpoint). It moves the authentication to the Endpoint and relies on the information from the Central Endpoint.

    Or you move to Kerberos and use it only for Web Traffic.

    __________________________________________________________________________________________________________________

  • Keyur said:
    we will try to provide the best solution possible

    Hey Keyur,

    It's more the reliability and complexity of STAS.

    Today I had many users not authenticating where it worked fine for the past months - a reboot of the XG fixed it.

    My laptop users are always blocked as they don't log on - they just open the lids.

    iOS users seldom work, and as I use Meraki Wireless that uses RADIUS, the Sophos does funky things.

    Ideally it would have an option similar to UTM, being connected to AD and authenticating this way rather than from an event on the DC.

    Cheers

    Sophos XG 450 (SFOS 18.5.1 MR-1)

    Sophos R.E.D 50 x 2

    Always configuring new stuff.....

  • In my opinion, security should not pass for a single vendor: this means that it would be easier to implement a "Sophos agent" to load into the various PCs/Servers instead of relegating authentication to the antivirus endpoint.