Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 6 replies
  • Answers 2 answers
  • Subscribers 41 subscribers
  • Views 3672 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web authentication captive page

Akshay Hegde

1. Login  with https://yourfirewall.domain.com:8090/httpclient.html 

2. After Successful login Close tab / or closed accidently 

3. Again open  https://yourfirewall.domain.com:8090/httpclient.html 

It shows Sign in form with username and password. This is very annoying behavior. When already session is established after sign in it should show logout / signout button instead of login page which will make user life easy. 

-- We have below settings

Sign out user --> When user is inactive 

( Here user is still active, so expected behavior is to show signout or logout button )



This thread was automatically locked due to age.
  • 0

    Firmware: SFOS 20.0.0 GA-Build222

  • 0 in reply to Akshay Hegde

    Hey  ,

    Thank you for reaching out to the community, please refer the Captive portal basics.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Vivek Jagad

    Hi  Vivek,

    I had gone through it. We're using Sign out user --> When user is inactive  settings.

    After we close tab and re-open captive portal page why we're not getting signout button ? user is still active.

    Expected: when user is already active as per sophos session table, signout / logout button should show when user re-visit captive portal page. ( In Authelia this happens which is expected behavior )

  • +1 in reply to Akshay Hegde

    The current behavior has existed since the start of XG and the way it is intended to be used.

    It is a security measure that the XG does not give any current login information to clients.  Without it, a computer could spoof their IP address and query the XG for each to find out which IPs are logged in and which are not.

    Customers who use the "when inactive" typically have computers that have one user all the time and never change.  The only time that the computer becomes inactive is if is does something like disconnect from the network or go to sleep.

    If you are frequently wanting to change users on a given device you should probably use "when captive portal page is closed or redirected".  This setting is typically used if you have computers anyone can log into, such as a school.

    If this is an infrequent or one off, you can always log in again and then hit the log out button.  Annoying, I agree.

  • 0 in reply to Michael Dunn

    Hi Michael thanks for the clarification it convincing. One more query. 

    If someone spoof IP which is already logged in.  Whether sophos having any mechanism to understand this ?  Session can be hijacked right ?

    Scenario is when you have L3 routing. Sophos will not get user MAC address.

    User <----> LAN  <----> L3 routing <----> Sophos <---> WAN

  • 0 in reply to Akshay Hegde

    The XG maintains a list of what user is logged into what IP address, it does not not use MAC address.
    Yes in theory spoofing where one computer appears as another (logged in) computer could occur.  However in practical terms it cannot because of the problems where two computers share the same IP address.  Moreover the impact is low.  The worst would be...  if you had a web policy that blocked Facebook but you knew that Jack down the hall had a different web policy that was allow all, you could spoof Jack's IP and not get blocked.  So you have issues of the wrong policy being applied and the wrong user appearing in reports, but you don't have any loss of security.  The reality is that most people who are bypassing web policy just use their phone connected directly to their cell phone company.

Unfiltered HTML