SOPHOS STAS inactivity Timer issue

Hello Ahmad,

The firewall rules follow top to down approach and it tries to match. If the rule matches with the specified information, it will allow traffic to route via another.

Do you wish to restrict Internet for unauthenticated user, if yes, you must enable match known users and show captive portal to unauthenticated user. 

You may share the snapshots of the firewall rules in DM.

For STAS, you may refer to:  Sophos Firewall: Best practice for STAS 

hi Mayur,

i have not enabled captive portal for unauthenticated users as user who are domain joined and have their cell phones when they try to conenct and have password then tehy will be authenticated and go to internet. i dont want that any user in my lan who has their own laptop/cell will be authenticated with captive portal.

in my enviormnenet guest comes , i need that i will take mac of that guest and mac an entry in my firewall and then that guest will go to internet.

please guide.

hi Mayur,

i have not enabled captive portal for unauthenticated users as user who are domain joined and have their cell phones when they try to conenct and have password then tehy will be authenticated and go to internet. i dont want that any user in my lan who has their own laptop/cell will be authenticated with captive portal.

in my enviormnenet guest comes , i need that i will take mac of that guest and mac an entry in my firewall and then that guest will go to internet.

please guide.

Hello Ahmad,

In a situation, wherein the STAS failed to login your users and if you wants to restrict Internet access for unauthenticated user you must enable show captive portal to unknow users and hence the user who failed to login will be prompted with the captive portal for login.

For guest, if the traffic comes in via flat network wherein no L3 involved, you can certainly have firewall rule with the source MAC addresses added to allow internet through it. If the MAC addresses does not match, it will check with the rules in top to down approach.

hi Mayur,

i am facing issue in MAC address. if a user comes whose mac is not enterered then he will get any ip from DHCP, that ip is authenitcated user whose session is not timed out. then this user will go to internet by matching user rule. i need to cope up this issue. for STAS users timed out as a work around i enabled Enable user inactivity under STAS, configured inactivity timer 120 Min. and Data transfer Threshold 100 Bytes. but with this setting the user whose mac in not entered is not allowed to go to internet while the user who are authenticated start being logged off either they are idle or not for 120 Min.
please advise..

Hello Ahmad,

I suggest raising the support case. As we need to collect IPSET output along with access_server debug logs. In addition to that, we will require to capture tcpdump/conntrack and drop packet capture.

Kindly share the case ID here for the reference.

Case ID: 01920916

can i limitize login of users. that only one user login either via STAS or captive portal. means if user is authenticated via STAS and he tries to connect cell phone and captive portal appears and he try to login with his domain credentials then he shoudl be denied. can i do that???

Hello Ahmad, 

We can completely disable captive portal or STAS. We cannot limit user to allow login via Captive portal or STAS. However these methods can be disabled. You can disable it from System -> Administration -> Device access. Kindly be careful before applying  it.

Hi,

Upon checking, the case ID has been closed, and the root cause is the wrong rule order.