
SOPHOS STAS inactivity Timer issue

Hi,
I have an XGS2100 (SFOS 20.0.2 MR-2-Build378). A very weird issue is being faced. I am using STAS for user authentication. The user rule is down in the rules. On top of all I have created a rule in which I added the MAC addresses of a few users. This rule is not working. When a user comes whose MAC is not entered in the rule, then it passes through the "any user" rule. In the log viewer it shows the MAC address and email address of a domain user, while this MAC is not part of any domain PC. This is not normal. From the user rule, only that user should pass who was called in that rule.
I also created a new MAC address rule, but it is not working. I noticed that when any user comes whose MAC is not in the allowed rule, it takes an IP from DHCP; if that IP was previously used by some authenticated user, then this user is considered an authenticated user and goes through the user rule.
As a workaround I enabled "Enable user inactivity" under STAS, configured the inactivity timer to 120 min and the data transfer threshold to 100 bytes. But with this setting the user whose MAC is not entered is not allowed to go to the internet, while the users who are authenticated start being logged off after 120 min whether they are idle or not.
Please advise.



Added TAGs
[edited by: Raphael Alganes at 2:48 PM (GMT -7) on 2 Oct 2024]
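To make the failure mode in the post concrete, here is an added Python model (not code from the poster or from Sophos) of the behaviour described: the firewall learns an IP-to-user binding from STAS, evaluates rules top to bottom, and the optional inactivity timer drops a binding that carried fewer than the threshold bytes within the timer window. The IPs, MACs, user names and the exact timer semantics are assumptions chosen to mirror the thread, using the poster's 120 min / 100 byte settings.

```python
from dataclasses import dataclass, field

INACTIVITY_MIN = 120          # the OP's "inactivity timer 120 Min." (assumed semantics)
DATA_THRESHOLD_BYTES = 100    # the OP's "Data transfer Threshold 100 Bytes"

@dataclass
class Session:
    user: str
    last_active: float        # minute at which the byte threshold was last met
    pending_bytes: int = 0    # bytes seen since last_active

@dataclass
class Firewall:
    allowed_macs: set                              # MAC rule placed above the user rule
    inactivity_timer: bool = False                 # "Enable user inactivity" under STAS
    sessions: dict = field(default_factory=dict)   # STAS bindings, keyed by IP only

    def stas_logon(self, ip, user, now):
        self.sessions[ip] = Session(user, now)

    def match(self, ip, mac, nbytes, now):
        """Return (rule_hit, identity) for one flow; rules checked top to bottom."""
        if self.inactivity_timer:
            for stale in [i for i, s in self.sessions.items()
                          if now - s.last_active >= INACTIVITY_MIN]:
                del self.sessions[stale]
        if mac in self.allowed_macs:
            return "mac-allow", None
        s = self.sessions.get(ip)
        if s is None:
            return "default-drop", None
        s.pending_bytes += nbytes
        if s.pending_bytes >= DATA_THRESHOLD_BYTES:
            s.last_active, s.pending_bytes = now, 0
        return "user-rule", s.user   # identity comes from the IP, not the MAC

def reused_lease(inactivity_timer):
    """alice logs on via STAS, leaves; DHCP later hands her IP to an unknown device."""
    fw = Firewall({"aa:bb:cc:00:00:01"}, inactivity_timer)   # constructed guest MAC list
    fw.stas_logon("10.0.0.50", "alice@corp.example", now=0)
    fw.match("10.0.0.50", "aa:bb:cc:00:00:02", 5000, now=10)        # alice browsing
    return fw.match("10.0.0.50", "de:ad:be:ef:00:99", 400, now=300)  # unknown MAC, 5 h on

def low_traffic_user():
    """A logged-on host that stays under the byte threshold is logged off at the timer."""
    fw = Firewall(set(), True)
    fw.stas_logon("10.0.0.60", "bob@corp.example", now=0)
    fw.match("10.0.0.60", "aa:bb:cc:00:00:03", 40, now=60)
    fw.match("10.0.0.60", "aa:bb:cc:00:00:03", 40, now=118)   # 80 B total, below 100 B
    return fw.match("10.0.0.60", "aa:bb:cc:00:00:03", 40, now=125)
```

Without the timer the unknown device inherits alice's identity through the reused IP and hits the user rule; with the timer the stale binding is dropped, but a genuinely logged-on host that moves fewer than 100 bytes in 120 minutes is dropped too, which is the trade-off the poster reports.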
  • Hello Ahmad,

    The firewall rules follow a top-to-down approach, and the firewall tries to match them. If a rule matches with the specified information, it will allow the traffic to route via another.

    Do you wish to restrict internet for unauthenticated users? If yes, you must enable "Match known users" and "Show captive portal to unauthenticated users".

    You may share the snapshots of the firewall rules in DM.

    For STAS, you may refer to:  Sophos Firewall: Best practice for STAS 

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • Hi Mayur,

    I have not enabled the captive portal for unauthenticated users, as users who are domain joined and have their cell phones, when they try to connect and have the password, will be authenticated and go to the internet. I don't want any user in my LAN who has their own laptop/cell to be authenticated with the captive portal.

    In my environment guests come; I need to take the MAC of that guest and make an entry in my firewall, and then that guest will go to the internet.

    Please guide.

  • Hello Ahmad,

    In a situation wherein STAS failed to log in your users, and if you want to restrict internet access for unauthenticated users, you must enable "Show captive portal to unknown users", and hence the user who failed to log in will be prompted with the captive portal for login.

    For guests, if the traffic comes in via a flat network wherein no L3 is involved, you can certainly have a firewall rule with the source MAC addresses added to allow internet through it. If the MAC addresses do not match, it will check the rules in a top-to-down approach.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.

  • Hi Mayur,

    I am facing an issue with MAC addresses. If a user comes whose MAC is not entered, then he will get an IP from DHCP; that IP belongs to an authenticated user whose session has not timed out. Then this user will go to the internet by matching the user rule. I need to cope with this issue. For STAS users timing out, as a workaround I enabled "Enable user inactivity" under STAS, configured the inactivity timer to 120 min and the data transfer threshold to 100 bytes. But with this setting the user whose MAC is not entered is not allowed to go to the internet, while the users who are authenticated start being logged off after 120 min whether they are idle or not.
    Please advise.

  • Hello Ahmad,

    I suggest raising a support case, as we need to collect the IPSET output along with access_server debug logs. In addition to that, we will need to capture tcpdump/conntrack and a drop packet capture.

    Kindly share the case ID here for the reference.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.
