SSO Client Issues

Hi Josh,

Correct me if I am wrong but you seem to be indicating you are trying to install the STAS (SSO Client) on all PC's, this is not how the SSO works you only install it on the AD Servers them selves.

If you are trying to install an authentication client on the individual PC's you should be using is the "Authentication Client" which can be downloaded from the User Portal on the appliance.

https://community.sophos.com/kb/en-US/123015

The client is available for Windows, Mac OSX, Linux, iOS and Android.

Another option which might assist is implementing the WiFi with WPA2/Enterprise, this would allow you to use the RADIUS SSO to capture authentication events from the WiFi environment.

Hi Leon

I think things have become confused here.

There are two types of SSO which i believe historically have come from the Cyberoam side

1. Clientless SSO or CTA, which uses the STAS software on the server and does not require any software on the client PC's. STAS watches the security log on the server and when it sees a logon event, it ties the username to the workstations IP address and sends this to the XG.
2. Client-based SSO which uses an agent that runs on the Client PCs. You set it up in a login script and it runs at logon to authenticate the client. As per this guide.

I am having issues with SSO (1 above). Because some of the client PC's have both WLAN and LAN connected,  the username/ip address matching only works on the interface over which the initial logon happened. If the client device then decides to use the other connection, the XG has no IP Address to username mapping for that IP.

Anyway to get around this, I thought the Client based SSO (2 above) might be worth a shot, however this is where I am having the issue mentioned in the original post.

Hi Jose

There are two clients you can use for the SSO, one is the one based on the Astaro System, the other is the one based on the Cyberoam system:

I am trying to use the Cyberoam one, the Cyberoam one allows you to specify the Address of your Firewall using a config file rather than messing around with silly fake IP addresses (what company with more than 50 workstations doesnt use a layer 3 network??)

The Cyberoam one also (according to what I can work out needs no intervention from the end user to Authenticate, it runs at login automatically. Correct me if I am wrong but the Astaro based client does run at logon, but pops up a login box? If that is still the case its useless for me.

I will use whatever client best suits my need as long as I can make it work!

Many Thanks

Josh

We have used Lightspeed system webfilter fairly regularly (maybe i should have used on for this install??) and they seem do the agent thing in a much more sensible way, here's the description.

You customise the installer MSI with the details of your web filter (using their own simple to use tool) and then just do a simple group policy install and thats it, you never see it again, it just runs in the background. It doesnt care how many IP interfaces the client has got, if the client is logged into more than one machine,it just works.

Regards

Josh

Hi Josh,

Just to clarify, the XG Firewall does not limit the number of IP Addresses a user is associated to and even supports session based users identification in Terminal Server environments using the SATC client.

Your chosen authentication methods here are based on login events against active directory, if users move from one network or ip address to another without generating a login event then the change is not tracked. The STAS does support identity checking for unknown ip addresses using WMI which does require AD permissions and appropriate firewall rules through out the network. Otherwise you will get DCOM errors as the Collector is unable to check the user ID for PCs. (Which is what you are seeing)

In most networks I get involved with the STAS with the WMI polling is very reliable for corporate machines, the idea is that you do not actually need to install or run something on the client.

As mentioned earlier in the chain there is another authentication mechanism in the form of a General Authentication agent, this behaves a lot more like what you describe in that is caches user credentials and update the UTM when it connects to it, this does not actually require an ad login event, the username and password combination though can be processed against the active directory.

Leon Friend said:

...As mentioned earlier in the chain there is another authentication mechanism in the form of a General Authentication agent, this behaves a lot more like what you describe in that is caches user credentials and update the UTM when it connects to it, this does not actually require an ad login event, the username and password combination though can be processed against the active directory.

Hi Josh,

The Astaro client pops up a login box the first time you log on and you have an option to hide the login box until next password change. It supports multiple IP addresses (IPV4 and IPV6) per client.

Hi Jose

So will this box pop up each time a user logs into a computer and do they have to input their credentials each time?

Hi Josh,

No, it won't show up if you tick the option remember user and password. It will show up the next time that you have to change the password only, until then it will go silently and the user won't notice it.

Hi Jose

Thanks for your reply.

So they have to set the username/password once then tick the box and it will remember credentials until password changes?

Do you know how this works on multi user machines, i.e machines that are logged onto by multiple users?

Hi Josh,

It's not designed for multiuser machines. In that case you have to enter user/password combination each time a new user logs in.

OK, not ideal, but at least I can use it on the 'problem' laptops. 

I'd still like to know why the Cyberoam-based SSO client fails to work though as that would seem to suit my needs better, if it worked. :P

OK, not ideal, but at least I can use it on the 'problem' laptops. 

I'd still like to know why the Cyberoam-based SSO client fails to work though as that would seem to suit my needs better, if it worked. :P