
DETAILED FUNCTION OF WALLED GARDEN OPTION ON SOPHOS UTM 9.6

Hello all, I'd like to allow a wireless access point (a unifi AC PRO) to allow clients that access the network through it to have access without putting a voucher code, but other clients that access the same network through another access point do need to put their voucher codes. Is the "Walled Garden" option on Sophos UTM 9.6 (Wireless Protection > Hotspots > Advanced > Walled Garden) an option to achieve that goal? Thanks in advance.



  • I know what you mean, but also what Jaydeep was talking about.

    The wireless management of the access points, SSIDs and guest networks is limited to Sophos Access Points.
    All the "normal wireless protection features" only work with Sophos APs. That's what Jaydeep meant.

    On the other hand that does not mean you can't use any other AP with a Sophos XG/UTM on the network protection/web protection layer, connected via cable and managed separately.

    What you are talking about is "Hotspot", which is licensed by Wireless Protection, but not limited to only wireless interfaces on the UTM. "Hotspot" can be used on "Sophos WLAN" interfaces as well as on the "normal LAN" ports or VLAN ports. When you, e.g., enable a Hotspot on interface "network1", every connection from a client in "network1" to anywhere else has to be "authorized" first by the Hotspot.

    If you have a client behind an interface "network2" that connects to a server/website in "network1", that one needs an authorization, too. "Walled Garden" lets you specify which hosts can be reached without authenticating first. I ran a portping on RDP to a server behind a Hotspot-secured interface. When my client was in the "Walled Garden" config I got a reply; if it was not, the port appeared to be closed. Even if in my network no hotspot is defined.

    So what you are trying to achieve is not possible with "Walled Garden", because it only covers destinations for which authentication is not needed.

     

    You will have to divide the traffic from both access points to two different interfaces/VLAN interfaces on the UTM. Then you activate Hotspot on the interface for AP1 and leave it disabled on the interface for AP2; that would work. The same SSID should function, too, but will cause a lot of confusion when a user roams between the two APs and sometimes has to authenticate and sometimes not.

    The other way would be an internal and a guest network (2 SSIDs) that use different VLANs. So internal could be without, guest with voucher.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • Thank you kerobra, it helped me a lot.