
Sophos Wireless, DHCP and Mobile devices! Doubts and queries!!

Hello Sophos Community Members,

I would like to share with you my wireless scenario.

Current scenario:

1 network with 1 SSID: e.g. ABC, Domain controller: DHCP, combination of Sophos APs and Delink wireless devices, all with the same SSID.

Domain controller DHCP serving the clients.

 

With the increasing number of wireless mobile devices,

I am planning to split my network into 2 different networks:

1) 192.168.x.x series for LAN users and local laptops (SSID: ABC) (DHCP: Domain controller DHCP)
2) 172.16.10.x series for mobile/tab devices (SSID: ABC_Mobile) (DHCP: Sophos UTM DHCP)

We have all Sophos products with us: Sophos UTM, AP and SEC.

I would like the users of both these networks not to be able to connect to the other one. For example: a laptop of the internal network should connect only to SSID: ABC and should not be able to connect to the other network (SSID: ABC_Mobile), and vice versa.

Also I would like to seek guidance on the web filtering profile for mobile devices and their authentication (AD SSO? CA certificate?).

Other questions that come to mind:

1) What is the device-specific web filtering profile (based on OS) and how will it help?
2) How to go about HTTPS?
3) How do I authenticate legitimate mobile devices? (Well, MAC binding is one way!!)

Another interesting question:

We have our DC DHCP for network ABC.
For the second network ABC_Mobile the DHCP is on the Sophos UTM. I have a mix of APs: Sophos APs and a set of Delink wireless routers.
How do I force the clients connecting to the Delink wireless routers to get IPs from the Sophos UTM DHCP? We don't use VLANs in our network.

Come, experts, please guide! Thanks

 

PS: Have been a fan of Sophos and its configurations since installation in our organization in 2015.
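The two requirements in the post (laptops only on ABC with DC DHCP addresses, mobiles only on ABC_Mobile with UTM DHCP addresses, and Delink-attached clients still landing in the UTM's scope) can be audited from AP association records. The following is an added example, not code from the post or from Sophos; the log layout, the device inventory and every MAC and IP in it are constructed for illustration.

```python
import ipaddress
import re

# Constructed policy for the split in the post: laptops on SSID "ABC"
# (192.168.x.x, DC DHCP), mobiles on "ABC_Mobile" (172.16.10.x, UTM DHCP).
POLICY = {
    "ABC": ipaddress.ip_network("192.168.0.0/16"),
    "ABC_Mobile": ipaddress.ip_network("172.16.10.0/24"),
}
DEVICE_CLASS = {  # assumed inventory (made-up MACs): SSID each client may use
    "aa:bb:cc:00:00:01": "ABC",         # domain laptop
    "aa:bb:cc:00:00:02": "ABC",         # domain laptop
    "de:ad:be:ef:00:01": "ABC_Mobile",  # phone
}
# Constructed association lines; key=value layout is assumed, not a real
# Sophos or Delink log format.
SAMPLE_LOG = """\
ap=sophos-ap1 ssid=ABC client=aa:bb:cc:00:00:01 ip=192.168.1.50
ap=dlink-2 ssid=ABC_Mobile client=de:ad:be:ef:00:01 ip=192.168.1.77
ap=sophos-ap2 ssid=ABC_Mobile client=aa:bb:cc:00:00:02 ip=172.16.10.21
ap=dlink-1 ssid=ABC_Mobile client=de:ad:be:ef:00:99 ip=172.16.10.33
"""
LINE_RE = re.compile(r"ap=(\S+) ssid=(\S+) client=(\S+) ip=(\S+)")

def check_association(line):
    """Return the policy violations found in one association line."""
    m = LINE_RE.search(line)
    if not m:
        return ["unparsable: " + line.strip()]
    ap, ssid, mac, ip = m.groups()
    mac = mac.lower()
    if ssid not in POLICY:
        return [f"{mac}: unknown SSID {ssid} on {ap}"]
    findings = []
    # Wrong-network check: a known MAC that joined the other SSID.
    expected = DEVICE_CLASS.get(mac)
    if expected is None:
        findings.append(f"{mac}: not in inventory, seen on {ssid} via {ap}")
    elif expected != ssid:
        findings.append(f"{mac}: registered for {expected} but joined {ssid} via {ap}")
    # DHCP-scope check: an address outside the SSID's scope means the lease
    # came from the wrong server (e.g. a Delink AP using the DC's DHCP).
    if ipaddress.ip_address(ip) not in POLICY[ssid]:
        findings.append(f"{mac}: {ip} outside {POLICY[ssid]} for {ssid} via {ap}")
    return findings

def audit(log_text):
    """Check every non-empty line; returns the combined list of findings."""
    return [f for line in log_text.splitlines() if line.strip()
            for f in check_association(line)]
```

Running `audit(SAMPLE_LOG)` on the constructed lines reports three findings: the phone on the Delink AP that got a 192.168.x.x lease, the laptop that joined ABC_Mobile, and a MAC missing from the inventory.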



  • On your theoretical question, I think the complete list of options for authenticating wireless users is the following, although I cannot address which ones are supported by Sophos products:

    1) MAC filtering at the access point.

    2) Login to a RADIUS or TACACS+ authentication server, using either the device MAC for both username and password, or a user-entered username and password. The second approach assumes that the user can boot his device to a point where he can enter the login information, which may not work for some devices.

    3) 802.1X authentication, where the device is equipped with an identity certificate which it presents as part of the connection process. In some implementations, I think it can be combined with user login as well. This is the most complex and probably the most secure for large organizations that need to support many laptops moving between many locations.

    4) Old-fashioned WPA2, which only works if you can control knowledge of the WPA2 password. Since it is very difficult to switch to a new password, it is not really a solution to your question.

  • DouglasFoster said:

    2) Login to a RADIUS or TACACS+ authentication server, using either the device MAC for both username and password, or a user-entered username and password. The second approach assumes that the user can boot his device to a point where he can enter the login information, which may not work for some devices.

    3) 802.1X authentication, where the device is equipped with an identity certificate which it presents as part of the connection process. In some implementations, I think it can be combined with user login as well. This is the most complex and probably the most secure for large organizations that need to support many laptops moving between many locations.

     

    Thanks DouglasFoster,

    I am definitely looking for RADIUS server authentication which will help me put in another layer of authentication.

    Regards,

    Jeet J

    Network Administrator

    Sophos UTM SG 450, Sophos UTM SG 125 x 6, Sophos SEC, Sophos AP