This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Wireless,DHCP and Mobile devices ! Doubts and queries !!

Hello Sophos Community Members,

I would like to share you my Wireless scenario.

Current scenario :

1 network with 1 SSID : Eg. ABC , Domain controller : DHCP, Combination of Sophos APs and Delink Wireless Devices all with the same SSID.

Domain controller DHCP serving the clients

 

With increasing number of wireless mobile devices

I am planning to split my network into 2 different networks :

1) 192.168.x.x series for LAN users and Local laptops (SSID : ABC) ( DHCP : Domain controller DHCP)
2) 172.16.10.x series for mobile/tab devices. (SSID : ABC_Mobile) (DHCP : Sophos UTM - DHCP)

We have all sophos products with us Sophos UTM,AP and SEC.

I would like the users of both these networks not to connect to the other one.For example : Laptop of internal network should connect only to SSID : ABC and should not be able to connect to the other network (SSID : ABC_ Mobile) and vice versa

Also I would like to seek guidance on the web filtering profile for mobile device and their authentication (AD SSO ? , CA certificate ? )

Other questions that come to mind :

1) What is the device specific web filtering profile (based on OS) and how will it help
2) How to go about with HTTPS ?
3) How do I authenticate legitimate mobile devices ? (Well MAC binding is one way !!)

Another interesting question :

We have our DC DHCP for network ABC.
For second network ABC_Mobile the DHCP is of Sophos UTM, I have a mix of APs , Sophos and a set of Delink Wireless routers
How do I force the clients connecting to Delink wireless routers to get IPs from Sophos UTM DHCP. We dont use VLANs in our network.

Come experts please guide ! Thanks

 

PS : Have been a fan of Sophos and its configurations since installations in our organization in 2015.



This thread was automatically locked due to age.
Parents
  • For having other access points getting DHCP from Sophos, I think you'll have to create a new physical interface using the specified 172.16.10.x range and connect this interface to a separate switch (or start using VLAN when you want to use your current switch(es)).

    Then every client that connects to this interface will be able to get a DHCP address from the server (in this case Sophos UTM).

    Preventing devices from connecting to a specific SSID will be harder, I think this can only be done by maintaining MAC addresses and specify allowed MAC-addresses on both SSID's. If the mobile SSID is used to connect BYOD devices, then this will be a pain in the ass to configure and keep up to date.

    For starters you could configure the ABC SSID to use radius authentication which will make it a little bit harder to connect to it since there's not 1 password for all devices. However mobile clients who's users also have an AD account will probably still be able to login to the radius configured SSID.

    I don't think AD SSO is possible with mobile devices (maybe on Win10 mobile, but I don't believe it's possible on IOS / Android since you simply don't log on to this device using an AD account. You'd probably either use transparent proxy or a standard proxy with or without authentication.

    HTTPS scanning will most likely break some sites even when you have the correct proxy CA certificate trusted, therefore I would recommend against it especially again on the mobile devices that might not even trust your proxy CA certificate.

    If have never really tried the device specific web filtering, so anyone who has? I'm also curious in how well this works.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • apijnappels,

    Thank you for your to the point revert on all of my queries.
    Makes my doubts quite clear.

    apijnappels said:
    For having other access points getting DHCP from Sophos, I think you'll have to create a new physical interface using the specified 172.16.10.x range and connect this interface to a separate switch (or start using VLAN when you want to use your current switch(es)).

    Initially will go forward with the separation of networks as I see no other option but to physically separate both the networks
    Just wonder how Sophos APs can do that being in the same network.

    apijnappels said:
    Preventing devices from connecting to a specific SSID will be harder, I think this can only be done by maintaining MAC addresses and specify allowed MAC-addresses on both SSID's. If the mobile SSID is used to connect BYOD devices, then this will be a pain in the ass to configure and keep up to date.

    Well most of these devices are company allotted so keeping a track would be easier,well if that's the only option !

    apijnappels said:
    For starters you could configure the ABC SSID to use radius authentication which will make it a little bit harder to connect to it since there's not 1 password for all devices. However mobile clients who's users also have an AD account will probably still be able to login to the radius configured SSID.

    Well then, will look for Radius server options !

    apijnappels said:
    I don't think AD SSO is possible with mobile devices (maybe on Win10 mobile, but I don't believe it's possible on IOS / Android since you simply don't log on to this device using an AD account. You'd probably either use transparent proxy or a standard proxy with or without authentication.

    Need more clarity on this will post it in a separate thread !

    apijnappels said:
    If have never really tried the device specific web filtering, so anyone who has? I'm also curious in how well this works.

    Will check out for the threads/topics on this in the forum and get back

    Once again thanks for all the pointers !

    Regards,

    Jeet J

    Network Administrator

    Sophos UTM SG 450,Sophos UTM SG 125 x 6, Sophos SEC,Sophos AP

Reply
  • apijnappels,

    Thank you for your to the point revert on all of my queries.
    Makes my doubts quite clear.

    apijnappels said:
    For having other access points getting DHCP from Sophos, I think you'll have to create a new physical interface using the specified 172.16.10.x range and connect this interface to a separate switch (or start using VLAN when you want to use your current switch(es)).

    Initially will go forward with the separation of networks as I see no other option but to physically separate both the networks
    Just wonder how Sophos APs can do that being in the same network.

    apijnappels said:
    Preventing devices from connecting to a specific SSID will be harder, I think this can only be done by maintaining MAC addresses and specify allowed MAC-addresses on both SSID's. If the mobile SSID is used to connect BYOD devices, then this will be a pain in the ass to configure and keep up to date.

    Well most of these devices are company allotted so keeping a track would be easier,well if that's the only option !

    apijnappels said:
    For starters you could configure the ABC SSID to use radius authentication which will make it a little bit harder to connect to it since there's not 1 password for all devices. However mobile clients who's users also have an AD account will probably still be able to login to the radius configured SSID.

    Well then, will look for Radius server options !

    apijnappels said:
    I don't think AD SSO is possible with mobile devices (maybe on Win10 mobile, but I don't believe it's possible on IOS / Android since you simply don't log on to this device using an AD account. You'd probably either use transparent proxy or a standard proxy with or without authentication.

    Need more clarity on this will post it in a separate thread !

    apijnappels said:
    If have never really tried the device specific web filtering, so anyone who has? I'm also curious in how well this works.

    Will check out for the threads/topics on this in the forum and get back

    Once again thanks for all the pointers !

    Regards,

    Jeet J

    Network Administrator

    Sophos UTM SG 450,Sophos UTM SG 125 x 6, Sophos SEC,Sophos AP

Children
No Data