Who here has struggled getting STAS working?

The reason I ask is that the documentation for it is unavailable, unless I've missed something; however, based on some other threads, I perceive there to be the possibility of using STAS-created objects within firewall rules. Initially my assumption for STAS was that it would strictly be used for the Web Protection module only.

On behalf of the crowd here, I'd like to ask for some documentation on how STAS is to be configured, and where it can be used throughout the UTM.

Cheers

  • Anthony,

     

    STAS is not really creating a user; this is just a consequence. If a user already exists, this user will of course not be created a second time.

    An example for STAS is easy... you want to be able to use user objects in web filter rules, but you do not want to install an authentication client on the user's client. STAS helps you to identify that this IP address belongs to a specific user... without installing anything on the client.

     

    Greetings

    Holger

  • Hi Holger,

    Thank you for getting back to me. I might have not expressed myself correctly.

    HolgerLehn said:
    Joining AD gives you the ability to use SSO with AD backend users.

    From what I understand, joining AD gives you the ability to import users (by prefetching them in Authentication Services -> Advanced -> Prefetch Directory Users), which then creates an object in the UTM and allows them to be used in Web Filtering policies.

     

    HolgerLehn said:
    STAS gives you the ability to use authenticated users in your policies, without the need to install CAA

    Does STAS only create user objects in the UTM so that they can be used in Web Filtering policies? What is the point if they can already be prefetched with the Prefetch Directory Users utility?

     

    There might in fact be something I misunderstand. If that is the case, can you clarify both options to me and give an example of a situation where one would be preferable to the other?

     

     

    Thank you

  • Hi Anthony,

    your question sounds like a general misunderstanding of STAS behaviour. Let me try to clarify.

    Joining AD gives you the ability to use SSO with AD backend users.

    STAS gives you the ability to use authenticated users in your policies, without the need to install CAA (Client Authentication Agent). STAS (Sophos Transparent Authentication Suite) gets information about users that are logged in to workstations that are members of AD. That's all.

    You can install the authentication agent on the client, or you can use STAS instead if you are not able or willing to install the authentication agent on your clients.

    If you are using STAS, the STAS collector should be able to PING your workstations and also to query your workstations via WMI.

    Hope that I understood your question correctly and that my answer is helpful.

     

    Greetings

    Holger
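Holger's point above is that the STAS collector must be able to both ping a workstation and query it over WMI. The following PowerShell script is an added example (not code from the thread, not Sophos' own tooling) to run on the collector host as a preflight check for exactly those two paths. The workstation address 192.168.9.99 and the domain account name are assumptions for illustration; WMI over DCOM is tested explicitly because that is the classic remote-WMI transport, and a WinRM-based check could succeed while DCOM is still blocked.

```powershell
# Added example: preflight check for STAS collector -> workstation connectivity.
# Run on the STAS collector (e.g. the DC) as an account with admin rights on the
# target workstations. Addresses below are assumed values, not from the thread.

param(
    [string[]]$Computers = @('192.168.9.99'),  # assumed workstation address
    [int]$TimeoutSec = 10
)

function Test-StasWorkstation {
    param([Parameter(Mandatory)][string]$Computer)

    $result = [ordered]@{
        Computer     = $Computer
        Ping         = $false   # ICMP reachability
        WmiDcom      = $false   # WMI query over DCOM succeeded
        LoggedOnUser = $null    # interactive user as reported by WMI
        Error        = $null
    }

    # 1. ICMP ping: the collector relies on this to see whether a workstation is up.
    #    Windows Firewall on the client must allow ICMPv4 Echo Request for this to pass.
    $result.Ping = Test-Connection -ComputerName $Computer -Count 2 -Quiet `
                                   -ErrorAction SilentlyContinue

    # 2. WMI over DCOM (TCP 135 plus the dynamic RPC range on the client).
    #    Win32_ComputerSystem.UserName is the interactive (console) user, which is
    #    the same user-to-IP association STAS is trying to establish.
    try {
        $opt = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $Computer -SessionOption $opt `
                                  -OperationTimeoutSec $TimeoutSec -ErrorAction Stop
        $cs = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem `
                              -ErrorAction Stop
        $result.WmiDcom      = $true
        $result.LoggedOnUser = $cs.UserName   # e.g. LAB\vilic (assumed example value)
        Remove-CimSession -CimSession $session
    } catch {
        # Typical failures: RPC server unavailable (firewall/DCOM), access denied
        # (account lacks local admin / remote WMI rights on the workstation).
        $result.Error = $_.Exception.Message
    }

    [pscustomobject]$result
}

# Run the check for every workstation and flag the ones STAS cannot handle.
$report = $Computers | ForEach-Object { Test-StasWorkstation -Computer $_ }
$report | Format-Table -AutoSize

$broken = $report | Where-Object { -not ($_.Ping -and $_.WmiDcom) }
if ($broken) {
    Write-Warning ("STAS will not be able to track these hosts: " +
                   ($broken.Computer -join ', '))
}
```

A host that fails only the ping test is usually a client firewall rule (ICMPv4-In) problem; a host that pings but fails the WMI test is usually DCOM/RPC being blocked or the collector's service account lacking remote WMI rights on the workstation. Either way, STAS will not reliably keep the user-to-IP mapping for that machine until the check passes.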

  • Hey guys,

    Sorry to resurrect an old thread. I was also wondering why use STAS when joining the UTM to an Active Directory domain works pretty well in the first place. Does the STAS agent work better in some way?

     

    Thanks

  • Unknown said:

    just to be on the same page. You mean that the user isn't listed in Definitions & Users >> Client Authentication under the tab "Global", right?

    Yes, that was the problem. After some time and several logoff/logon they started to appear.

  • Hi vilic,

    just to be on the same page. You mean that the user isn't listed in Definitions & Users >> Client Authentication under the tab "Global", right?

    If you authenticate a user via STAS as described in your first two points with those log lines, the user should appear in the tab "Global" as described above until a logoff is detected by the STAS collector. Did the user ever show up there, or did the user disappear while you were still logged in?

    Can you reproduce this behavior?

    Regarding the picture in your third point:

    The IP addresses won't be displayed there for performance reasons. It is a bit confusing, but the UTM would be really slow with a lot of users logging in / out. So this is expected, and you will see the same behavior with Client Authentication (SAA) too.

    /Daniel


    Windows has detected you do not have a keyboard. Press 'F9' to continue.

  • What did I do wrong here ?

    1. STAS enabled on UTM, installed and configured on DC. I can see live users in STAS tool:

    2. In the UTM Client Authentication log there is information about a successful login, and two user objects are automatically created:

    2016:03:26-08:38:17 utm2 argos[13752]: [handle_transparent_sso_request]: Received login sso request: username vilic, ip_address 192.168.9.99, domain_name lab.local
    2016:03:26-08:38:18 utm2 argos[13752]: [auth_aua_recv]: User vilic authenticated [REF_DefaultAdirectoryUserGroup]


    3. But... there are no Online clients listed under the STAS status page, and there is no resolved IP for the User Network objects:


  • Hi mod2402,


    STAS is supported only with Active Directory; therefore it will not work with computers that are not members of an Active Directory domain.


    Greetings

    Holger

  • It was more to do with how to configure the Web Protection module to use STAS discovered users.

    For example, my findings have deduced that in the Web Filter profiles, the Authentication Type must be set as AGENT.

    In all my dealings previously this has either been Standard Mode AD-SSO or Transparent Mode AD-SSO.

    As such with STAS, using AGENT in the Web Protection profiles was the one piece of information missing from the documentation I've seen to date.

    And using AGENT is marvellous.  

    I'll still join the UTM to AD, but my web profiles use agent now.

    Works very well.

    Thanks all.

    ==

    When in doubt, Script it out.

    It's the same as before. But I think just the user-to-IP mapping is made on the DC with STAS.

    I'll test it if I've time.