The current BETA of the Sophos Firewall OS allows you to infer user objects from both DC login and RADIUS accounting. Here I've got my Cisco WLC sending accounting information to SFOS, and users are being identified based on their credentials used to join WiFi. Works very well!
Ideally this would leverage associated records on an existing AAA service on the network which is used by 802.1x. Eg: iOS device authenticates to the network using 802.1x, the Web Protection module could then cascade down 'authentication servers' (AD SSO >> RADIUS) to establish trust of the device and map it back to a specific Web Protection profile.
This would greatly help the educational space and corporates who are introducing BYOD and are providing network access via wireless but still wish to capture WHO is using the infrastructure.
Doesn't SEC already provide this with its 'Smart Views', a filtering system that shows which systems are online, up to date, protected, etc.?
Would be cool if the WiFi Hotspot feature could have this as an 'auth method'.
The primary use case is in environments where passwords are shared (either inadvertently or directly) with other staff members. As such, knowing a Username and Password would then allow the unauthorised user to gain access to the QR code via the User Portal.
If the process can be manually controlled - like it can be now - it regulates WHO actually gets the soft token.
However, the manual process requires a SECRET which needs to be manually created by the Admin (as expected).
The feature simply exposes the automated generation of a secret key and allows the admin to invoke that same function from WebAdmin when building a manual soft token.
We are hard at work on this feature and will deliver the first implementation of front end authentication as part of our Web Server protection (reverse proxy) in UTM 9.2. The public beta will begin in October. Stay Tuned!
Given the demise of ISA and TMG, many organisations are using Forms Based Authentication over SSL provided by the TMG to the world. Once a user is authenticated to a backend (typically AD), an SSO action is performed against the Exchange Client Access Service, presenting an authenticated Outlook Web Access session.
Currently, with the Sophos WAF, we simply publish the CAS; however, the issue is that in some cases SSL certificates are NOT used, as the TMG only requires SSL from external and then internally requests OWA content via HTTP.
As such, our current implementation requires those customers to configure the IIS server sustaining the OWA/CAS system with an SSL certificate that is publicly verifiable.
Agreed; with the increase in more OPEN types of usage policies for URL category access, businesses still wish to regulate what file types can be downloaded from these sites.
Ideally, breaking the association of URL and File Type within default and Additional rules, and having file types act in a similar fashion to how the newer Authentication/Connection Profile system works, would allow an overlay of file type downloads depending on request and/or destination.
This would also mean a rework of the User Submission for FILES as well due to its current design.
Agreed; notifying the end user that a request has been blocked or allowed, and then providing them a summary of what they originally requested, would be nice. Currently, their local help desk must implement this procedure manually, which is a time and effort cost and contradicts our simplicity model.