Sophos XG Firewall Web Interface Reference and Admin Guide v16.5

627 Pages


Figure 393: Captive Portal Settings

Groups

The Groups page displays a list of all the default and custom groups.

A group is a collection of users who share common policies and can be managed as a single unit, which makes it possible to assign various policies to a number of users in one operation. Users that belong to a particular group are referred to as group users.

A group can contain default as well as custom policies.

Various policies that can be grouped are:

• Surfing quota policy which specifies the duration of surfing time and the period of subscription

• Access time policy which specifies the time period during which the user will be allowed access

• Network traffic policy which specifies the time allocated to cyclic/non-cyclic network traffic

• Traffic shaping policy which specifies the bandwidth allocated for upload and download traffic

• Remote access policy which controls the access of remote clients

• Clientless policy which controls the access of clientless users

Creating a New User Group

This page describes how to configure a user group.

Once the appropriate group is assigned, the user will automatically inherit all the policies added to the group.

1. Go to Configure > Authentication > Groups and click Add.

2. Specify the user group details.

Group Name

Enter a unique name for the group.

Description

Specify a description for the group.

Group Type

Select the group type.

Available Options:

Normal - The user of this group needs to log on using the client device to access the Internet.


Clientless - The user of this group does not need to log on using the client device to access the Internet and is symbolically represented by "group name (C)". Access control is performed through the IP address.


Figure 394: User Group Details

3. Specify the Policies.

Surfing Quota

Select the surfing quota policy from the list.

Note: For the group type Clientless, the option Unlimited is automatically applied.

Access Time

Select the access time policy from the list.

Note: For the group type Clientless, the option Unlimited is automatically applied.

Network Traffic (not available for the Clientless group)

Select the network traffic policy from the list.

The configured policy applies to all users who are members of this group.

Traffic Shaping

Select the traffic shaping policy from the list.

The configured policy applies to all users who are members of this group.

Remote Access

By default, the user will inherit his group's policy. To override the group policy, select a policy from the list.

You can also create a new policy directly on this page or from VPN > SSL VPN (Remote Access) > VPN > SSL VPN (Remote Access) page.

If a user should not be given SSL VPN access, select No Policy Applied.

Clientless

By default, the user will inherit his group's policy. To override the group policy, select the policy from the list.

You can also create a new policy directly on this page or from VPN > Clientless Access > VPN > Clientless Access page.

If a user should not be given SSL VPN access, select No Policy Applied.

Quarantine Digest

Configure quarantine digest.

Quarantine digest is an email containing a list of quarantined spam messages filtered by the device and held in the user quarantine area. If configured, the device will mail the digest on an hourly, daily or weekly basis to the user. The digest also provides a link to the User Portal, where the user can review and take action on quarantined messages.

Available Options:

Enable - The user will receive the quarantine digest at the configured frequency. This setting overrides the group setting.

Disable - The user will not receive quarantine digest. This setting overrides the group setting.

Note: Quarantine digest is not applicable to Wi-Fi devices.

MAC Binding

Enable to bind the user to a MAC address. By binding a user to a MAC address, you are mapping the user with a group of MAC addresses.

L2TP (not available for the Clientless group)

Enable to grant group members access through an L2TP connection.

PPTP (not available for the Clientless group)

Enable to grant group members access through a PPTP connection.

Login Restriction (not available for the Clientless group)

Select the appropriate option to specify the login restriction for the group.

Available Options:

Any Node - Select to allow a user to login from any of the nodes in the network.

Selected Nodes - Select to restrict user login to the specified nodes. Specify an IP address. For an existing group, you can add further nodes, edit a node or remove a node.

Node Range - Select to allow the user to log in from a range of IP addresses. Specify the IP address range.

For the options Selected Nodes and Node Range, only IPv4 addresses are permitted.


Figure 395: Policies

4. Click Save.

Note: User configuration (MAC binding and policies) is given precedence over the group configuration.
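
As an added illustration (not Sophos code and not part of the original guide), the following Python model shows how the three Login Restriction options and the user-over-group precedence described above behave when evaluated for a login attempt. All dictionary keys, function names and sample values are hypothetical and constructed for this example.

```python
import ipaddress

def _ipv4(text):
    # Selected Nodes / Node Range accept IPv4 only; anything else raises ValueError.
    return ipaddress.IPv4Address(text)

def login_allowed(restriction, source_ip):
    """Model of the Login Restriction options (dict keys are hypothetical)."""
    mode = restriction["mode"]
    if mode == "any":                                  # Any Node
        return True
    if mode == "selected":                             # Selected Nodes
        allowed = {_ipv4(n) for n in restriction["nodes"]}
        match = lambda src: src in allowed
    elif mode == "range":                              # Node Range, inclusive
        start, end = _ipv4(restriction["start"]), _ipv4(restriction["end"])
        if start > end:
            raise ValueError("range start is above range end")
        match = lambda src: start <= src <= end
    else:
        raise ValueError(f"unknown mode {mode!r}")
    try:
        return match(_ipv4(source_ip))
    except ValueError:
        return False        # in this model a non-IPv4 source never matches an IPv4-only list

def effective_settings(group, user_overrides):
    """User-level MAC binding and policies take precedence over the group's."""
    merged = dict(group)
    merged.update({k: v for k, v in user_overrides.items() if v is not None})
    return merged

# Constructed sample data, not exported from a real device.
GROUP = {
    "traffic_shaping": "Group-2Mbps",
    "mac_binding": False,
    "login_restriction": {"mode": "range", "start": "10.1.20.10", "end": "10.1.20.50"},
}
USER_OVERRIDES = {"traffic_shaping": None, "mac_binding": True}   # None = inherit from group

if __name__ == "__main__":
    eff = effective_settings(GROUP, USER_OVERRIDES)
    print("effective:", eff)
    for ip in ("10.1.20.30", "10.1.20.51", "fe80::1"):
        print(ip, "->", login_allowed(eff["login_restriction"], ip))
```
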

Adding Users to the Existing Groups

This page describes how to add a user to an existing group.

1. Go to Configure > Authentication > Groups.

2. Select the group to which you want to add the users by clicking the respective icon in the Manage column.

3. Click Add Member(s).

A pop-up window Add Group Member appears, providing a list of all the users who can be added to the group along with some details. To search for a user, filter the list based on the name and/or the current group.

4. Select the user you want to add to the group. You can select a single user or multiple users on the same page.

5. Click Add to confirm adding the member to the group.

6. Click Save.

The user is added to the group. You can check this by editing the group and clicking the Show Group Members button.

Viewing List of Group Members

This page describes how to check a user's membership in a group.

1. Go to Configure > Authentication > Groups.

2. Select the group for which you want to view the group members and click the edit icon in the Manage column.
