  1. #1
    Newbie
    Join Date
    May 2021
    Posts
    13

    Confusion over behavior of usernames on Devices and Hosts

    I have searched the wiki for articles, and the forum for any posts, that shed light onto the behavior I'm seeing, but I'm not finding anything quite detailed enough to help me understand what I'm seeing.

    When changing the username on a Device, the change is reflected pretty quickly on the corresponding Host entry, and traffic from that Host gets appropriately routed to the correct policy, given the new username and other inputs considered by my policy rules. But if I remove a username from a Device, the previous username stays associated with the corresponding Host. I haven't been able to find any particular set of steps I can take to merely blank the username for a Host (which would result in the traffic from that Host reverting to being processed by the Default policy).

    The above is true even if I do something wacky like force the traffic to be captured by Captive Portal and validate with a user from the local directory. The Host entry details do update to show that its username is being sourced from Captive Portal; but after a subsequent portal logout, the username for the Host still doesn't blank - it reverts to the previous Device-provided username, even though that Device is no longer associated with that username in the Device table.

    Is there something I'm missing or misunderstanding?

  2. #2
    Newbie
    Join Date
    May 2021
    Posts
    13

    Additional details, if needed:

    I have a relatively simple setup: an Untangle appliance sitting between my cable modem (customer-owned, Xfinity service) and a Netgear Orbi RBR20 router in AP mode (mesh system made up of the base plus 2 RBS20 satellites).

    In our family, we have about 15 total devices that get on the network (mix of Windows, Android, ChromeOS, and IoT). Some of these are only used by one person, so I have assigned a username to those devices on the Device page. I then have policy rules that send traffic to different policies based on username and time-of-day. As I understand it, a totally normal approach.

    But there are a few devices that are lightly shared, and I have been logging into the control panel and modifying the username on these devices as needed. This is a bit of a hassle, but seems to work, as long as I'm actually updating the Device from one username to another. I just can't disassociate the Host from the last username.

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,485

    I'm not sure if that's a bug or a feature, but yes, this behavior is "normal".

    If you want to shunt the traffic into the default policy, in effect deleting the username, you need to force a change. The only way to force a change is to change the username itself. Removing it just leaves it as is until the sessions naturally expire. So to force the change, just feed it a fake username that doesn't impact any policy, save it, and the sessions will reset for that device, and you're free to go blank it out and save again.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Newbie
    Join Date
    May 2021
    Posts
    13

    Thank you for the suggestion. I was finally able to break the tie to the previous username and get the traffic to the default policy. So the result was what I needed. Of course, the Host is now showing the fake username, but I guess that's an annoyance now, rather than a functional problem.

    Ultimately, I'd like to have a better understanding of how changes actually flow from Device to Host (to Session?): can you expand on what you meant by "force a change"? Did you mean this only with respect to the username field (i.e. I needed to force a change to the username in the Host record, and the only way to do that is to change the username on the Device), or did you mean something more generally? Because I think I've noticed similar behavior regarding tags: adding a tag to a Device pushes it in a pretty timely fashion to the corresponding Host, but removing a tag does not. (I know that tags can be removed from a Host record directly, but I've seen removed tags pop up again shortly thereafter, and I think not understanding that gets right back to me not fully understanding how data flows from Device table to Host yet, and the articles on this fall a little short on the details I would find most enlightening.)

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,485

    Untangle has always fought a fight over session resets. We make rule changes as admins, and the system tries to limit the sessions reset at the time of rule change to what the rule actually impacts.

    The problem is... in a system as complex as Untangle this doesn't always get everything! The alternative is to reset all network sessions on every rule change, but that's really ugly because every time we make a change everyone gets punted out of their stuff for a bit. Which makes help desk phones ring... madly.

    If you want the full reset? It's in config -> networking -> advanced -> options. Enable the "Block new sessions during network configuration" box, and hit save.

    From that point forward every time you save a rule change anywhere, EVERYTHING is reset. This will solve the goofy behavior you're seeing, but it also means momentary connection loss practically every time you click a save button.

  6. #6
    Newbie
    Join Date
    May 2021
    Posts
    13

    I can understand the difficulty of pushing changes all the way down to the individual active session level. I'm more confused about why username and tag removal are treated differently than username adds/changes and tag adds. If there are good reasons, I'd like to try to learn about them, as I'm no networking expert whatsoever. But I am a software engineer, and at first blush, I would think a change event is a change event, even if there are different flavors.
    Last edited by allprocenter; 05-25-2021 at 07:34 PM.

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,485

    Originally posted by allprocenter:
        I can understand the difficulty of pushing changes all the way down to the individual active session level. I'm more confused about why username and tag removal are treated differently than username adds/changes and tag adds. If there are good reasons, I'd like to try to learn about them, as I'm no networking expert whatsoever. But I am a software engineer, and at first blush, I would think a change event is a change event, even if there are different flavors.

    Well... to understand that you'd have to read the code: https://github.com/untangle/ngfw_src

    I'm very much NOT a software developer, so much of that stuff is gibberish to me. I just use the product as is, and try to understand its strangeness enough to not have it blow up in my face when I'm stuck deploying something in the middle of the night somewhere.
