
Advanced Endpoint Identity Agents Configuration

In This Section:

Customizing Parameters

Advanced Endpoint Identity Agent Options

Customizing Parameters

You can change settings for Endpoint Identity Agent parameters to control Endpoint Identity Agent behavior. You can change some of the settings in SmartDashboard and others using the Endpoint Identity Agent Configuration tool.

To change Endpoint Identity Agents parameters in SmartDashboard:

  1. Go to Policy > Global Properties > SmartDashboard Customization.
  2. Click Configure.
  3. Go to Identity Awareness > Agent.
  4. Click OK.

The Endpoint Identity Agent parameters are shown. This is a sample list of parameters that you can change:

Parameter - Description

Nac_agent_disable_settings - Whether users can right-click the Endpoint Identity Agent client (umbrella icon on their desktops) and change settings.

Nac_agent_email_for_sending_logs - A default email address to which client troubleshooting information is sent.

Nac_agent_disable_quit - Whether users can right-click the Endpoint Identity Agent client (umbrella icon on their desktops) and close the agent.

Nac_agent_disable_tagging - Whether to disable the packet tagging feature that prevents IP spoofing.

Nac_agent_hide_client - Whether to hide the client (the umbrella icon does not show on users' desktops).

Advanced Endpoint Identity Agent Options

Kerberos SSO Compliance

The Identity Awareness Single Sign-On (SSO) solution for Endpoint Identity Agents transparently authenticates users who are logged in to the domain. This means that a user authenticates to the domain once and then has access to all authorized network resources without additional authentication.

Using Endpoint Identity Agents gives you SSO in Windows domains with the Kerberos authentication protocol. Kerberos is the default authentication protocol in Windows 2000 and later.

The Kerberos protocol is based on tickets: encrypted data packets issued by a trusted authority, which in this case is Active Directory (AD). When a user logs in, the user authenticates to a domain controller, which issues an initial ticket granting ticket (TGT). This ticket vouches for the user's identity. When the user needs to authenticate to the Identity Awareness Gateway, the Endpoint Identity Agent presents the TGT to the domain controller and requests a service ticket (SR) for a specific resource (the Security Gateway that Endpoint Identity Agents connect to). The Endpoint Identity Agent then presents this service ticket to the Security Gateway, which grants access.

How SSO Works

Item - Description

A - User
B - Active Directory Domain Controller
C - Security Gateway that Endpoint Identity Agents connect to
D - Data Center servers

1 - a) A logs in to B
    b) B sends an initial ticket (TGT) to A

2 - a) The Endpoint Identity Agent connects to C
    b) C asks A for user authentication

3 - a) The Endpoint Identity Agent requests a service ticket (SR) for C and presents the TGT to B
    b) B sends the SR (encrypting the user name with the shared secret between B and C)

4 - The Endpoint Identity Agent sends the service ticket to C

5 - C decrypts the ticket with the shared secret and identifies A

6 - A gets access to D based on identity
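The ticket flow in the table above and in the Kerberos description before it, as an added illustrative example that is not part of this guide or of Check Point's Identity Awareness software: a toy Python model in which B issues a TGT, issues a service ticket for C under the B-C shared secret, and C identifies the user without contacting B. The DomainController and SecurityGateway classes, the SPN gw.example.local and the SHA-256 keystream cipher are constructed for this example; real Kerberos uses AES ticket encryption and carries fields (authenticator, session key) that are omitted here.

```python
import hashlib, hmac, json, os, time
# Toy authenticated "cipher" (SHA-256 keystream XOR + HMAC tag), constructed for
# illustration only; real Kerberos tickets use AES (RFC 3962), not this.
def _keystream(key, nonce, n):
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal(key, payload):
    nonce = os.urandom(16)
    pt = json.dumps(payload).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket failed integrity check")  # tampered, or wrong key
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class DomainController:  # B: the only party that knows every key
    def __init__(self):
        self.krbtgt_key = os.urandom(32)  # protects TGTs; never leaves B
        self.service_keys = {}            # SPN -> secret shared with that service (C)
    def register_service(self, spn):
        return self.service_keys.setdefault(spn, os.urandom(32))
    def login(self, user):  # step 1: A authenticates to B and receives a TGT
        return seal(self.krbtgt_key, {"user": user, "exp": time.time() + 600})
    def service_ticket(self, tgt, spn):  # step 3: agent presents the TGT, asks for an SR for C
        who = unseal(self.krbtgt_key, tgt)  # B verifies the TGT it issued itself
        # The SR is encrypted with the B-C shared secret, so only C can read it.
        return seal(self.service_keys[spn],
                    {"user": who["user"], "spn": spn, "exp": time.time() + 600})

class SecurityGateway:  # C: holds only its own shared secret with B
    def __init__(self, spn, key):
        self.spn, self.key = spn, key
    def identify(self, ticket):  # step 5: decrypt with the shared secret, identify A
        t = unseal(self.key, ticket)  # C needs no online call to B for this
        if t["spn"] != self.spn or t["exp"] < time.time():
            raise ValueError("ticket is not valid for this gateway")
        return t["user"]

def sso_flow(user):
    dc = DomainController()
    spn = "gw.example.local"  # constructed SPN for C
    gw = SecurityGateway(spn, dc.register_service(spn))
    tgt = dc.login(user)              # step 1
    sr = dc.service_ticket(tgt, spn)  # step 3; step 4 is the agent forwarding sr to C
    return gw.identify(sr)            # step 5
```

A ticket sealed for a different service, or one modified in transit, fails the integrity check at C because it was not produced under C's shared secret.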