Print Download PDF Send Feedback

Previous

Next

Comparison of Acquisition Sources

These tables show how identity sources are different in terms of usage and deployment considerations. Based on these considerations, you can configure Identity Awareness to use one or more identity of these identity sources.

Browser-Based Authentication - Captive Portal

Unidentified users log in with a user name and password in a Captive Portal. After authentication, the user clicks a link to go to the destination address.

Recommended Usage

Deployment Considerations

  • Identity based enforcement for non-AD users (non-Windows and guest users)
  • You can require deployment of Endpoint Identity Agents
  • Used for identity enforcement (not intended for logging purposes).

Browser-Based Authentication - Transparent Kerberos Authentication

The Transparent Kerberos Authentication Single-Sign On (SSO) solution transparently authenticates users already logged into the AD. This means that when a user authenticates to the domain, user gets access to all authorized network resources and does not have to enter credentials again. If Transparent Kerberos Authentication fails, the user is redirected to the Captive Portal for manual authentication.

Note -The Endpoint Identity Agent download link and the Automatic Logout option are ignored when Transparent Kerberos Authentication SSO is successful. This is so, because the user does not see the Captive Portal.

Recommended Usage

Deployment Considerations

  • In AD environments, when known users are already logged in to the domain.
  • Used for identity enforcement only (not intended for logging purposes)
  • Transparent Kerberos Authentication does not use Endpoint Identity Agents or the Keep Alive feature.

AD Query

Gets identity data seamlessly from Active Directory (AD).

Recommended Usage

Deployment Considerations

  • Identity-based auditing and logging.
  • Leveraging identity in Internet application control.
  • Basic identity enforcement in the internal network.
  • Easy configuration (requires AD administrator credentials). For organizations that prefer not to allow administrator users to be used as service accounts on third party devices, there is an option to configure AD Query without AD administrator privileges, see sk43874.
  • Preferred for Desktop users.
  • Only detects AD users and computers.

Endpoint Identity Agent

A lightweight Endpoint Identity Agent authenticates users securely with Single Sign-On (SSO).

Recommended Usage

Deployment Considerations

  • Identity enforcement for Data Centers.
  • Protecting highly sensitive servers.
  • When accuracy in detecting identity is crucial.

Terminal Servers Endpoint Identity Agent

Identifies multiple users who connect from one IP address. A terminal Server Endpoint Identity Agent is installed on the application server, which hosts the terminal/Citrix services.

Recommended Usage

Deployment Considerations

  • Identify users, who use Terminal Servers, or a Citrix environment.

RADIUS Accounting

You can configure a Identity Awareness Gateway to use RADIUS Accounting to get user and computer identities directly from a RADIUS accounting client. Identity Awareness Gateway uses this information to apply access permissions to the connection.

RADIUS Accounting gets identity data from RADIUS Accounting Requests generated by the RADIUS accounting client. Identity Awareness Gateway uses the data from these requests to get user and device group information from the LDAP server. Firewall rules apply these permissions to users, computers and networks.

Recommended Usage

Deployment Considerations

  • In environments, where authentication is handled by a RADIUS server.
  • You must configure the RADIUS accounting client to send RADIUS accounting requests to the Identity Awareness Gateway.
  • You must give the RADIUS client access permissions and create a shared secret.

Identity Collector

The Identity Collector is a Windows-based application, which collects identity information and sends it to the Identity Awareness Gateways for identity enforcement.

Recommended Usage

Deployment Considerations

  • Works with Microsoft Active Directory Domain Controller in large scale environments.
  • Integrates with Cisco Identity Services Engine.
  • Requires Event Log Readers permission credentials.

Identity Web API

The Web API is a flexible identity source that you can use for simple integration with 3rd party security and identity products.

Recommended Usage

Deployment Considerations

  • Integrates with 3rd party security products, such as ForeScout CounterACT and Aruba Networks ClearPass.
  • Integrates Identity Awareness with authentication systems that Check Point does not regularly support.
  • Does system administration tasks such as quick checks of users' IP address.
  • You must properly configure the accessibility and the list of authorized API clients.
  • You must create a separate shared secret for each API client.

Remote Access

Users, who get access using IPsec VPN Office Mode can authenticate seamlessly.

Recommended Usage

Deployment Considerations

  • Identify and apply identity-based security Policy on users that access the organization through VPN.