Configuring Endpoint Identity Agents
Endpoint Identity Agent Deployment Methods
There are different Endpoint Identity Agent deployment methods:
- Using Captive Portal - You can require users to download the Endpoint Identity Agent from the Captive Portal. You can also let users install the Endpoint Identity Agent on a specified later date and not right away. During installation, the Endpoint Identity Agent automatically detects if there are administrator permissions on the computer or not and installs itself accordingly.
Notes:
- When you deploy the Full Endpoint Identity Agent, the user that installs the client must have administrator rights on the computer. If the user does not have administrator permissions, the Light Endpoint Identity Agent is installed instead.
- When users authenticate with the transparent portal, the download link does not show. They must install the agent from the distribution media.
- Using distribution software - You can deploy the Endpoint Identity Agent with distribution software. You can find the MSI installation files (Light and Full) on the Identity Awareness Gateway:
$NACPORTAL_HOME/htdocs/nac/nacclients/customAgent.msi
Configuring Endpoint Identity Agent Deployment from Captive Portal
To configure Endpoint Identity Agent deployment from Captive Portal:
- From the Identity Awareness page, select the checkbox.
- Select and click .
- From the window, select the checkbox to make users install the Endpoint Identity Agent. Select which Endpoint Identity Agent they must install. If you select this option and you do not select the defer option, users can only access the network if they install the Endpoint Identity Agent.
- To give users flexibility to choose when they install the Endpoint Identity Agent, select . Select the date by which they must install it. Until that date a Skip Endpoint Identity Agent installation option shows in the Captive Portal.
- Click .
Configuring Endpoint Identity Agent Deployment for User Groups
When necessary, you can configure specific groups to download the Endpoint Identity Agent. For example, you might have a group of mobile users who roam and must stay connected as they move between networks.
To configure Endpoint Identity Agent deployment for user groups:
- From the Identity Awareness page, select the checkbox.
- Select and click .
- Select and click .
- Select - You can add user groups and give them settings that are different from other users. Settings specified for a user group here override settings configured elsewhere in the Portal Settings. The options that you configure for each user group are:
- If they must accept a user agreement.
- If they must download the Endpoint Identity Agent and which one.
- If they can defer the Endpoint Identity Agent installation and until when.
- Click .
Configuring Endpoint Identity Agents in SmartConsole
In the section of the Identity Awareness page, select to configure Endpoint Identity Agent settings.
To configure the Endpoint Identity Agent settings:
- Select and click .
- From the window, configure:
- Endpoint Identity Agent Access Settings
Click to open the window. In this window, you can configure:
- Authentication Settings
Click to open the window. In this window you can configure:
The default is that all user directory options are selected. You might choose only one or two options if users are only from a specified directory or directories and you want to maximize Security Gateway performance when users authenticate. Users with identical user names must log in with domain\user.
- Session details
- Endpoint Identity Agent Upgrades
Endpoint Identity Agent Access
Click to select from where the Endpoint Identity Agent can be accessed. The options are based on the topology configured for the Security Gateway.
Users can communicate with the servers if they use networks connected to these interfaces.
- - the Endpoint Identity Agent is accessible through interfaces associated with source networks that appear in access rules used in the Firewall Policy
Session
Configure data for the logged in session using the Endpoint Identity Agent.
- - The interval at which the Endpoint Identity Agent sends a keepalive signal to the Security Gateway. If the keepalive is not sent, the server assumes that the user logged out. Lower values affect bandwidth and network performance.
- - How long users can access network resources before they must authenticate again. This setting is irrelevant when SSO is used.
- - When SSO is not enabled, you can let users save the passwords they enter in the Endpoint Identity Agent login window.
Endpoint Identity Agent Upgrades
Configure data for Endpoint Identity Agent upgrades.
- - You can select all users or select specific user groups that should be checked for Endpoint Identity Agent upgrades.
- - the system will only upgrade versions that are no longer compatible.
- - settings made by users before the upgrade are saved.
- - the Endpoint Identity Agent is automatically updated in the background without asking the user for upgrade confirmation.
Note - When you install or upgrade the Full Endpoint Identity Agent version, the user will experience a momentary loss of connectivity.
Troubleshooting Authentication Issues
Some users cannot authenticate with the Endpoint Identity Agent
This issue can occur in Kerberos environments with a very large Domain Controller database. The authentication failure occurs when the CCC message size is larger than the default maximum size. You can increase the maximum CCC message size to prevent this error.
To increase the maximum CCC message size, use the procedure in sk66087.
Transparent Portal Authentication fails for some users
This issue can occur for users that try to authenticate with Kerberos authentication with the transparent portal. The user sees a page with this message:
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
The authentication failure occurs because the HTTP request header is larger than the default maximum size. You can increase the maximum HTTP request header size to prevent this error.
To increase the maximum HTTP request header size, use the procedure in sk92802.
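To size the new limit, you can measure which header field in a captured request from an affected user is too large. The script below is an added example, not part of the product documentation or sk92802. With Kerberos, the ticket travels in the `Authorization: Negotiate` header, so the script also reports the decoded token size. The function names, the sample request and the `SAMPLE_LIMIT` value are assumptions for illustration, and `SAMPLE_LIMIT` is not the gateway's default.

```python
import base64

# Assumption: sample limit for illustration only; this page does not
# state the gateway's default maximum header size.
SAMPLE_LIMIT = 8190


def oversized_header_fields(raw_request: bytes, limit: int = SAMPLE_LIMIT):
    """Return (name, field_line_bytes, negotiate_token_bytes) for every
    header field line in raw_request that is longer than limit.
    negotiate_token_bytes is None unless the field is a well-formed
    'Authorization: Negotiate <base64>' header."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    findings = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if len(line) <= limit:
            continue
        name, _, value = line.partition(b":")
        token_len = None
        parts = value.strip().split(None, 1)
        if (name.strip().lower() == b"authorization"
                and len(parts) == 2
                and parts[0].lower() == b"negotiate"):
            try:
                token_len = len(base64.b64decode(parts[1], validate=True))
            except ValueError:  # malformed base64: report the size only
                token_len = None
        findings.append((name.decode("latin-1").strip(), len(line), token_len))
    return findings


def build_sample_request(token_bytes: int) -> bytes:
    """Constructed request carrying a dummy Negotiate token (all zero
    bytes, not a real Kerberos ticket) of token_bytes bytes."""
    token = base64.b64encode(b"\x00" * token_bytes)
    return (b"GET / HTTP/1.1\r\n"
            b"Host: portal.example\r\n"
            b"Authorization: Negotiate " + token + b"\r\n\r\n")


if __name__ == "__main__":
    for size in (3000, 9000):
        print(size, oversized_header_fields(build_sample_request(size)))
```

Run it against a request captured from a failing user and choose a limit above the largest reported field size.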