Print Download PDF Send Feedback

Previous

Next

Identity Agents

Endpoint Identity Agents are dedicated client agents that are installed on user endpoint computers. These Endpoint Identity Agents acquire and report identities to the Identity Awareness Gateway. As the administrator, you, not the users, configure these Endpoint Identity Agents.

There are three types of Endpoint Identity Agents - Full, Light and Custom:

Endpoint Identity Agent

Description

Full

Predefined Endpoint Identity Agent that includes packet tagging and computer authentication.
It applies to all users on the computer, on which it is installed.
Administrator permissions are required to use the Full Endpoint Identity Agent type. For the Full Endpoint Identity Agent, you can enforce IP spoofing protection. You can also leverage computer authentication, if you define computers in Access Roles.

Light

Predefined Endpoint Identity Agent that does not include packet tagging and computer authentication.
You can install this Endpoint Identity Agent individually for each user on the target computer.
Administrator permissions are not required to use the Light Endpoint Identity Agent type.

Custom

Configure custom features for all computers that use this Endpoint Identity Agent, such as MAD services and packet tagging.
The Custom Endpoint Identity Agent is a customized installation package.

Note - Make sure to use the correct Endpoint Identity Agent for your environment.

This table shows the similarities and differences of the Light and Full Endpoint Identity Agent types.

 

Endpoint Identity Agent Light

Endpoint Identity Agent Full

Installation Elements

Endpoint Identity Agent format

Resident application

Resident application + service + driver

Installation permissions

None

administrator

Upgrade permissions

None

None

Security Features

User identification

SSO

SSO

Computer identification

No

Yes

IP change detection

Yes

Yes

Packet tagging

No

Yes

The installation file size is 7MB for both types. The installation takes less than a minute.

The Capabilities of Endpoint Identity Agents

Using Endpoint Identity Agents gives you:

Item

Description

User identification

Users that log in to the Active Directory domain are transparently authenticated (with SSO) and identified when using an Endpoint Identity Agent.
If you do not configure SSO, or you disable it, the Endpoint Identity Agent uses username and password authentication with a standard LDAP server.
The system opens a window for entering credentials.

Computer identification

You get computer identification when you use the Full Endpoint Identity Agent, as it requires installing a service.

Seamless connectivity

Transparent authentication using Kerberos Single Sign-On (SSO), when users are logged in to the domain.
Users, who do not want to use SSO, enter their credentials manually. You can let users save these credentials.

IP change detection

When an endpoint IP address changes (interface roaming, or DHCP assigns a new IP address), the Endpoint Identity Agent automatically detects the change and reconnects.

Added security

You can use the patented packet tagging technology to prevent IP Spoofing.
Packet tagging is available for the Full Endpoint Identity Agent, because it requires installation of a driver.
Endpoint Identity Agent also gives you strong (Kerberos-based) user and computer authentication.

Packet tagging

A technology that prevents IP spoofing is available only for the Full Endpoint Identity Agent, as it requires installing a driver.

Packet Tagging for Anti-Spoofing

IP Spoofing happens when an unauthorized user assigns an IP address of an authenticated user to an endpoint computer. By doing so, the user bypasses identity access enforcement rules. It is also possible to poison ARP tables that let users do ARP "man-in-the-middle attacks" that keep a continuous spoofed connectivity status.

To protect packets from IP spoofing attempts, you can enable Packet Tagging. Packet Tagging is a patent pending technology that prevents spoofed connections from passing through the Identity Awareness Gateway. This is done by a joint effort between the Endpoint Identity Agent and the Identity Awareness Gateway that uses a unique technology that sign packets with a shared key.

To see Packet Tagging logs in SmartConsole:

  1. From the Navigation Toolbar, click Logs & Monitor.
  2. At the top, click the Logs tab.
  3. In the Query field, enter:

    blade:"Identity Awareness"

    You can also click Queries > Predefined > Access > Identity Awareness Blade > All.

The Successful status indicates that a successful key exchange happened.

Note - Packet Tagging can only be set on computers installed with the Full Endpoint Identity Agent.

To enable IP Spoofing protection:

  1. Make sure users have the Full Endpoint Identity Agent installed.
  2. Create an Access Role.
  3. In the Machines tab, select Enforce IP spoofing protection (requires full Endpoint Identity Agent).
  4. Click OK.

Downloading Endpoint Identity Agent

Users download the Endpoint Identity Agent from the Captive Portal and then authenticate to the Identity Awareness Gateway.

Item

Description

1

User that is trying to connect to the internal network

2

Identity Awareness Gateway

3

Active Directory domain controller

4

Internal network

This is a high-level overview of the Identity Awareness authentication process:

  1. A user logs in to a computer with credentials, and tries to access the Internal Data Center.
  2. The Identity Awareness Gateway does not recognize the user and redirects it to the Captive Portal.
  3. The user sees the Captive Portal page, with a link to download the Endpoint Identity Agent.
  4. The user downloads the Endpoint Identity Agent from the Captive Portal and installs it.
  5. The Endpoint Identity Agent client connects to the Identity Awareness Gateway.

    Note - If SSO with Kerberos is configured, the user is automatically connected.

  6. The user is authenticated.
  7. The Identity Awareness Gateway sends the connection to its destination according to the Firewall Rule Base.