Acquiring Identities with Endpoint Identity Agents

Scenario: Endpoint Identity Agent Deployment and User Group Access

The ACME organization wants to make sure that only the Finance department can access the Finance Web server. The current Rule Base uses static IP addresses to define access for the Finance department.

Amy, the IT administrator wants to leverage the use of Endpoint Identity Agents so:

• Finance users will automatically be authenticated one time with SSO when logging in (using Kerberos, which is built-in into Microsoft Active Directory).
• Users that roam the organization will have continuous access to the Finance Web server.
• Access to the Finance Web server will be more secure by preventing IP spoofing attempts.

Amy wants Finance users to download the Endpoint Identity Agent from the Captive Portal. She needs to configure:

• Endpoint Identity Agents as an identity source for Identity Awareness.
• Endpoint Identity Agent deployment for the Finance department group from the Captive Portal. She needs to deploy the Full Endpoint Identity Agent so she can set the IP spoofing protection. No configuration is necessary on the client for IP spoofing protection.
• A rule in the Rule Base with an Access Role for Finance users, from all managed computers and from all locations with IP spoofing protection enabled.

After configuration and policy install, users that browse to the Finance Web server will get the Captive Portal and can download the Endpoint Identity Agent.

User Experience

A Finance department user does this:

1. Browses to the Finance Web server.

   The Captive Portal opens because the user is not identified and cannot access the server. A link to download the Endpoint Identity Agent is shown.

2. The user clicks the link to download the Endpoint Identity Agent.

   The user automatically connects to the Security Gateway. A window opens asking the user to trust the server.

   Note - The trust window opens because the user connects to the Identity Awareness Gateway, with the File name based server discovery option. There are other server discovery methods, which do not require user trust confirmation.

3. Click OK. The user automatically connects to the Finance Web server.

   The user can successfully browse to the internet for a specified time.

Required SmartConsole Configuration

To make this scenario work, the IT administrator must:

1. Enable Identity Awareness Software Blade on a Security Gateway.
2. Select Endpoint Identity Agents and Browser-Based Authentication as Identity Sources.
3. Click the Browser-Based Authentication Settings button.
4. In the Portal Settings window in the Users Access section, select Name and password login.
5. In the Endpoint Identity Agent Deployment from the Portal, select Require users to download and select Endpoint Identity Agent - Full option.

   Note - This configures Endpoint Identity Agent for all users. Alternatively, you can set Endpoint Identity Agent download for a specific group.

6. Configure Kerberos SSO.
7. Create a rule in the Firewall Rule Base that lets only Finance department users access the Finance Web server and install the Access Policy:
   1. From the Source of the rule, right-click to create an Access Role.
   2. Enter a Name for the Access Role.
   3. In the Networks tab, select Specific users and add the Active Directory Finance user group.
   4. In the Users tab, select All identified users.
   5. In the Machines tab, select All identified machines and select Enforce IP spoofing protection (requires Full Endpoint Identity Agent).
   6. Click OK.

      The Access Role is added to the rule.

8. Install the Access Policy.

What's Next

Other options that can be configured for Endpoint Identity Agents:

• A method that determines how Endpoint Identity Agents connect to an Identity Awareness Gateway and trusts it. In this scenario, the File Name server discovery method is used.
• Access Roles to leverage computer awareness.
• End user interface protection so users cannot access the client settings.
• Let users defer client installation for a set time and ask for user agreement confirmation. See User Access.

  Configure what users can do in the Captive Portal to become identified and access the network.

  • Name and password login- Users are prompted to enter an existing username and password. This will only let known users authenticate.
  • Unregistered guests login - Let guests who are not known by the Security Gateway access the network after they enter required data.

User Identification in the Logs

The log in the Logs & Monitor > Logs tab shows how the system recognizes a guest.

The log entry shows that the system maps the source IP address with the user identity. In this case, the identity is "guest" because that is how the user is identified in the Captive Portal.