
Acquiring Identities with Endpoint Identity Agents

Scenario: Endpoint Identity Agent Deployment and User Group Access

The ACME organization wants to make sure that only the Finance department can access the Finance Web server. The current Rule Base uses static IP addresses to define access for the Finance department.

Amy, the IT administrator, wants to use Endpoint Identity Agents so:

Amy wants Finance users to download the Endpoint Identity Agent from the Captive Portal. She needs to configure:

After configuration and policy install, users that browse to the Finance Web server will get the Captive Portal and can download the Endpoint Identity Agent.

User Experience

A Finance department user does this:

  1. Browses to the Finance Web server.

    The Captive Portal opens because the user is not identified and cannot access the server. A link to download the Endpoint Identity Agent is shown.

  2. The user clicks the link to download the Endpoint Identity Agent.

    The Endpoint Identity Agent connects automatically to the Security Gateway. A window opens asking the user to trust the server.

    Note - The trust window opens because the agent connects to the Identity Awareness Gateway with the File name based server discovery option. Other server discovery methods do not require the user to confirm trust.

  3. The user clicks OK and is automatically connected to the Finance Web server.

    The user is now identified and can successfully browse to the internet for the configured session time.

Required SmartConsole Configuration

To make this scenario work, the IT administrator must:

  1. Enable Identity Awareness Software Blade on a Security Gateway.
  2. Select Endpoint Identity Agents and Browser-Based Authentication as Identity Sources.
  3. Click the Browser-Based Authentication Settings button.
  4. In the Portal Settings window in the Users Access section, select Name and password login.
  5. In the Endpoint Identity Agent Deployment from the Portal section, select Require users to download and choose the Endpoint Identity Agent - Full option.

    Note - This configures Endpoint Identity Agent for all users. Alternatively, you can set Endpoint Identity Agent download for a specific group.

  6. Configure Kerberos SSO.
  7. Create a rule in the Firewall Rule Base that lets only Finance department users access the Finance Web server:
    1. From the Source of the rule, right-click to create an Access Role.
    2. Enter a Name for the Access Role.
    3. In the Networks tab, select Any network, because access is decided by identity rather than by static IP addresses.
    4. In the Users tab, select Specific users and add the Active Directory Finance user group.
    5. In the Machines tab, select All identified machines and select Enforce IP spoofing protection (requires Full Endpoint Identity Agent).
    6. Click OK.

      The Access Role is added to the rule.

  8. Install the Access Policy.
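The following is an added example, not code from the Check Point documentation or product: a small Python model of how the Access Role built in step 7 is evaluated against identity sessions, so that the effect of each tab (Any network, Specific users, All identified machines, IP spoofing protection) and of the Captive Portal redirect and session timeout can be checked offline. The IP addresses, user names, AD group name, session timeout and the session-table layout are all constructed assumptions and do not reflect product internals.

```python
# Added example, not from the Check Point documentation: a small model of how
# the Finance Access Role from step 7 is evaluated against identity sessions.
# All object names, IP addresses, users, the AD group and the session store
# layout are constructed for illustration and are assumptions, not product internals.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Dict, List, Optional, Set

FINANCE_WEB = ip_address("10.1.10.50")   # constructed: the Finance Web server
FINANCE_GROUP = "ACME\\Finance"          # constructed: the AD Finance user group
SESSION_TTL = 8 * 3600                   # seconds; stands in for the configured session timeout


@dataclass
class IdentitySession:
    """What the gateway has learned about one source IP after identification."""
    user: str
    groups: Set[str]
    machine: Optional[str]   # None when only the user, not the machine, was identified
    agent: str               # "full" or "light" Endpoint Identity Agent, or "portal" (browser login only)
    created: float

    def expired(self, now: float) -> bool:
        return now - self.created > SESSION_TTL


@dataclass
class AccessRole:
    """Mirrors the three tabs of the Access Role built in step 7."""
    name: str
    user_groups: Set[str]                    # Users tab: Specific users (AD groups)
    identified_machines_only: bool = True    # Machines tab: All identified machines
    enforce_ip_spoofing: bool = True         # needs the Full agent to vouch for the IP-to-user binding

    def matches(self, session: Optional[IdentitySession]) -> bool:
        # Networks tab is "Any network", so only identity decides the match.
        if session is None:
            return False
        if not (session.groups & self.user_groups):
            return False
        if self.identified_machines_only and session.machine is None:
            return False
        if self.enforce_ip_spoofing and session.agent != "full":
            return False
        return True


class Gateway:
    """Tiny stand-in for the Identity Awareness gateway's session table and Rule Base."""

    def __init__(self, finance_role: AccessRole):
        self.role = finance_role
        self.sessions: Dict[IPv4Address, IdentitySession] = {}
        self.log: List[dict] = []

    def login(self, src: str, user: str, groups: Set[str], machine: Optional[str],
              agent: str, now: float) -> None:
        """Record an identity for a source IP (Captive Portal login or agent connection)."""
        self.sessions[ip_address(src)] = IdentitySession(user, set(groups), machine, agent, now)

    def session_for(self, src: str) -> Optional[IdentitySession]:
        return self.sessions.get(ip_address(src))

    def decide(self, src: str, dst: str, now: float) -> str:
        """Return ACCEPT, DROP or REDIRECT_CAPTIVE_PORTAL for one connection."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        session = self.sessions.get(src_ip)
        if session is not None and session.expired(now):
            del self.sessions[src_ip]           # session timed out; the user must identify again
            session = None

        if dst_ip == FINANCE_WEB and self.role.matches(session):
            action = "ACCEPT"                   # rule: Finance Access Role -> Finance Web server
        elif dst_ip == FINANCE_WEB and session is None:
            action = "REDIRECT_CAPTIVE_PORTAL"  # unidentified: offer login and agent download
        else:
            action = "DROP"                     # cleanup rule (constructed: nothing else is allowed)

        # As in the log entry described under "User Identification in the Logs",
        # the record maps the source IP to the identity it was matched with.
        self.log.append({"src": str(src_ip), "dst": str(dst_ip),
                         "user": session.user if session else "unidentified",
                         "action": action})
        return action


def finance_role() -> AccessRole:
    return AccessRole("Finance_Users", {FINANCE_GROUP})


if __name__ == "__main__":
    gw = Gateway(finance_role())
    t0 = 1_700_000_000.0
    print(gw.decide("10.1.20.7", "10.1.10.50", t0))                    # REDIRECT_CAPTIVE_PORTAL
    gw.login("10.1.20.7", "amy", {FINANCE_GROUP}, "PC-FIN-01", "full", t0)
    print(gw.decide("10.1.20.7", "10.1.10.50", t0 + 60))               # ACCEPT
    print(gw.decide("10.1.20.7", "10.1.10.50", t0 + SESSION_TTL + 1))  # REDIRECT_CAPTIVE_PORTAL
```

The model makes two points visible that the procedure only states: a Finance user who logged in through the Captive Portal but did not install the Full agent does not match the role once Enforce IP spoofing protection is selected, and an identified non-Finance user is dropped rather than sent back to the portal, because the redirect is only for unidentified sources.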

What's Next

Other options that can be configured for Endpoint Identity Agents:

User Identification in the Logs

The log in the Logs & Monitor > Logs tab shows how the system identified a guest user.

The log entry shows that the system maps the source IP address with the user identity. In this case, the identity is "guest" because that is how the user is identified in the Captive Portal.