Acquiring Identities with Endpoint Identity Agents
Scenario: Endpoint Identity Agent Deployment and User Group Access
The ACME organization wants to make sure that only the Finance department can access the Finance Web server. The current Rule Base uses static IP addresses to define access for the Finance department.
Amy, the IT administrator, wants to leverage Endpoint Identity Agents so that:
- Finance users are authenticated automatically, one time, with SSO when they log in (using Kerberos, which is built into Microsoft Active Directory).
- Users that roam the organization will have continuous access to the Finance Web server.
- Access to the Finance Web server will be more secure by preventing IP spoofing attempts.
Amy wants Finance users to download the Endpoint Identity Agent from the Captive Portal. She needs to configure:
- as an identity source for Identity Awareness.
- Endpoint Identity Agent deployment for the Finance department group from the Captive Portal. She needs to deploy the Full Endpoint Identity Agent so that she can enable IP spoofing protection. No configuration is necessary on the client for IP spoofing protection.
- A rule in the Rule Base with an Access Role for Finance users, from all managed computers and from all locations with IP spoofing protection enabled.
After configuration and policy install, users that browse to the Finance Web server are redirected to the Captive Portal and can download the Endpoint Identity Agent from there.
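The access decision this scenario relies on, as an added illustration that is not Check Point's code or configuration: a small Python model in which the gateway maps source IP addresses to identity sessions reported by the agent and evaluates the Finance rule. The `agent_tagged` flag is a simplified stand-in for the Full agent's IP spoofing protection, and all addresses, user names and group names are constructed.

```python
from dataclasses import dataclass, field

# Constructed address for the Finance Web server (not from the original page).
FINANCE_SERVER = "10.0.5.20"


@dataclass(frozen=True)
class IdentitySession:
    user: str
    groups: frozenset
    full_agent: bool   # only the Full agent provides IP spoofing protection


@dataclass
class Gateway:
    # Source IP -> identity session learned from the Endpoint Identity Agent.
    sessions: dict = field(default_factory=dict)

    def agent_login(self, ip, user, groups, full_agent=True):
        """One Kerberos SSO login; the agent reports the identity once."""
        self.sessions[ip] = IdentitySession(user, frozenset(groups), full_agent)

    def roam(self, old_ip, new_ip):
        """The agent keeps the user identified when the client gets a new IP."""
        self.sessions[new_ip] = self.sessions.pop(old_ip)

    def evaluate(self, src_ip, dst_ip, agent_tagged):
        """Return the action for a connection to the Finance Web server.

        agent_tagged is a simplified stand-in (assumption, not the product's
        mechanism) for the Full agent's spoofing protection: traffic that does
        not originate from the identified client's agent is not accepted just
        because it uses an already identified source IP.
        """
        if dst_ip != FINANCE_SERVER:
            return "no-match"
        session = self.sessions.get(src_ip)
        if session is None:
            # Unidentified user: the Captive Portal offers the agent download.
            return "redirect-captive-portal"
        if session.full_agent and not agent_tagged:
            # Identified IP, but not the agent's own traffic: possible spoofing.
            return "drop"
        if "Finance" not in session.groups:
            return "drop"   # identified, but not in the Finance Access Role
        return "accept"
```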
User Experience
A Finance department user does this:
- Browses to the Finance Web server.
The Captive Portal opens because the user is not identified and cannot access the server. A link to download the Endpoint Identity Agent is shown.
- The user clicks the link to download the Endpoint Identity Agent.
The user automatically connects to the Security Gateway. A window opens asking the user to trust the server.
Note - The trust window opens because the user connects to the Identity Awareness Gateway, with the discovery option. There are other server discovery methods, which do not require user trust confirmation.
- Click . The user automatically connects to the Finance Web server.
The user can successfully browse to the internet for a specified time.
Required SmartConsole Configuration
To make this scenario work, the IT administrator must:
- Enable Software Blade on a Security Gateway.
- Select and as .
- Click the Browser-Based Authentication button.
- In the Portal Settings window in the section, select .
- In the Endpoint Identity Agent Deployment from the Portal, select and select option.
Note - This configures Endpoint Identity Agent for all users. Alternatively, you can set Endpoint Identity Agent download for a specific group.
- Configure Kerberos SSO.
- Create a rule in the Firewall Rule Base that lets only Finance department users access the Finance Web server and install the Access Policy:
- From the of the rule, right-click to create an .
- Enter a for the Access Role.
- In the Networks tab, select and add the Active Directory Finance user group.
- In the Users tab, select .
- In the tab, select and select.
- Click.
The Access Role is added to the rule.
- Install the Access Policy.
What's Next
Other options that can be configured for Endpoint Identity Agents:
- A method that determines how Endpoint Identity Agents connect to an Identity Awareness Gateway and trust it. In this scenario, the File Name server discovery method is used.
- Access Roles to leverage computer awareness.
- End user interface protection so users cannot access the client settings.
- Let users defer client installation for a set time and ask for user agreement confirmation. See User Access.
Configure what users can do in the Captive Portal to become identified and access the network.
- - Users are prompted to enter an existing username and password. This will only let known users authenticate.
- - Let guests who are not known by the Security Gateway access the network after they enter required data.
User Identification in the Logs
The log in the > tab shows how the system recognizes a guest.
The log entry shows that the system maps the source IP address with the user identity. In this case, the identity is "guest" because that is how the user is identified in the Captive Portal.