Configuring Identity Agents

Identity Agent Deployment Methods

There are different Identity Agent deployment methods:

Using Captive Portal - You can require users to download the Identity Agent from the Captive Portal. You can also let users install the Identity Agent on a specified later date and not right away. During installation, the Identity Agent automatically detects if there are administrator permissions on the computer or not and installs itself accordingly.
Notes:
- When you deploy the Full Identity Agent, the user that installs the client must have administrator rights on the computer. If the user does not have administrator permissions, the Light Identity Agent is installed instead.
- When users authenticate with the transparent portal, the download link does not show. They must install the agent from the distribution media.
Using distribution software - You can deploy the Identity Agent with distribution software. You can find the MSI installation files (Light and Full) on the Identity Awareness Gateway: $NACPORTAL_HOME/htdocs/nac/nacclients/customAgent.msi

Configuring Identity Agent Deployment from Captive Portal

To configure Identity Agent deployment from Captive Portal:

From the Identity Awareness page, select the Identity Agents checkbox.
Select Browser-Based Authentication and click Settings.
From the Portal Settings window, select the Require users to download checkbox to make users install the Identity Agent. Select which Identity Agent they must install. If you select this option and you do not select the defer option, users will can only access the network if they install the Identity Agent.
To give users flexibility to choose when they install the Identity Agent, select Users may defer installation until. Select the date by which they must install it. Until that date a Skip Identity Agent installation option shows in the Captive Portal.
Click OK.

Configuring Identity Agent Deployment for User Groups

When necessary, you can configure specific groups to download the Identity Agent. For example, if you have a group of mobile users that roam and it is necessary for them to stay connected as they move between networks.

To configure Identity Agent deployment for user groups:

From the Identity Awareness page, select the Identity Agent checkbox.
Select Browser-Based Authentication and click Settings.
Select Name and password login and click Settings.
Select Adjust portal settings for specific user groups - You can add user groups and give them settings that are different from other users. Settings specified for a user group here override settings configured elsewhere in the Portal Settings. The options that you configure for each user group are:
- If they must accept a user agreement.
- If they must download the Identity Agent and which one.
- If they can defer the Identity Agent installation and until when.
Click OK.

Server Discovery and Trust

Before the Identity Agent can connect to an Identity Awareness Gateway, the Identity Agent must discover and trust the server, to which it connects. There are several methods to configure this. The basic method is to configure one server. Another method is to deploy a domain-wide Policy, to connect to an Identity Awareness Gateway, based on the Identity Agent client current location.

Server Trust makes sure that the Identity Agent connects to a genuine Identity Awareness Gateway. It makes sure that the communication between the Identity Agent and the Security Gateway is secure. For example, Server Trust blocks man-in-the-middle attacks.

Trust is made with when the server fingerprint matches the expected fingerprint, as calculated during the SSL handshake.

There are different server discovery and trust methods:

Discovery and Trust Method	Description
File name based server configuration	If no other method is configured (out of the box situation), the Identity Agent downloaded from the Captive Portal is renamed to include the Captive Portal computer IP address in its name. During installation, the Identity Agent uses this IP address for the Identity Awareness Gateway. Users manually accept the server in the Trust window.
AD based configuration	If the Identity Agent computers are members of an Active Directory domain, deploy the server IP addresses and trust data with a dedicated Distributed Configuration tool (installed as a part of the Identity Agent).
DNS SRV record based server discovery	Configure the Identity Awareness Gateway's addresses on the DNS server. Users manually accept the server in the Trust window. Note - This is the only server discovery method for the Mac OS Identity Agent.
Remote registry	All client configurations, including Identity Server IP addresses and trust data, are in the Windows OS Registry. Deploy these values before installing the client (by GPO, or other method that lets you remotely control the Windows registry). The Identity Agent uses the data immediately.
Prepackaging Custom Identity Agents	Create a custom version of the Identity Agent installation that comes with the Identity Awareness Gateway.

Configuring Identity Agents in SmartConsole

In the Identity Sources section of the Identity Awareness page, select Identity Agents to configure Identity Agent settings.

To configure the Identity Agent settings:

Select Identity Agents and click Settings.
From the Identity Agents Settings window, configure:
- Identity Agent Access Settings
  Click Edit to open the Portal Access Settings window. In this window, you can configure:
  - Main URL - The primary URL that users are redirected to for the Captive Portal. You might have already configured this in the Identity Awareness Configuration wizard.
  - Aliases - Click the Aliases button to Add URL aliases that are redirected to the main portal URL. For example, ID.yourcompany.com can send users to the Captive Portal. To make the alias work, it must be resolved to the main URL on your DNS server.
  - Certificate - Click Import to import a certificate for the portal website to use. If you do not import a certificate, the portal uses a Check Point auto-generated certificate. This can cause browser warnings if the browser does not recognize Check Point as a trusted Certificate Authority. See Server Certificates for more details.
  - Accessibility - Click Edit to select from where the portal can be accessed. You might have already configured this in the Identity Awareness Wizard. The options are based on the topology configured for the Security Gateway.
    Users are sent to the Captive Portal, if they use networks connected to these interfaces.
    - Through all interfaces
    - Through internal interfaces
      Including undefined internal interfaces
      Including DMZ internal interfaces
      Including VPN encrypted interfaces
    - According to the Firewall policy - Select this if there is a rule that states who can access the portal.
- Authentication Settings
  Click Settings to open the Authentication Settings window. In this window you can configure:
  - Browser transparent Single Sign-On - Select Automatically authenticate users from computers in the domain if Transparent Kerberos Authentication is used to identify users.
    - Main URL: The URL used to begin the SSO process. If transparent authentication fails, users are redirected to the configured Captive Portal. This URL contains the DNS name or IP address of Identity Awareness Gateway.
    Note - The Identity Agent download link and the Automatic Logout option are ignored when Transparent Kerberos Authentication SSO is successful. This is so because users do not see the Captive Portal.
  - Authentication Method - Select one method that known users must use to authenticate.
    - Defined on user record (Legacy Authentication) - Takes the authentication method from Gateway Object Properties > Other > Legacy Authentication.
    - User name and password - This can be configured internally or on an LDAP server.
    - RADIUS - A configured RADIUS server. Select the server from the list.
  - User Directories - Select one or more places where the Security Gateway searches to find users when they try to authenticate.
    - Internal users - The directory of internal users.
    - LDAP users - The directory of LDAP users. Either:
      Any - Users from all LDAP servers.
      Specific - Users from an LDAP server that you select.
    - External user profiles - The directory of users who have external user profiles.
  The default is that all user directory options are selected. You might choose only one or two options if users are only from a specified directory or directories and you want to maximize Security Gateway performance when users authenticate. Users with identical user names must log in with domain\user.
- Session details
- Identity Agent Upgrades

Identity Agent Access

Click Edit to select from where the Identity Agent can be accessed. The options are based on the topology configured for the Security Gateway.

Users can communicate with the servers if they use networks connected to these interfaces.

Through all interfaces
Through internal interfaces
- Including undefined internal interfaces
- Including DMZ internal interfaces
- Including VPN encrypted interfaces
According to the Firewall Policy - the Identity Agent is accessible through interfaces associated with source networks that appear in access rules used in the Firewall Policy.

Session

Configure data for the logged in session using the Identity Agent.

Agents send keepalive every X minutes - The interval, at which the Identity Agent sends a keepalive signal to the Security Gateway. The keepalive is used as the server assumes the user logged out if it is not sent. Lower values affect bandwidth and network performance.
Users should re-authenticate every XXX minutes - For how long can users access network resources before they have to authenticate again. When using SSO, this is irrelevant.
Allow user to save password - When SSO is not enabled, you can let users save the passwords they enter in the Identity Agent login window.

Identity Agent Upgrades

Configure data for Identity Agent upgrades.

Check agent upgrades for - You can select all users or select specific user groups that should be checked for Identity Agent upgrades.
Upgrade only non-compatible versions - the system will only upgrade versions that are no longer compatible.
Keep agent settings after upgrade - settings made by users before the upgrade are saved.
Upgrade agents silently (without user intervention) - the Identity Agent is automatically updated in the background without asking the user for upgrade confirmation.

Note - When you install or upgrade the Full Identity Agent version, the user will experience a momentary loss of connectivity.

Troubleshooting Authentication Issues

Some users cannot authenticate with the Identity Agent

This issue can occur in Kerberos environments with a very large Domain Controller database. The authentication failure occurs when the CCC message size is larger than the default maximum size. You can increase the maximum CCC message size to prevent this error.

To increase the maximum CCC message size, use the procedure in sk66087.

Transparent Portal Authentication fails for some users

This issue can occur for users that try to authenticate with Kerberos authentication with the transparent portal. The user sees a 400 Bad Request page with this message:

Your browser sent a request that this server could not understand.

Size of a request header field exceeds server limit.

The authentication failure occurs because the HTTP request header is larger than the default maximum size. You increase the maximum HTTP request header to prevent this error.

To increase the maximum HTTP request header size, use the procedure in sk92802.