Identity Agents

Identity Agents are dedicated client agents that are installed on user endpoint computers. These Identity Agents acquire and report identities to the Identity Awareness Gateway. As the administrator, you, not the users, configure these Identity Agents.

There are three types of Identity Agents - Full, Light and Custom:

Identity Agent	Description
Full	Predefined Identity Agent that includes packet tagging and computer authentication. It applies to all users on the computer, on which it is installed. Administrator permissions are required to use the Full Identity Agent type. For the Full Identity Agent, you can enforce IP spoofing protection. You can also leverage computer authentication, if you define computers in Access Roles.
Light	Predefined Identity Agent that does not include packet tagging and computer authentication. You can install this Identity Agent individually for each user on the target computer. Administrator permissions are not required to use the Light Identity Agent type.
Custom	Configure custom features for all computers that use this Identity Agent, such as MAD services and packet tagging. The Custom Identity Agent is a customized installation package.

Note - Make sure to use the correct Identity Agent for your environment.

This table shows the similarities and differences of the Light and Full Identity Agent types.

		Identity Agent Light		Identity Agent Full
Installation Elements	Identity Agent format		Resident application		Resident application + service + driver
	Installation permissions		None		administrator
	Upgrade permissions		None		None
Security Features	User identification		SSO		SSO
	Computer identification		No		Yes
	IP change detection		Yes		Yes
	Packet tagging		No		Yes

The installation file size is 7MB for both types. The installation takes less than a minute.

The Capabilities of Identity Agents

Using Identity Agents gives you:

Item	Description
User identification	Users that log in to the Active Directory domain are transparently authenticated (with SSO) and identified when using an Identity Agent. If you do not configure SSO, or you disable it, the Identity Agent uses username and password authentication with a standard LDAP server. The system opens a window for entering credentials.
Computer identification	You get computer identification when you use the Full Identity Agent, as it requires installing a service.
Seamless connectivity	Transparent authentication using Kerberos Single Sign-On (SSO), when users are logged in to the domain. Users, who do not want to use SSO, enter their credentials manually. You can let users save these credentials.
IP change detection	When an endpoint IP address changes (interface roaming, or DHCP assigns a new IP address), the Identity Agent automatically detects the change and reconnects.
Added security	You can use the patented packet tagging technology to prevent IP Spoofing. Packet tagging is available for the Full Identity Agent, because it requires installation of a driver. Identity Agent also gives you strong (Kerberos-based) user and computer authentication.
Packet tagging	A technology that prevents IP spoofing is available only for the Full Identity Agent, as it requires installing a driver.

Packet Tagging for Anti-Spoofing

IP Spoofing happens when an unauthorized user assigns an IP address of an authenticated user to an endpoint computer. By doing so, the user bypasses identity access enforcement rules. It is also possible to poison ARP tables that let users do ARP "man-in-the-middle attacks" that keep a continuous spoofed connectivity status.

To protect packets from IP spoofing attempts, you can enable Packet Tagging. Packet Tagging is a patent pending technology that prevents spoofed connections from passing through the Identity Awareness Gateway. This is done by a joint effort between the Identity Agent and the Identity Awareness Gateway that uses a unique technology that sign packets with a shared key.

To see Packet Tagging logs in SmartConsole:

1. From the Navigation Toolbar, click Logs & Monitor.
2. At the top, click the Logs tab.
3. In the Query field, enter:

   blade:"Identity Awareness"

   You can also click Queries > Predefined > Access > Identity Awareness Blade > All.

The Successful status indicates that a successful key exchange happened.

Note - Packet Tagging can only be set on computers installed with the Full Identity Agent.

To enable IP Spoofing protection:

1. Make sure users have the Full Identity Agent installed.
2. Create an Access Role.
3. In the Machines tab, select Enforce IP spoofing protection (requires full Identity Agent).
4. Click OK.

Downloading Identity Agent

Users download the Identity Agent from the Captive Portal and then authenticate to the Identity Awareness Gateway.

Item	Description
1	User that is trying to connect to the internal network
2	Identity Awareness Gateway
3	Active Directory domain controller
4	Internal network

This is a high-level overview of the Identity Awareness authentication process:

1. A user logs in to a computer with credentials, and tries to access the Internal Data Center.
2. The Identity Awareness Gateway does not recognize the user and redirects it to the Captive Portal.
3. The user sees the Captive Portal page, with a link to download the Identity Agent.
4. The user downloads the Identity Agent from the Captive Portal and installs it.
5. The Identity Agent client connects to the Identity Awareness Gateway.

   Note - If SSO with Kerberos is configured, the user is automatically connected.

6. The user is authenticated.
7. The Identity Awareness Gateway sends the connection to its destination according to the Firewall Rule Base.