
Identity Agents

Identity Agents are dedicated client agents that are installed on user endpoint computers. They acquire identities and report them to the Identity Awareness Gateway. The administrator, not the end user, configures these Identity Agents.

There are three types of Identity Agents - Full, Light and Custom:

Full
    Predefined Identity Agent that includes packet tagging and computer authentication.
    It applies to all users on the computer on which it is installed.
    Administrator permissions are required to use the Full Identity Agent type. For the Full Identity Agent, you can enforce IP spoofing protection. You can also leverage computer authentication if you define computers in Access Roles.

Light
    Predefined Identity Agent that does not include packet tagging or computer authentication.
    You can install this Identity Agent individually for each user on the target computer.
    Administrator permissions are not required to use the Light Identity Agent type.

Custom
    A customized installation package. You configure custom features, such as MAD services and packet tagging, for all computers that use this Identity Agent.

Note - Make sure to use the correct Identity Agent for your environment.

This table shows the similarities and differences of the Light and Full Identity Agent types.

                              Identity Agent Light      Identity Agent Full
  Installation Elements
    Identity Agent format     Resident application      Resident application + service + driver
    Installation permissions  None                      Administrator
    Upgrade permissions       None                      None
  Security Features
    User identification       SSO                       SSO
    Computer identification   No                        Yes
    IP change detection       Yes                       Yes
    Packet tagging            No                        Yes

The installation file size is 7 MB for both types. The installation takes less than a minute.

The Capabilities of Identity Agents

Using Identity Agents gives you:

User identification
    Users that log in to the Active Directory domain are transparently authenticated (with SSO) and identified when using an Identity Agent.
    If you do not configure SSO, or you disable it, the Identity Agent uses username and password authentication against a standard LDAP server, and the system opens a window for entering credentials.

Computer identification
    You get computer identification when you use the Full Identity Agent, because it installs a service.

Seamless connectivity
    Transparent authentication using Kerberos Single Sign-On (SSO) when users are logged in to the domain.
    Users who do not want to use SSO enter their credentials manually. You can let users save these credentials.

IP change detection
    When an endpoint IP address changes (interface roaming, or DHCP assigns a new IP address), the Identity Agent automatically detects the change and reconnects.

Added security
    You can use the patented packet tagging technology to prevent IP spoofing.
    Packet tagging is available only for the Full Identity Agent, because it requires installation of a driver.
    The Identity Agent also gives you strong (Kerberos-based) user and computer authentication.

Packet tagging
    A technology that prevents IP spoofing. It is available only for the Full Identity Agent, as it requires installing a driver.

Packet Tagging for Anti-Spoofing

IP spoofing happens when an unauthorized user assigns the IP address of an authenticated user to an endpoint computer, and thereby bypasses identity-based access enforcement rules. It is also possible to poison ARP tables, which lets a user run an ARP "man-in-the-middle" attack that keeps the spoofed connectivity status continuously.

To protect packets from IP spoofing attempts, you can enable Packet Tagging. Packet Tagging is a patent pending technology that prevents spoofed connections from passing through the Identity Awareness Gateway. It works through a joint effort between the Identity Agent and the Identity Awareness Gateway, which use a unique technology to sign packets with a shared key.
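
As an added example, not code from the Check Point product, the following Python model shows the defender-side logic the text describes: the agent tags each packet under a key shared with the gateway, the gateway verifies the tag against the key bound to the packet's source IP, and a packet that carries an authenticated user's IP without a valid tag is dropped. The tag construction (truncated HMAC-SHA256 over addresses and payload), the key-exchange bookkeeping after an IP change, and all addresses and keys are assumptions of the model.

```python
import hashlib, hmac
from dataclasses import dataclass
# Illustrative model only, not Check Point's patented scheme: the agent tags each packet
# under a key shared with the gateway; the gateway accepts the packet only if the tag
# verifies under the key bound to its source IP. TAG_LEN (truncated HMAC) is assumed.
TAG_LEN = 16

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    payload: bytes
    tag: "bytes | None" = None  # None: sent by a host with no Identity Agent

def compute_tag(key: bytes, pkt: Packet) -> bytes:
    # Bind the tag to both addresses so it cannot be replayed onto another flow.
    msg = f"{pkt.src_ip}|{pkt.dst_ip}|".encode() + pkt.payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def agent_send(key: bytes, src_ip: str, dst_ip: str, payload: bytes) -> Packet:
    # Full Identity Agent side: every outgoing packet leaves with a tag.
    return Packet(src_ip, dst_ip, payload, compute_tag(key, Packet(src_ip, dst_ip, payload)))

class Gateway:
    """Identity Awareness Gateway side: keys from the key exchange, indexed by agent IP."""
    def __init__(self) -> None:
        self.keys: dict = {}
    def key_exchange(self, ip: str, key: bytes) -> None:
        # Re-run by the agent after an IP change, so the stale address loses its key.
        self.keys = {k: v for k, v in self.keys.items() if v != key}
        self.keys[ip] = key
    def inspect(self, pkt: Packet) -> str:
        key = self.keys.get(pkt.src_ip)
        if key is None:
            return "drop: no key exchanged for source IP"
        if pkt.tag is None:
            return "drop: untagged packet claims a tagged identity"
        if not hmac.compare_digest(compute_tag(key, pkt), pkt.tag):
            return "drop: tag mismatch, possible IP spoofing"
        return "accept"

def demo() -> dict:
    gw, key = Gateway(), b"constructed-sample-key-32-bytes!"  # constructed sample key
    gw.key_exchange("10.1.1.5", key)
    res = {"tagged": gw.inspect(agent_send(key, "10.1.1.5", "10.2.0.10", b"GET /")),
           "untagged": gw.inspect(Packet("10.1.1.5", "10.2.0.10", b"GET /")),
           "bad_tag": gw.inspect(Packet("10.1.1.5", "10.2.0.10", b"GET /", bytes(TAG_LEN)))}
    gw.key_exchange("10.1.1.9", key)  # agent detected an IP change and reconnected
    res["roamed"] = gw.inspect(agent_send(key, "10.1.1.9", "10.2.0.10", b"GET /"))
    res["stale_ip"] = gw.inspect(agent_send(key, "10.1.1.5", "10.2.0.10", b"GET /"))
    return res
```

The "untagged" and "bad_tag" cases are the spoofing scenario from the text: the same authenticated IP, but no valid tag, so the gateway drops the packet; "stale_ip" shows why the gateway must be told about an IP change.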

To see Packet Tagging logs in SmartConsole:

  1. From the Navigation Toolbar, click Logs & Monitor.
  2. At the top, click the Logs tab.
  3. In the Query field, enter:

    blade:"Identity Awareness"

    You can also click Queries > Predefined > Access > Identity Awareness Blade > All.

The Successful status indicates that a successful key exchange happened.

Note - Packet Tagging can only be set on computers installed with the Full Identity Agent.

To enable IP Spoofing protection:

  1. Make sure users have the Full Identity Agent installed.
  2. Create an Access Role.
  3. In the Machines tab, select Enforce IP spoofing protection (requires full Identity Agent).
  4. Click OK.

Downloading Identity Agent

Users download the Identity Agent from the Captive Portal and then authenticate to the Identity Awareness Gateway.

Figure legend (the diagram itself is not reproduced here):

  1. User that is trying to connect to the internal network
  2. Identity Awareness Gateway
  3. Active Directory domain controller
  4. Internal network

This is a high-level overview of the Identity Awareness authentication process:

  1. A user logs in to a computer with credentials, and tries to access the Internal Data Center.
  2. The Identity Awareness Gateway does not recognize the user and redirects the user to the Captive Portal.
  3. The user sees the Captive Portal page, with a link to download the Identity Agent.
  4. The user downloads the Identity Agent from the Captive Portal and installs it.
  5. The Identity Agent client connects to the Identity Awareness Gateway.

    Note - If SSO with Kerberos is configured, the user is automatically connected.

  6. The user is authenticated.
  7. The Identity Awareness Gateway sends the connection to its destination according to the Firewall Rule Base.