When you enable Identity Awareness Software Blade on a Security Gateway, an Identity Awareness Configuration wizard opens. You can use the wizard to configure one Security Gateway that uses the AD Query, Browser-Based Authentication, and Terminal Servers for acquiring identities. You cannot use the wizard to configure an environment with multiple Security Gateways, or to configure Identity Agent and Remote Access acquisition (other methods for acquiring identities).
When you complete the wizard and install an Access Policy, the system is ready to monitor Identity Awareness. You can see the logs for user and computer identity in the SmartConsole Logs & Monitor > Logs tab. To see these events, use the Columns Profile named Access Control.
To enable Identity Awareness Software Blade on a Security Gateway:
The Identity Awareness Configuration wizard opens.
Notes:
When the SmartConsole client computer is part of the AD domain, SmartConsole suggests this domain automatically. If you select this domain, the system creates an LDAP Account Unit with all of the domain controllers in the organization's Active Directory.
Best Practice - We highly recommend that you go to the LDAP Account Unit and make sure that only necessary domain controllers are in the list. If AD Query is not required to operate with some of the domain controllers, delete them from the LDAP Servers list.
With the Identity Awareness configuration wizard, you can use existing LDAP Account units or create a new one for one AD domain.
If the SmartConsole computer is part of the domain, the Wizard fetches all the domain controllers of the domain and all of the domain controllers are configured.
If you create a new domain, and the SmartConsole computer is not part of the domain, the LDAP Account Unit that the system creates contains only the domain controller you set manually. If it is necessary for AD Query to fetch data from other domain controllers, you must add them later manually to the LDAP Servers list after you complete the wizard.
To view/edit the LDAP Account Unit object, open Object Explorer (Ctrl + E), and select Servers > LDAP Account units in the Categories tree.
The LDAP Account Unit name syntax is: <domain name>__AD
For example: CORP.ACME.COM__AD
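To make the naming convention and the Best Practice above checkable, here is an added Python example (not Check Point's own code or API) that audits a constructed description of an LDAP Account Unit: the object name must follow <domain name>__AD, any domain controller that AD Query does not need is reported as a candidate for deletion, and required domain controllers missing from the LDAP Servers list (the case where the SmartConsole computer is not a domain member) are reported so you can add them manually after the wizard. The LdapAccountUnit structure and all hostnames are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Name convention the wizard uses for the account unit it creates: <domain name>__AD
ACCOUNT_UNIT_NAME_RE = re.compile(r"^(?P<domain>[A-Za-z0-9][A-Za-z0-9.-]*)__AD$")


@dataclass
class LdapAccountUnit:
    """Constructed, simplified view of an LDAP Account Unit: name plus LDAP Servers list."""
    name: str
    ldap_servers: list = field(default_factory=list)


def check_account_unit(unit: LdapAccountUnit, required_dcs) -> dict:
    """Audit one account unit against the domain controllers AD Query actually needs.

    name_ok  - the object name follows <domain name>__AD
    domain   - the domain parsed from the name (None if the convention is not followed)
    extra    - configured domain controllers AD Query does not need (delete from LDAP Servers)
    missing  - required domain controllers absent from the list (add manually after the wizard)
    """
    match = ACCOUNT_UNIT_NAME_RE.match(unit.name)
    configured = {host.lower() for host in unit.ldap_servers}
    required = {host.lower() for host in required_dcs}
    return {
        "name_ok": match is not None,
        "domain": match.group("domain") if match else None,
        "extra": sorted(configured - required),
        "missing": sorted(required - configured),
    }


if __name__ == "__main__":
    # Constructed: SmartConsole was a domain member, so the wizard fetched every DC.
    fetched_all = LdapAccountUnit(
        "CORP.ACME.COM__AD",
        ["dc1.corp.acme.com", "dc2.corp.acme.com", "dc-branch.corp.acme.com"],
    )
    # Constructed: SmartConsole was not a domain member, so only the manual DC is present.
    manual_only = LdapAccountUnit("CORP.ACME.COM__AD", ["dc1.corp.acme.com"])
    needed = {"dc1.corp.acme.com", "dc2.corp.acme.com"}
    for unit in (fetched_all, manual_only):
        print(unit.name, check_account_unit(unit, needed))
```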
If you selected Browser-Based Authentication on the Methods For Acquiring Identity page, the Browser-Based Authentication Settings page opens.
The list shows all IP addresses configured for the Security Gateway. The IP address selected by default is the Security Gateway main IP address. The same IP address can be used for other portals with different paths. For example:
By default, access to the portal is only through internal interfaces. To change this, click Edit. On a perimeter Security Gateway, we recommend that the Captive Portal remain accessible only through internal interfaces.
The Identity Awareness is Now Active page opens with a summary of the acquisition methods.
If you selected Terminal Servers, the page includes a link to download the agent.
After you enable Identity Awareness, you create Access Role objects.
You can use Access Role objects as the source and/or destination parameter in a rule. Access Role objects can include one or more of these objects:
To create an Access Role object:
The New Access Role window opens.
For computers that use Full Identity Agents, you can optionally select Enforce IP Spoofing protection.
Note - For Identity Awareness Gateways R77.xx or lower, you must select Any Client.
Identity Tags let you include external identifiers (such as Cisco® Security Group Tags, or any other groups provided by any Identity Source) in Access Role matching. These external identifiers act like a tag that can be assigned to a certain user, machine or group.
To use Identity Tags in Access Role matching:
Note - If you enter the External Identifier first, the Identity Tag object gets the same name.
Note - The External Identifier must be a unique name.