Print Download PDF Send Feedback

Previous

Next

Adding Users to the Policy

In This Section:

Using Identity Awareness

Using User Directory

To Learn More About Adding Users to the Policy

Using Identity Awareness

The Identity Awareness Software Blade lets you configure the Security Gateways to enforce access control for individual users and groups. You can use Identity Sources to get information about users and groups to add flexibility and security for the Rule Base. Identity Awareness lets you create rules in the Access Control and Threat Prevention Rule Bases.

For more about using Identity Awareness, see the R80.20 Identity Awareness Administration Guide.

Identity Sources

After the Security Gateway acquires the identity of a user, user-based rules can be enforced on the network traffic. Identity Awareness can use these sources to identify users:

Browser-Based Authentication

Browser-Based Authentication uses the Internet browser to identify users. You can use these Browser-Based Authentication solutions:

Captive Portal uses a web interface to authenticate users before they can access network resources. When users try to access a protected resource, they must log in to a web page to continue.

When Transparent Kerberos Authentication is enabled, the Transparent Authentication page tries to authenticate users before the Captive Portal web page opens. The Transparent Authentication page communicates with the AD to use the Kerberos protocol to authenticate the users. If the users are successfully authenticated, then they can access the network resources. If they are not authenticated, then they are redirected to the Captive Portal.

AD Query

The Security Gateway registers to receive security event logs from the AD domain controllers when the security policy is installed. When a user authenticates with AD credentials, these event logs are generated and are sent to the Security Gateway. The gateway identifies the user based on the AD security event log, and enforces the appropriate Identity Awareness rule to the traffic that this user sends.

Enabling Identity Awareness

There is an Identity Awareness configuration wizard in SmartConsole that helps you enable and configure the Identity Awareness Software Blade. You can use the configuration wizard on these identity sources:

Using the Identity Awareness Configuration Wizard

Use the Identity Awareness Configuration wizard to configure how the Security Gateway gets information about users and computers. The wizard automatically creates an Account Unit.

This is an example of how to configure the AD query and browser-based methods for Identity Awareness.

To use the Identity Awareness configuration wizard:

  1. In SmartConsole, go to the Gateways & Servers page and double-click the Security Gateway object.

    The gateway properties window opens.

  2. From the navigation tree, click General Properties.
  3. From the Network Security tab, select Identity Awareness.

    The Identity Awareness Configuration wizard opens.

  4. Select AD Query and Browser-Based Authentication and then click Next.

    The Integration With Active Directory window opens.

  5. Select the AD domain and enter the Username and the Password.

    Make sure that the AD account has domain administrator privileges. Alternatively, you can let non-administrators make AD connections.

    Note - you can also select Create new domain and configure a new AD (Active Directory) Account Unit object.

  6. Click Connect.

    The message about user credentials shows.

  7. Click Next.

    The Browser-Based Authentication Settings window opens.

  8. Enter the URL for the Captive Portal and then click Next.

    The Identity Awareness is Now Active window opens.

  9. Click Finish.
  10. Install the policy.

Identity Awareness and Remote Access

Identity Awareness for Mobile Access and IPsec VPN clients works in Office Mode for Security Gateways. The Remote Access option is included as an identity source when you enable Identity Awareness.

To enable or disable Remote Access for Identity Awareness:

  1. In SmartConsole, go to the Gateways & Servers page and double-click the Security Gateway object.

    The gateway properties window opens.

  2. From the navigation tree, click Identity Awareness.
  3. Select or clear Remote Access.
  4. Click OK.
  5. Install the policy.

Creating Access Roles

After you enable Identity Awareness, you create Access Role objects.

You can use Access Role objects as source and/or destination parameter in a rule. Access Role objects can include one or more of these objects:

To create an Access Role object:

  1. In SmartConsole, open the Object Explorer (Ctrl+E).
  2. Click New > Users > Access Role.

    The New Access Role window opens.

  3. Enter a Name and Comment (optional).
  4. On the Networks page, select one of these:
    • Any network
    • Specific networks - Click the plus [+] sign and select a network > click the plus [+] sign next to the network name, or search for a known network
  5. On the Users page, select one of these:
    • Any user
    • All identified users - Includes users identified by a supported authentication method.
    • Specific users/groups - Click the plus [+] sign and select a user > click the plus [+] sign next to the username, or search for a known user or user group.
  6. On the Machines page, select one of these:
    • Any machine
    • All identified machines - Includes computers identified by a supported authentication method
    • Specific machines/groups - Click the plus [+] sign and select a device > click the plus [+] sign next to the device name, or search for a known device or group of devices

    For computers that use Full Identity Agents, you can select (optional) Enforce IP Spoofing protection.

  7. On the Remote Access Clients page, select one of these:
    • Any Client
    • Specific Client - Select the existing allowed client, or create a new allowed client.

    Note - For Identity Awareness Gateways R77.xx or lower, you must select Any Client.

  8. Click OK.

Using Identity Awareness in the Access Control Policy

The Identity Awareness Software Blade lets you configure your Access Control Policy to allow connections for users regardless of what computer they are using. Use Access Role objects in the Source column of a rule, and Identity Awareness Software Blade will identify users based on those objects. You can also configure the Accept action to redirect traffic from an unidentified user to a Captive Portal.

Sample gateway workflow with Identity Awareness

The gateway inspects traffic that starts from a source that matches the Access Role object and tries to identify the user.

Adding an Access Role to a Rule

You can add rules with Access Role objects as the Source or Destination to the Access Control policy for Security Gateways that have the Identity Awareness Software Blade enabled.

Note - Rules that use Access Role objects cannot be enforced on Security Gateways that do not have Identity Awareness enabled.

To add an Access Role object to a rule:

  1. Select a policy from the Access Control > Policy tree.
  2. Click the plus sign in the Source or the Destination cell of a rule.
  3. In the window that opens, click the Filter button and select Categories > Users > Access Roles.
  4. Click the plus sign for every Access Role object you want to add.
  5. Install the policy.

Redirecting to a Captive Portal

You can configure rules that use Access Role objects and the Accept action with the Action Settings option, to redirect HTTP traffic to a Captive Portal. The rule allows traffic when the users that match the source Access Role object are identified. If the Enable Identity Captive Portal option is enabled, the gateway identifies users this way:

  1. The Identity Awareness source identifies the user
  2. The user authenticates at the Captive Portal

Rules can redirect HTTP traffic according to these parameters:

To enable Captive Portal for a rule:

  1. Right-click the Action cell and select More.

    The Action Settings window opens.

  2. Select Enable Identity Captive Portal.
  3. Click OK.

    The Action column shows accept (display captive portal).

  4. Install the policy.

Sample Identity Awareness Rules

This table shows sample Identity Awareness rules for a Firewall Rule Base. (The VPN, Track and Time columns are not shown. Track is set to Log, and VPN and Time are set to Any.)

No.

Name

Source

Destination

Service

Action

1

CEO allow

John_Smith_
CEO

Any

Any

Accept
Display Captive Portal

2

HR server allow

HR_Partners

HR_Server

Any

Accept
Display Captive Portal

3

Drop non-identified HR traffic

Any

HR_Server

Any

Drop

4

Internet access

Guests
All_Domain_
Users

Internet_proxy

HTTP and HTTPS proxy

Accept
Display Captive Portal

  1. CEO allow - Allows the CEO, John Smith, to access all the network resources. The CEO is identified by Identity Awareness AD Query or he authenticates to the Captive Portal.
  2. HR server allow - Allows users that are defined in the HR_Partners Access Role object to access the HR_Server subnet. The HR users are identified by Identity Awareness AD Query or they authenticate to the Captive Portal.
  3. Drop non-identified HR traffic - Drops all traffic to the HR_Server subnet. All authenticated users were allowed by the earlier rules.
  4. Internet access - Allows HTTP and HTTPS traffic from the Guests and All_Domain_Users Access Role objects to the Internet. Domain users are identified by Identity Awareness or they authenticate to the Captive Portal. Guests authenticate to the Captive Portal.