The Identity Awareness Software Blade lets you configure the Security Gateways to enforce access control for individual users and groups. You can use Identity Sources to get information about users and groups to add flexibility and security for the Rule Base. Identity Awareness lets you create rules in the Access Control and Threat Prevention Rule Bases.
For more about using Identity Awareness, see the R80.20 Identity Awareness Administration Guide.
After the Security Gateway acquires the identity of a user, user-based rules can be enforced on the network traffic. Identity Awareness can use these sources to identify users:
The Identity Collector can connect to more than one Identity Source at a time. The Identity Sources are organized in Query Pools. The Identity Collector sends the Identity Server (the Security Gateway with Identity Awareness enabled) the identity information from the Identity Sources selected in the Query Pool assigned to that gateway.
If more than one Security Gateway enabled with Identity Awareness shares identities with the others and has Office Mode configured, each gateway must be configured with a different Office Mode range. Shared identities are associated with the client IP address, so overlapping ranges would let an Office Mode address handed out by one gateway be matched to a user who logged in through another.
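As an added example that is not part of the guide, the following script checks a set of Office Mode pools for the overlap the previous paragraph warns about. The gateway names and address ranges are constructed for illustration; the third pool is deliberately placed inside the first to show the misconfiguration.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed Office Mode pools for three gateways that share identities with each other.
# gw-dr's pool is deliberately inside gw-hq's pool to show the misconfiguration.
OFFICE_MODE_POOLS: Dict[str, List[str]] = {
    "gw-hq": ["172.16.10.0/24"],
    "gw-branch": ["172.16.20.0/24"],
    "gw-dr": ["172.16.10.128/25"],
}


def find_office_mode_overlaps(pools: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return every pair of Office Mode pools on different gateways that overlap.

    Shared identities are looked up by client IP, so two gateways that can hand out
    the same address would make one user's identity apply to another user's traffic.
    """
    nets = [(gw, ipaddress.ip_network(cidr, strict=True))
            for gw, cidrs in pools.items() for cidr in cidrs]
    return [(gw_a, str(net_a), gw_b, str(net_b))
            for (gw_a, net_a), (gw_b, net_b) in combinations(nets, 2)
            if gw_a != gw_b and net_a.overlaps(net_b)]


if __name__ == "__main__":
    for gw_a, net_a, gw_b, net_b in find_office_mode_overlaps(OFFICE_MODE_POOLS):
        print(f"conflict: {gw_a} {net_a} overlaps {gw_b} {net_b}")
```

Run it against the pools you configured on each gateway before enabling identity sharing; an empty result means every address can belong to only one gateway.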
Browser-Based Authentication uses the Internet browser to identify users. You can use these Browser-Based Authentication solutions:
Captive Portal uses a web interface to authenticate users before they can access network resources. When users try to access a protected resource, they must log in to a web page to continue.
When Transparent Kerberos Authentication is enabled, the Transparent Authentication page tries to authenticate users before the Captive Portal web page opens. The Transparent Authentication page communicates with the AD to use the Kerberos protocol to authenticate the users. If the users are successfully authenticated, then they can access the network resources. If they are not authenticated, then they are redirected to the Captive Portal.
The Security Gateway registers to receive security event logs from the AD domain controllers when the security policy is installed. When a user authenticates with AD credentials, these event logs are generated and delivered to the Security Gateway. The gateway identifies the user based on the AD security event log and enforces the appropriate Identity Awareness rule on the traffic that this user sends.
There is an Identity Awareness configuration wizard in SmartConsole that helps you enable and configure the Identity Awareness Software Blade. You can use the configuration wizard on these identity sources:
Use the Identity Awareness Configuration wizard to configure how the Security Gateway gets information about users and computers. The wizard automatically creates an Account Unit.
This is an example of how to configure the AD query and browser-based methods for Identity Awareness.
To use the Identity Awareness configuration wizard:
The gateway properties window opens.
The Identity Awareness Configuration wizard opens.
The Integration With Active Directory window opens.
Make sure that the AD account has domain administrator privileges, or configure a non-administrator account with only the permissions AD Query needs (see the R80.20 Identity Awareness Administration Guide). A dedicated least-privileged account is preferable, because a domain administrator credential held by the Security Gateway is a high-value target if it is ever exposed.
Note - you can also select Create new domain and configure a new AD (Active Directory) Account Unit object.
A message about the user credentials shows.
The Browser-Based Authentication Settings window opens.
The Identity Awareness is Now Active window opens.
Identity Awareness for Mobile Access and IPsec VPN clients works in Office Mode for Security Gateways. The Remote Access option is included as an identity source when you enable Identity Awareness.
To enable or disable Remote Access for Identity Awareness:
The gateway properties window opens.
After you enable Identity Awareness, you create Access Role objects.
You can use Access Role objects as source and/or destination parameter in a rule. Access Role objects can include one or more of these objects:
To create an Access Role object:
The New Access Role window opens.
For computers that use Full Identity Agents, you can optionally select Enforce IP Spoofing protection.
Note - For Identity Awareness Gateways R77.xx or lower, you must select Any Client.
The Identity Awareness Software Blade lets you configure your Access Control Policy to allow connections for users regardless of the computer they use. Use Access Role objects in the Source column of a rule, and the Identity Awareness Software Blade identifies users based on those objects. You can also configure the Accept action to redirect traffic from an unidentified user to a Captive Portal.
Sample gateway workflow with Identity Awareness
The gateway inspects traffic that starts from a source that matches the Access Role object and tries to identify the user.
You can add rules with Access Role objects as the Source or Destination to the Access Control policy for Security Gateways that have the Identity Awareness Software Blade enabled.
Note - Rules that use Access Role objects cannot be enforced on Security Gateways that do not have Identity Awareness enabled.
To add an Access Role object to a rule:
You can configure rules that use Access Role objects and the Accept action with the Action Settings option, to redirect HTTP traffic to a Captive Portal. The rule allows traffic when the users that match the source Access Role object are identified. If the Enable Identity Captive Portal option is enabled, the gateway identifies users this way:
Rules can redirect HTTP traffic according to these parameters:
To enable Captive Portal for a rule:
The Action Settings window opens.
The Action column shows accept (display captive portal).
This table shows sample Identity Awareness rules for a Firewall Rule Base. (The VPN, Track and Time columns are not shown. Track is set to Log, and VPN and Time are set to Any.) The order of the rules matters: traffic from a user identified as a member of HR_Partners matches rule 2 and is accepted, while traffic to HR_Server from a source that is not identified, or not in that Access Role, does not match rule 2 and is dropped by rule 3.

| No. | Name | Source | Destination | Service | Action |
|---|---|---|---|---|---|
| 1 | CEO allow | John_Smith_ | Any | Any | Accept |
| 2 | HR server allow | HR_Partners | HR_Server | Any | Accept |
| 3 | Drop non-identified HR traffic | Any | HR_Server | Any | Drop |
| 4 | Internet access | Guests | Internet_proxy | HTTP and HTTPS proxy | Accept |
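As an added example that is not part of the guide and not Check Point's implementation, here is a toy Python model of the two mechanisms this section describes: AD Query building a user-to-IP map from Security event log records, and first-match evaluation of the sample Rule Base above with Access Role sources, including the accept (display captive portal) action for an unidentified HTTP source. The event IDs, the key=value log format, host addresses, group membership, the 12-hour session timeout and the rule 4 Captive Portal setting are all assumptions made for this example.

```python
"""Toy model (added example, not Check Point code) of AD Query identity
acquisition and Access Role rule matching for the sample Rule Base."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Assumption: these Security log event IDs are treated as successful logons.
LOGON_EVENT_IDS = {"4624", "4768", "4769"}

# Constructed Security event log records in a simplified key=value form.
SAMPLE_EVENTS = [
    "2019-03-01T08:00:05 EventID=4624 TargetUserName=jsmith TargetDomainName=CORP IpAddress=10.1.1.20 LogonType=2",
    "2019-03-01T08:00:07 EventID=4768 TargetUserName=hr.partner TargetDomainName=CORP IpAddress=10.1.2.30",
    "2019-03-01T08:00:10 EventID=4624 TargetUserName=DC01$ TargetDomainName=CORP IpAddress=10.1.0.5 LogonType=3",
    "2019-03-01T08:01:00 EventID=4625 TargetUserName=guest TargetDomainName=CORP IpAddress=10.1.3.40",
]
EVENT_RE = re.compile(
    r"(\S+)\s+EventID=(\d+)\s+TargetUserName=(\S+)\s+TargetDomainName=(\S+)\s+IpAddress=(\S+)"
)

NOW = datetime(2019, 3, 1, 8, 5, 0)
LATER = NOW + timedelta(hours=13)   # past the constructed 12-hour session timeout


@dataclass
class Identity:
    user: str
    domain: str
    seen: datetime


class IdentityStore:
    """IP -> identity map built from logon events, as AD Query associates users with addresses."""

    def __init__(self, session_timeout: timedelta = timedelta(hours=12)):
        self.timeout = session_timeout
        self.by_ip: Dict[str, Identity] = {}

    def ingest(self, line: str) -> Optional[Identity]:
        m = EVENT_RE.match(line)
        if not m:
            return None
        ts, event_id, user, domain, ip = m.groups()
        if event_id not in LOGON_EVENT_IDS:   # e.g. 4625 failed logon carries no identity
            return None
        if user.endswith("$"):                # machine account; this toy model tracks users only
            return None
        ident = Identity(user.lower(), domain.upper(), datetime.fromisoformat(ts))
        self.by_ip[ip] = ident                # newest logon on an address replaces the old one
        return ident

    def lookup(self, ip: str, now: datetime) -> Optional[Identity]:
        ident = self.by_ip.get(ip)
        if ident is None or now - ident.seen > self.timeout:
            return None                       # unknown or expired: the source is unidentified
        return ident


# Constructed objects standing in for the Access Roles, hosts and services in the table.
ACCESS_ROLES = {"John_Smith_": {"jsmith"}, "HR_Partners": {"hr.partner"}, "Guests": {"visitor1"}}
HOSTS = {"HR_Server": "10.1.10.10", "Internet_proxy": "10.1.10.20"}
SERVICES = {"HTTP and HTTPS proxy": {"http", "https"}}


@dataclass
class Rule:
    number: int
    name: str
    source: str        # Access Role name or "Any"
    destination: str   # host object name or "Any"
    service: str       # service object name or "Any"
    action: str
    captive_portal: bool = False


RULE_BASE = [
    Rule(1, "CEO allow", "John_Smith_", "Any", "Any", "Accept"),
    Rule(2, "HR server allow", "HR_Partners", "HR_Server", "Any", "Accept"),
    Rule(3, "Drop non-identified HR traffic", "Any", "HR_Server", "Any", "Drop"),
    Rule(4, "Internet access", "Guests", "Internet_proxy", "HTTP and HTTPS proxy", "Accept",
         captive_portal=True),
]


def decide(store: IdentityStore, src_ip: str, dst_ip: str, service: str,
           now: datetime) -> Tuple[Optional[int], str]:
    """First-match evaluation of RULE_BASE; returns (rule number, action)."""
    ident = store.lookup(src_ip, now)
    for r in RULE_BASE:
        if r.destination != "Any" and HOSTS[r.destination] != dst_ip:
            continue
        if r.service != "Any" and service not in SERVICES[r.service]:
            continue
        if r.source == "Any":
            return r.number, r.action
        if ident is not None and ident.user in ACCESS_ROLES[r.source]:
            return r.number, r.action
        # An Access Role never matches an unidentified source. With Captive Portal enabled
        # on the rule, HTTP from such a source is redirected so the user can log in.
        if ident is None and r.captive_portal and service == "http":
            return r.number, "Accept (display captive portal)"
    return None, "Drop (implicit cleanup)"


def build_store() -> IdentityStore:
    store = IdentityStore()
    for line in SAMPLE_EVENTS:
        store.ingest(line)
    return store


if __name__ == "__main__":
    store = build_store()
    for src, dst, svc in [("10.1.1.20", "10.1.10.10", "smb"), ("10.1.2.30", "10.1.10.10", "smb"),
                          ("10.1.3.40", "10.1.10.10", "smb"), ("10.1.3.40", "10.1.10.20", "http")]:
        print(src, "->", dst, svc, decide(store, src, dst, svc, NOW))
```

Two behaviours worth noting in the model: the failed logon (4625) and the expired session both leave the source unidentified, so its traffic to HR_Server falls through rule 2 and is dropped by rule 3; and an unidentified guest only reaches the Captive Portal over HTTP, any other service from that source falls off the end of the Rule Base.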