topic Re: Legacy authentication and Identity Awareness Difference in Firewall and Security Management

Legacy authentication and Identity Awareness Difference

Malik1 — Fri, 17 Jul 2020 16:16:12 GMT

Hi Team,

We are using Legacy Authentication ( Client Auth ) in our environment. We have been recommended by TAC to move to Identity Awareness as client auth is an old method.

But I need to ask if there is any real advantage of using identity awareness rather than client auth as its still supported in R80.30 ?

The only limitation is that the Client Auth option is available for layers that only have the firewall blade enabled, so this means it cannot be used with the application control blade.

What limitations of client auth over identity awareness ?

Regards,

Sijeel Malik

Re: Legacy authentication and Identity Awareness Difference

PhoneBoy — Fri, 17 Jul 2020 18:12:18 GMT

Client Auth only allows you to use legacy forms of authentication.
It does not support blades other than firewall or work in policy layers beyond the first layer or with blades other than firewall.
You cannot leverage the additional granularity you get from Access Roles or get pervasive knowledge of acquired identities even in contexts where identity isn’t strictly required.

There may be other limitations present today, or added in the future should you continue to use Client Auth.
Best to migrate away from this legacy feature ASAP.

Re: Legacy authentication and Identity Awareness Difference

John_Fleming — Sat, 18 Jul 2020 11:26:41 GMT

Client auth.

1. causes issues with acceleration (connection templates)

2. all authenticated sessions are blown away during a policy push*

3. all sessions are tied to rule number. Insert a rule above the authentication rule and now everyone's session break.

You can work around #2 with a table.def change however you can't for #3.

IA portal doesn't have any of those issues.

Re: Legacy authentication and Identity Awareness Difference

Malik1 — Sat, 18 Jul 2020 11:58:02 GMT

Thanks ,

But are there any compatibility issues with using client auth in R80 ? As far as I know there aren't any

Re: Legacy authentication and Identity Awareness Difference

PhoneBoy — Sat, 18 Jul 2020 15:27:37 GMT

It is incompatible with certain features as we already described in this thread.
There may be additional incompatibilities now or in future versions because, this being a legacy feature, it gets minimal testing in QA.
Identity Awareness has been available for several major versions now.

My question to you: why the resistance to this change?
Is there something Identity Awareness doesn’t do that Client Auth does?

Re: Legacy authentication and Identity Awareness Difference

Malik1 — Sat, 18 Jul 2020 16:06:25 GMT

Its more of a political thing where we need to explain our client the benefits of migrating to IA .

Re: Legacy authentication and Identity Awareness Difference

John_Fleming — Sat, 18 Jul 2020 17:22:29 GMT

You could edit the legacy client auth html pages to link to the new IA portal and tell users to update urls. Could also do a count down with js that then redirects.

Re: Legacy authentication and Identity Awareness Difference

Sascha_Hasenst1 — Tue, 21 Jul 2020 05:25:40 GMT

Hello,

yes there is one difference I can do with client-Auth but not with identity awareness (as I know). With IA it is not possible to limit the duration of a session.

We are using Client-Auth for maintenance-access for partners. With client auth I can limit the session length to, let's say, 4h. With IA I'm not aware of that option.

Is there a option with IA to limit the session length?

Best regards

Sascha

Re: Legacy authentication and Identity Awareness Difference

Timothy_Hall — Tue, 21 Jul 2020 11:45:09 GMT

You can set the timeout for captive portal authentication here, your users would connect to URL https://198.51.100.7/connect in this example, and you would also need to make the captive portal accessible from external interfaces under the Edit button for Access Settings...Accessibility:

Re: Legacy authentication and Identity Awareness Difference

Sascha_Hasenst1 — Tue, 21 Jul 2020 11:51:40 GMT

That could be a solution, but with client auth I could adjust the timeout per rule. That is very flexible. If we know from one partner that he has to do a bigger change, we raise that timeout for that partner to 8h while other partners still have a timeout of 4h. That can be done per rule and so we were able to raise the timeout for one partner only.

Is there a possibility with IA too? At the moment this is the only thing which holds us from changeing to IA for now.

Thank you for your help in advance.

Best regards

Sascha

Re: Legacy authentication and Identity Awareness Difference

Chris_Atkinson — Tue, 21 Jul 2020 13:32:57 GMT

Are you familiar with the use of time objects in the access policy?

Re: Legacy authentication and Identity Awareness Difference

Sascha_Hasenst1 — Tue, 21 Jul 2020 14:00:51 GMT

I think so, but how can I configure a duration of 4h starting from login with time-objects? If it is possible, I don't know how. Could you please post a picture how that can be configured?

Thank you in advance.

Best regards

Sascha

Re: Legacy authentication and Identity Awareness Difference

PhoneBoy — Tue, 21 Jul 2020 14:37:43 GMT

Time objects gives you a window to access, it doesn’t allow you to adjust the time between reauthentication.
Sounds like an RFE @Royi_Priov

Re: Legacy authentication and Identity Awareness Difference

John_Fleming — Tue, 21 Jul 2020 19:59:19 GMT

So you're right that you can't do per rule limits however there is another factor i forgot to bring up with IA that may just change how you agree to have client auth rules. Legacy client auth has no way to tell when the access is no longer needed unless someone logs in and hits the sign out button. I think the sun may burn out before that happens. With captive portal you can configure it so that the user needs to keep open a web page and once they close it their access shuts down. This means if someone starts a 8 hour window and finishes in 30 mins the access they had open goes away unlike client auth which would remain open for another 7 hours and 30 mins.