topic Re: Identity awareness question in Firewall and Security Management

Identity awareness question

the_rock — Mon, 08 Mar 2021 23:17:06 GMT

Hello everyone, I know this may sound like a dumb question, but Im little confused as to why the output is the way it looks. So lets say you have 2 users logging into one PC (well mac in this case, but I dont think thats really relevant) and both are logged into it at the same time (lets call them user 1 and user2). Well, I was expecting when doing command on the firewall -> watch -d pdp monitor ip 10.10.10.55 (ip of the machine), output to show BOTH users logged in, NOT just one...what seems to be happening is that command keeps switching between 2 users every minute or so...is that normal?? The reason Im asking this is because in IA setting on the gateway, option assume only one user is connected per machine is unchecked. This is important to the customer because we are doing url blocking based on the users, NOT ip addresses. Anyway, maybe Im understanding this wrong...if someone could clarify, would be awesome. Tx Andy

Re: Identity awareness question

Vladimir — Tue, 09 Mar 2021 00:36:28 GMT

As per IA Architecture and Best Practices , bolow are the common mistakes (see the last point):

Forgetting to Exclude Services(see sk131792)–When using AD Query itis highly recommended to activate “assume only one user per device” or Identity Collector which “assumes one user per device”by defaultand exclude any non-user devices that may be inspected,such as Exchange servers or Citrix servers.
It’salso highly recommended to exclude all known service accounts. These are not used in the user-based policy and so they create an unnecessary overhead.
Forgetting to Exclude Multi-user Hosts–When using ADQuery orIdentity Collector.

Re: Identity awareness question

PhoneBoy — Tue, 09 Mar 2021 00:45:29 GMT

How are identities being acquired in this case?
Note that in general, you can expect erratic results on multi-user machines unless it's a terminal server and you install the appropriate agent.
That said, the identity shouldn't change like that, unless it's something unique with the Mac.

Re: Identity awareness question

the_rock — Tue, 09 Mar 2021 00:58:48 GMT

Thanks for the input gents, appreciated. I have to do bit more testing, but I was under impression that if multiple users I logging in to the same machine, pdp monitor would show that, but I dont believe thats the case. There is IA agent installed on MAC, so it authenticates to the gateway, which then goes to AD.

Re: Identity awareness question

PhoneBoy — Tue, 09 Mar 2021 01:03:14 GMT

The Identity Agent that runs on a regular PC or Mac "assumes" a single user is present, I believe.
If it's running on both users, that might explain what's going on.

Re: Identity awareness question

the_rock — Tue, 09 Mar 2021 01:50:10 GMT

Ok, correct, that makes sense then, as it is running and showing connected on both users logged in.

Tx!