topic Re: Identity Collector - Switch between LAN and WIFI - Active Directory in Firewall and Security Management

Identity Collector - Switch between LAN and WIFI - Active Directory

Jan_Kleinhans — Wed, 11 Jan 2023 08:49:28 GMT

Hello,

we have the following problem. We are using Identity Collector with Active Directory.

When Notebook users detatch there LAN connection and connect to the wifi they will get a new ip address but there is no new active directory authentication. So the users are not identified on the firewall.

Does anybody have a solution for this problem? Is there maybe a windows way or do we have to force the users to authenticate via portal or make use of the identity agent.

Regards,

Jan

Re: Identity Collector - Switch between LAN and WIFI - Active Directory

Sorin_Gogean — Wed, 11 Jan 2023 10:42:16 GMT

Hello,

Are you using any dot1X authentication/authorization solution ?
We're using ISE for WiFi and Copper ports authorization, so when users move from Cable to WiFi, some ISE events get triggered so we're collecting that through pxGrid . Still we're in a testing phase, we're not fully implemented with Identity.

The only way I would see to tackle this, is to use Identity Agent, but the only problem I have is that the Identity Agent support only a limited number "Identity Agents work well in small deployments, i.e. less than 20,000 users per PDP. By selecting
which gateway the Identity Agent connects to, you can manage the load" so in some cases it could be an issue.
One other way - that I didn't try - is to enable browser base authentication, still that is not applicable every time/everywhere.

Thank you,

PS:

Identity Agents
Identities are acquired using full, light or custom configured endpoint agents that are installed on the Endpoint computers.
Use Case
 High level of security; packet tagging to prevent IP spoofing, IP change detection
 Transparent authentication with Kerberos Single Sign-On
 Connectivity even while roaming to another network
Session Details
 IP, User, AD Machine in an Active Directory environment
Authentication Process
 On access acquired from Internal, AD, Kerberos Single Sign-On

Re: Identity Collector - Switch between LAN and WIFI - Active Directory

Jan_Kleinhans — Wed, 11 Jan 2023 10:57:22 GMT

Hello,

we also have a Cisco ISE. But we are authenticating with machine certificates there. So ISE only logs in/out the machine and not the user. This leads to a logout of the user as well when the machine is disconnected from LAN. Without the ISE the user session would not be killed so that, if the user switches back to LAN, the session would stay authenticated.

As you mentioned above, the only option I see at the moment, is the identity agent, or forcing the users to authenticate via Idenitity Portal.

Maybe another one has a better solution.

Thanks,

Jan

Re: Identity Collector - Switch between LAN and WIFI - Active Directory

Sorin_Gogean — Wed, 11 Jan 2023 11:27:13 GMT

I see, we're doing machine and user authentication on Cable and WiFi, so if the user moves to WiFi, we're getting an machine authentication update into CheckPoint Identity.
Like I told you, we're going to run an extended POC in some sites, and see more in depth how it's going.
Our advantage it would be that on CheckPoint identity, we're OK with Machine identification and User identification it's an bonus.
(might change through time )

If I would be in your position, I would look into Identity Agent, depending on the number of users, your structure and global spread,
(because Identity Portal might not be OK, if an application would require Internet Access and might not be related to websites browsing)

If I may ask, from ISE, you get through pxGrid data into Identity Collector, can you tell what IC version you use and what ISE version you are? I'm asking this because, since Checkpoint change the IC code for ISE/pxGrid v2 with R81.040.000 I have seen some issues with that connection towards ISE/pxGrid.
The main connector we use is R80.119.000 as that is stable since half of year or so 🙂 .

Thank you,