topic Re: Identity Awareness for dynamic environments in General Topics

Identity Awareness for dynamic environments

Carlos_Machado1 — Wed, 21 Mar 2018 18:51:56 GMT

Hi, all.

I was taking a look at the Identity Awareness documentation looking for answers to possible questions on this subject and I couldn't find anything on this:

What happens to user-to-ip mapping when a user logs in to their laptop using a wired connection but then disconnects from it and stays connected only to wifi? Since the user hasn't logged out and logged in again, I believe AD Query won't be useful. Does Check Point have something like "client probing" or any other identity acquisition method for this kind of scenario?

Thanks in advance!

Re: Identity Awareness for dynamic environments

Mark_Gurevich — Wed, 21 Mar 2018 20:05:57 GMT

Hi,

Aside login events, the next events are read as well, so if SSO is in use AD query still might be useful:

4768: A Kerberos authentication ticket (TGT) was requested.
*4769: A Kerberos service ticket was requested.
*4770: A Kerberos service ticket was renewed.

You may also consider to add Captive Portal to major allow rules

Re: Identity Awareness for dynamic environments

Kaspars_Zibarts — Wed, 21 Mar 2018 20:36:04 GMT

We are not using AD query but identity collector (IDC) instead. Much more efficient solution for larger scale. No issues with users jumping between WiFi and LAN. IDC subscribes to AD logs and gets updated, not instantly but fairly quickly.

One down side is that you can have only one username per IP with IDC. I know r&d are working on allowing more but not too sure when it's coming out.

Re: Identity Awareness for dynamic environments

Mark_Gurevich — Thu, 22 Mar 2018 09:19:45 GMT

Hi Kaspars,

Which build of IDC you've got installed?

Re: Identity Awareness for dynamic environments

Carlos_Machado1 — Thu, 22 Mar 2018 13:43:45 GMT

Thanks for your reply, Kaspars.

But if the IDC is subscribing to the AD logs, wouldn't it still need to "wait" for a session log out and session re-log in in order to map the user to their new ip? I mean, if the user jumps from LAN to wifi without re-logging in, there won't be a security log to read the new information from, right?

Re: Identity Awareness for dynamic environments

Kaspars_Zibarts — Thu, 22 Mar 2018 16:31:28 GMT

From what I understand it subscribes to more logs than that. Let me confirm

Re: Identity Awareness for dynamic environments

PhoneBoy — Thu, 22 Mar 2018 18:14:43 GMT

Identity Agent (loaded on Client IP) will provide the quickest update to user/IP association.

Re: Identity Awareness for dynamic environments

Kaspars_Zibarts — Fri, 23 Mar 2018 07:53:31 GMT

I believe it's this one (4769: A Kerberos service ticket was requested) but let me check next week when I'm in a position to confirm both firewall and DC logs

Re: Identity Awareness for dynamic environments

Carlos_Machado1 — Fri, 23 Mar 2018 16:10:41 GMT

Now we're talking. Thanks.

Re: Identity Awareness for dynamic environments

Kaspars_Zibarts — Tue, 27 Mar 2018 11:00:32 GMT

Here you go, confirmed. When I unplugged network cable:

[ 137060 137000]@xxxxxxxxx[27 Mar 12:47:01] [GatheringManager (TD::Important)] NAC::IDCOLLECTOR::GatheringManager::processEvent: processEvent process EventRecordID: 3542097560 ; EventID 4769, entity: , machine: xxxxxxx, IP: xxxxxxxxx, domain: xxxxxxxx.com

According to my sources: Usually other applications (e.g. Outlook) cause background authentication to the user with the new IP after this roaming