- CheckMates
- :
- Products
- :
- General Topics
- :
- Identity Awareness for dynamic environments
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Identity Awareness for dynamic environments
Hi, all.
I was taking a look at the Identity Awareness documentation looking for answers to possible questions on this subject and I couldn't find anything on this:
What happens to user-to-ip mapping when a user logs in to their laptop using a wired connection but then disconnects from it and stays connected only to wifi? Since the user hasn't logged out and logged in again, I believe AD Query won't be useful. Does Check Point have something like "client probing" or any other identity acquisition method for this kind of scenario?
Thanks in advance!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Aside login events, the next events are read as well, so if SSO is in use AD query still might be useful:
4768: A Kerberos authentication ticket (TGT) was requested.
*4769: A Kerberos service ticket was requested.
*4770: A Kerberos service ticket was renewed.
You may also consider to add Captive Portal to major allow rules
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are not using AD query but identity collector (IDC) instead. Much more efficient solution for larger scale. No issues with users jumping between WiFi and LAN. IDC subscribes to AD logs and gets updated, not instantly but fairly quickly.
One down side is that you can have only one username per IP with IDC. I know r&d are working on allowing more but not too sure when it's coming out.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Kaspars,
Which build of IDC you've got installed?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your reply, Kaspars.
But if the IDC is subscribing to the AD logs, wouldn't it still need to "wait" for a session log out and session re-log in in order to map the user to their new ip? I mean, if the user jumps from LAN to wifi without re-logging in, there won't be a security log to read the new information from, right?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From what I understand it subscribes to more logs than that. Let me confirm
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe it's this one (4769: A Kerberos service ticket was requested) but let me check next week when I'm in a position to confirm both firewall and DC logs
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here you go, confirmed. When I unplugged network cable:
[ 137060 137000]@xxxxxxxxx[27 Mar 12:47:01] [GatheringManager (TD::Important)] NAC::IDCOLLECTOR::GatheringManager::processEvent: processEvent process EventRecordID: 3542097560 ; EventID 4769, entity: , machine: xxxxxxx, IP: xxxxxxxxx, domain: xxxxxxxx.com
According to my sources: Usually other applications (e.g. Outlook) cause background authentication to the user with the new IP after this roaming
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Identity Agent (loaded on Client IP) will provide the quickest update to user/IP association.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now we're talking. Thanks.
