Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Carlos_Machado1
Participant

Identity Awareness for dynamic environments

Hi, all.

I was taking a look at the Identity Awareness documentation looking for answers to possible questions on this subject and I couldn't find anything on this:

What happens to user-to-ip mapping when a user logs in to their laptop using a wired connection but then disconnects from it and stays connected only to wifi? Since the user hasn't logged out and logged in again, I believe AD Query won't be useful. Does Check Point have something like "client probing" or any other identity acquisition method for this kind of scenario?

Thanks in advance!

0 Kudos
9 Replies
Mark_Gurevich
Contributor

Hi,

Aside login events, the next events are read as well, so if SSO is in use AD query still might be useful:

4768: A Kerberos authentication ticket (TGT) was requested.
*4769: A Kerberos service ticket was requested.
*4770: A Kerberos service ticket was renewed.

You may also consider to add Captive Portal to major allow rules

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

We are not using AD query but identity collector (IDC) instead. Much more efficient solution for larger scale. No issues with users jumping between WiFi and LAN. IDC subscribes to AD logs and gets updated, not instantly but fairly quickly.

One down side is that you can have only one username per IP with IDC. I know r&d are working on allowing more but not too sure when it's coming out.

0 Kudos
Mark_Gurevich
Contributor

Hi Kaspars,

Which build of IDC you've got installed?

0 Kudos
Carlos_Machado1
Participant

Thanks for your reply, Kaspars.

But if the IDC is subscribing to the AD logs, wouldn't it still need to "wait" for a session log out and session re-log in in order to map the user to their new ip? I mean, if the user jumps from LAN to wifi without re-logging in, there won't be a security log to read the new information from, right?

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

From what I understand it subscribes to more logs than that. Let me confirm

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

I believe it's this one (4769: A Kerberos service ticket was requested) but let me check next week when I'm in a position to confirm both firewall and DC logs

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

Here you go, confirmed. When I unplugged network cable:

[ 137060 137000]@xxxxxxxxx[27 Mar 12:47:01]  [GatheringManager (TD::Important)] NAC::IDCOLLECTOR::GatheringManager::processEvent: processEvent process EventRecordID: 3542097560 ; EventID 4769, entity: , machine: xxxxxxx, IP: xxxxxxxxx, domain: xxxxxxxx.com

According to my sources: Usually other applications (e.g. Outlook) cause background authentication to the user with the new IP after this roaming

0 Kudos
PhoneBoy
Admin
Admin

Identity Agent (loaded on Client IP) will provide the quickest update to user/IP association.

0 Kudos
Carlos_Machado1
Participant

Now we're talking. Thanks.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events