This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mbsm
Participant
‎2019-10-16 08:48 AM

Identity Collector Users unable to browse to internet

Hi,

We successfully implement Identity Collector and working on R80.30. But we encounter an problem, the user is connected thru the WiFi and able to browse the internet but when the user disconnect to WiFi then connect thru LAN cable the user unable to browse the internet. By the way, the network of the WiFi is different to the LAN. Our workaround is login thru captive portal or restart the laptop.

Is there a solution for this issue? Or is this a limitation of the Identity Collector?

 

Appreciate your answers,

0 Kudos
7 Replies
Nik_Bloemers
Advisor
Advisor
‎2019-10-16 11:11 PM

This is a limitation. Identity Collector can only see logon events and determine the user/IP combination at that time. So when the client IP changes, there is not way for IC to know about that until something generates a logon security event.
When fast roaming between wired/wireless is required, the recommended way is to use the identity agent, this will constantly update the user/IP asssociation.

Also, another workaround aside from restarting the laptop would be locking/unlocking it, that should generate an AD login event.
PhoneBoy
Admin
Admin
‎2019-10-17 04:46 PM

Short of using Identity Agents on user machines, this limitation will apply.
0 Kudos
mbsm
Participant
‎2019-10-21 11:38 PM
In response to PhoneBoy

Hi,

Is Admin account required for the Identity Agent implementation or like on the Identity Collector that a domain user can be used?

0 Kudos
Nik_Bloemers
Advisor
Advisor
‎2019-10-21 11:53 PM
In response to mbsm

Identity Agent has 2 variants: Full and Light. Light requires no admin privileges to install and only provides user identity. Full provides machine identity and packet tagging as well, but needs admin privileges to be installed.
Usually these are deployed centrally by some form of software management tool or GPO.
Marco_Valenti
Advisor
‎2019-10-22 02:29 AM

you should enable browser based authentication to avoid this kind of behavior but it require additional configuration steps for make it work

0 Kudos
mdjmcnally
Advisor
‎2019-10-22 08:29 AM

As others already pointed out then would need the Agent installed.

One thing that is also possibly though waiting for it to happen is if you are using a NAC like Cisco ICE or HPE ClearPass where can use these as a Source for the Identity Collector.

That way as you move from Wired to Wirelss then the NAC has the log entry for you that the Identity Collector can take to update.

Useful if rolling out something like that but obviously probably easier to roll out the Agent if not rolling out the NAC anyway.

0 Kudos
mbsm
Participant
‎2019-10-30 02:03 AM

Hi 

I appreciate your reply on this issue, and we already raise this to TAC.

But unfortunately, as we try to replicate the issue the users was still able to access the internet. We are still investigating  for the possible cause of this scenario. As checked on the logs for Identity Collector Server located on the C:\Windows\Temp\ia_ag.log, the Wireless IP of the User was changed to Wire IP which could indicate that the AD capture the change of the user's IP. 

Thank you, 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top