This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NorthernNetGuy
Advisor
‎2019-03-04 10:53 AM

Identity Detection - Best option?

We have a unique environment, and are having troubles identifying the best way to enforce role based access. Here are the problems I'm seeing with each Identity Awareness source:

Browser-Based: We don't want users to do browser based authentication every login.

AD Query: Assume single user host causes and RDP casuses RDP session account to override current login, and service account exemption isn't feasible for our structure.

Identity Agent: Doesn't support fast user switching

Terminal Server Agent - Doesn't support windows 10 Secureboot

Radius Accounting - We don't have radius auth configured for wired users yet.

Identity Collector - Doesn't support 2003 domain controllers (yes, I know, we are trying to upgrade)

Identity Web API - we would configure with Aruba Clearpass, but again isn't configured for wired users.

User Directory - Can it do user group detection, and handle multi user hosts? I think this is just for configuring LDAP accounts

I'm in quite a pickle on how to enforce access. Our previous TMG 2010 gateway used a proxy client to enforce access.

5 Replies
Mark_Mitchell
Advisor
‎2019-03-04 11:51 AM

Hi David,

Interesting issues indeed. What are the key requirements you are trying to achieve? 

For example ..

- All users must be identified regardless of what machine they are on 

- Identify users from Windows 10 machines with Fast User Switching

- access from Windows Server 2016 

- number of domain controllers

- etc....

Regards

Mark

NorthernNetGuy
Advisor
‎2019-03-04 12:05 PM
In response to Mark_Mitchell

Hi Mark,

Here are the requirements I'm trying to meet:

Support windows xp, 7, 8, 10

Support fast user switching

Identify current logged in user for any machine, and their group memberships for access enforcement.

Current active user session not overriden when initiating RDP with a different account

Supports the following domain controllers: windows server 2003 and 2008r2 (3x 2003, 2x2008r2)

I think this covers what we need.

Thank you,

David

Mark_Mitchell
Advisor
‎2019-03-04 12:23 PM
In response to NorthernNetGuy

Thanks David.

Based on what you need to achieve and the secure boot limitation, you may need to utilise more than one method. For me to meet your requirements I would recommend the below. 

  1. For any machine where Fast user Switching is not used, deploy the identity agent as normal. 
  2. For machines that do need Fast User Switching I would configure the captive portal method with Kerberos SSO
    1. To give the best possible end user experience, you could implement a login script that would run upon user login and direct users to the portal. Because you have SSO enabled it should just log the user straight in.

Slightly outside the scope of this forum, but I would also recommend upgrading your DC's to Windows Server 2016. As even with the 2008 R2 the support time is limited from Microsoft - This would then allow the use of the identity collector for your environment. 

Regards

Mark

NorthernNetGuy
Advisor
‎2019-03-04 12:36 PM
In response to Mark_Mitchell

Thanks Mark,

I'll trial the captive portal with SSO, and set up a login script, see what the impact from that will be. I know our team shy's away from captive portal, but if a demo goes well it may sway opinions.

We'll be assuming all computers require fast user switching, our domain structure isn't configured in a way to easily deploy nor determine which machines require it. (plus 2000+ endpoints, industrial environment)

I definitely agree on the DC upgrades, I would like to use the IDC if not for our old domain controllers. We have a project underway for that, but it's an intimidating task for that team for varying reasons.

Mark_Mitchell
Advisor
‎2019-03-04 12:49 PM
In response to NorthernNetGuy

No problems David. 

I'll be honest, I wouldn't normally go for Captive Portals on machines that we can control centrally and for Large environments would go with the Identity Agent. But in your situation I think it may work well. 

Let us know how you get on with the demo and what the outcome turns out to be. Smiley Happy

Regards

Mark

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events