Jacques_Spelier
Contributor

Identity Awareness and remote laptop users
I was wondering if anyone has come across this scenario and how they managed to overcome it.
Scenario:

Gateways are running Identity Awareness via Identity Collector servers. Laptop users VPN into corporate, so the gws get the user's ID and associated VPN IP. The user now needs to go into the office, so they just close the laptop (they do not log out) and the laptop goes into "sleep" mode. The user is now onsite; he opens his laptop, unlocks his screen, and only then does the laptop connect to the corporate wireless network.
Issue:

Since the login while onprem occurs prior to the laptop connecting to the wireless network, the logon event is not captured on the corporate domain controllers (the laptop uses cached authentication). Since no event is "seen" by the Identity Collectors for this user, the gws do not see his new wireless IP tagged to his user ID, and so no PDP/PEP associations are made. Since the gw has identity-based rules for outbound internet, the user is denied access from the wireless connection due to the missing IP association in PDP/PEP.
Workaround:

The user has to lock and unlock the laptop to retrigger a logon event so that it is "seen" by the gws. This does not always work, or is slow to be recognized. The other option is for the user to reboot, which is not convenient for folks like VPs who have a whole lot of application screens and docs open prior to coming onsite.
Thoughts:

Would there be any better user experience by having identity agents on the laptop or some other method that would provide a more transparent and less impactful method of transition from home to onprem and likely vice versa?

0 Kudos
6 Replies
the_rock
Legend

Can you check what the settings below are set to in IDC?

Andy


Screenshot_1.png

Screenshot_2.png

0 Kudos
Jacques_Spelier
Contributor

Hi Andy,

"Ignore machine identities" is selected and the other one is not.

Debugging matches your screen capture.
0 Kudos
Wolfgang
Authority

We had similar use cases in the past. A lot of users were moving around the network, internal and external. The solution was to use the Identity Agent on the client laptops. The Identity Agent communicates all the time with a configured gateway and sends the user and machine IDs. No problems with users switching networks.

0 Kudos
Jacques_Spelier
Contributor

Hi Wolfgang,

Thanks for the insight. Did you move all of your environment to run agents, or did you have a hybrid of, say, laptops having the agent and the (onprem) desktops relying on the IDCs relaying the info?

0 Kudos
Wolfgang
Authority

We used both at the same time, Identity Agent and Identity Collector. But now we are deploying the Identity Agent to all devices, to have the same environment on all devices.

0 Kudos
PhoneBoy
Admin

This is exactly the problem a locally deployed Identity Agent will solve.

0 Kudos
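To make the mechanism behind the question and the replies concrete, here is an added toy model of the identity-to-IP table an identity-aware gateway consults. It is illustrative code written for this thread, not Check Point's implementation: the class names, TTL values, event shapes and addresses are all assumptions. It replays the scenario from the original post (a VPN logon relayed by a collector, then an onsite wake-up with cached credentials that produces no DC event) and then the agent-based behaviour Wolfgang and PhoneBoy describe, where the endpoint reports its own new address.

```python
"""Toy model of identity-to-IP association on an identity-aware gateway.

Added illustration, not Check Point code. It models a PDP that learns
user/IP bindings from two sources (a collector relaying DC logon events,
and an endpoint agent reporting its own address) and a PEP that enforces
an identity-based outbound rule. Timeouts, names and addresses are
assumptions chosen for the example.
"""
from dataclasses import dataclass, field


@dataclass
class IdentitySession:
    user: str
    source: str          # "collector" or "agent" (assumed labels)
    expires_at: int      # seconds since model start


@dataclass
class IdentityPDP:
    """Holds the IP -> identity table the gateway consults."""
    now: int = 0
    sessions: dict = field(default_factory=dict)

    def collector_logon(self, user, ip, ttl=8 * 3600):
        # Event relayed by an Identity Collector from a domain controller
        # security log. It only fires when the DC actually sees the logon,
        # so a cached-credential unlock before the network is up is missed.
        self.sessions[ip] = IdentitySession(user, "collector", self.now + ttl)

    def agent_report(self, user, ip, ttl=600):
        # Endpoint agent reports its current address; the short TTL is
        # refreshed by the agent's keepalives while the host is connected.
        self.sessions[ip] = IdentitySession(user, "agent", self.now + ttl)

    def agent_network_change(self, user, old_ip, new_ip):
        # An agent that noticed a new interface address re-reports itself
        # and releases the binding on the address it no longer holds.
        self.sessions.pop(old_ip, None)
        self.agent_report(user, new_ip)

    def advance(self, seconds):
        # Move the model clock and expire aged-out sessions.
        self.now += seconds
        self.sessions = {ip: s for ip, s in self.sessions.items()
                         if s.expires_at > self.now}

    def lookup(self, ip):
        s = self.sessions.get(ip)
        return s.user if s else None


def internet_rule_allows(pdp, src_ip, allowed_group):
    """PEP side: identity-based outbound rule. Unknown source -> deny."""
    user = pdp.lookup(src_ip)
    return user is not None and user in allowed_group


def scenario():
    """Replay the thread's scenario and return the access decisions."""
    allowed = {"jsmith"}                            # constructed group membership
    vpn_ip, wifi_ip = "10.200.0.5", "10.50.1.77"    # constructed addresses
    pdp = IdentityPDP()

    # 1. Working from home: the VPN logon hits the DC, the collector relays it.
    pdp.collector_logon("jsmith", vpn_ip)
    from_vpn = internet_rule_allows(pdp, vpn_ip, allowed)

    # 2. Laptop sleeps, comes onsite, unlocks with cached credentials before
    #    Wi-Fi is up: the DC logs nothing, so the PDP never learns wifi_ip.
    pdp.advance(1800)
    from_wifi_collector_only = internet_rule_allows(pdp, wifi_ip, allowed)
    stale_vpn_binding = pdp.lookup(vpn_ip)   # old VPN address still carries the identity

    # 3. Same move with an endpoint agent: the agent sees its new address,
    #    re-reports, and the PDP learns the Wi-Fi binding without a DC event.
    pdp.agent_network_change("jsmith", vpn_ip, wifi_ip)
    from_wifi_with_agent = internet_rule_allows(pdp, wifi_ip, allowed)
    vpn_binding_after_agent = pdp.lookup(vpn_ip)

    return {
        "from_vpn": from_vpn,
        "from_wifi_collector_only": from_wifi_collector_only,
        "stale_vpn_binding": stale_vpn_binding,
        "from_wifi_with_agent": from_wifi_with_agent,
        "vpn_binding_after_agent": vpn_binding_after_agent,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Two things the run makes visible that the prose only implies: in the collector-only path the gateway has no way to learn the wireless address at all, because the only signal it consumes never happened, and in this model the old VPN address keeps its identity binding until the collector TTL expires, which is the kind of stale association an agent-driven network-change update can clear at the same time it adds the new one.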