Identity Awareness and remote laptop users
I was wondering if anyone has come across this scenario and how they managed to overcome it.
Scenario:
Gateways are running Identity Awareness via Identity Collector servers. Laptop users VPN into corporate, and so the GWs get the user's ID and associated VPN IP. The user now needs to go into the office, so they just close the laptop (do not log out). The laptop goes into “sleep” mode. The user is now onsite; he opens his laptop, unlocks his screen, and now the laptop connects to the corporate wireless network.
Issue:
Since the login, while on-prem, occurs prior to the laptop connecting to the wireless network (cached authentication on the laptop), the logon event is not captured on the corporate domain controllers. Since no event is “seen” by the Identity Collectors for this user, the GWs do not see his new wireless IP tagged to his user ID, and so no PDP/PEP associations are made. Since the GW has identity-based rules for outbound internet, the user is denied access from the wireless connection due to no IP association in PDP/PEP.
Workaround:
The user has to either lock and unlock the laptop to retrigger a logon event so that it is “seen” by the GWs; this does not always work, or is slow to get recognized. Another way is for the user to reboot, which is not convenient for folks like VPs who have a whole lot of application screens and docs open prior to coming onsite.
Thoughts:
Would there be any better user experience by having identity agents on the laptop or some other method that would provide a more transparent and less impactful method of transition from home to onprem and likely vice versa?
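The root-cause claim above (no logon event reaching the domain controllers after the cached unlock) can be checked on the DC itself. The PowerShell below is an added example, not code from the thread or from Check Point; it assumes a DC you can query with Get-WinEvent and uses a constructed user name (jdoe) and a two-hour window as placeholders.

```powershell
# Added example (not from the thread): run on, or against, a domain controller to see
# whether it logged any logon activity for a user after the laptop joined the corporate
# wireless. No events means the Identity Collector had nothing to forward, which matches
# the behaviour described in the post. $User, $Since and $Dc are assumed values; adjust them.
param(
    [string]$User    = 'jdoe',                      # sAMAccountName to look for (constructed)
    [datetime]$Since = (Get-Date).AddHours(-2),     # time the laptop joined the wireless
    [string]$Dc      = $env:COMPUTERNAME            # DC to query; local machine by default
)

# 4768 = Kerberos TGT requested, 4770 = TGT renewed, 4624 = successful logon.
# A laptop that really re-authenticated against the DC produces at least one of these.
$filter = @{ LogName = 'Security'; Id = 4768, 4770, 4624; StartTime = $Since }

$events = Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "(?i)\b$([regex]::Escape($User))\b" }

if (-not $events) {
    Write-Output "No logon-related events for '$User' on $Dc since $Since."
    Write-Output "The collector had nothing to forward; the new wireless IP stays unmapped until an event occurs."
    return
}

# Show when the DC saw the user and from which client address, so the address can be
# compared with the IP the gateway currently maps to that user.
$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $addr = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    [pscustomobject]@{
        Time     = $_.TimeCreated
        EventId  = $_.Id
        ClientIp = $addr
    }
} | Sort-Object Time | Format-Table -AutoSize
```

If the DC does show a 4768/4624 from the new wireless address but the gateway still has no mapping, the gap is between the collector and the PDP rather than on the Windows side.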
Can you check what the settings below are set to in IDC?
Andy
Hi Andy,
Ignore machine identities is selected and the other one is not.
Debugging matches your screen capture.
We had similar use cases in the past: a lot of users moving around the network, internal and external. The solution was to use the Identity Agent on the client laptops. The Identity Agent communicates all the time with a configured gateway and sends the user and machine IDs. No problem with users switching networks.
Hi Wolfgang,
Thanks for the insight. Did you move all of your environment to run agents, or did you have a hybrid of, say, laptops having the agent and the desktops (on-prem) relying on the IDCs relaying the info?
We used both at the same time, Identity Agent and Identity Collector. But now we are deploying the Identity Agent to all devices to have the same environment everywhere.
This is exactly the problem a locally deployed Identity Agent will solve.
