Jan_Kleinhans
Advisor

Identity Collector - Switch between LAN and WIFI - Active Directory

Hello,

We have the following problem. We are using Identity Collector with Active Directory.

When notebook users detach their LAN connection and connect to the Wi-Fi, they get a new IP address, but there is no new Active Directory authentication. So the users are not identified on the firewall.

Does anybody have a solution for this problem? Is there maybe a Windows way, or do we have to force the users to authenticate via the portal or make use of the Identity Agent?

Regards,

Jan


0 Kudos
3 Replies
Sorin_Gogean
Advisor

Hello,


Are you using any dot1X authentication/authorization solution?
We're using ISE for Wi-Fi and copper port authorization, so when users move from cable to Wi-Fi, some ISE events get triggered, and we're collecting those through pxGrid. Still, we're in a testing phase; we're not fully implemented with Identity.

The only way I would see to tackle this is to use Identity Agent, but the only problem I have is that the Identity Agent supports only a limited number: "Identity Agents work well in small deployments, i.e. less than 20,000 users per PDP. By selecting which gateway the Identity Agent connects to, you can manage the load", so in some cases it could be an issue.
One other way, that I didn't try, is to enable browser-based authentication, but that is not applicable every time/everywhere.

Thank you,

PS:

Identity Agents
Identities are acquired using full, light or custom configured endpoint agents that are installed on the Endpoint computers.
Use Case
- High level of security; packet tagging to prevent IP spoofing, IP change detection
- Transparent authentication with Kerberos Single Sign-On
- Connectivity even while roaming to another network
Session Details
- IP, User, AD Machine in an Active Directory environment
Authentication Process
- On access acquired from Internal, AD, Kerberos Single Sign-On
0 Kudos
Jan_Kleinhans
Advisor

Hello,

We also have a Cisco ISE. But we are authenticating with machine certificates there. So ISE only logs in/out the machine and not the user. This leads to a logout of the user as well when the machine is disconnected from the LAN. Without the ISE, the user session would not be killed, so that, if the user switches back to the LAN, the session would stay authenticated.

As you mentioned above, the only option I see at the moment is the Identity Agent, or forcing the users to authenticate via the Identity Portal.

Maybe another one has a better solution.

Thanks,

Jan

0 Kudos
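The two situations described in this thread (an IP change with no new AD authentication, and a NAC-driven machine logoff that also drops the user's session) both come down to how an IP-keyed identity table behaves. The model below is an added illustration written for this thread; it is not Check Point's Identity Collector or Identity Agent code, and the event names, user, machine and IP values in it are constructed. It shows why a session keyed on the old address cannot identify traffic from the new one unless something (an agent with IP change detection, or a NAC feed such as pxGrid) tells the table about the move.

```python
"""Toy model of an IP-keyed identity table, as a collector would build it
from AD logon events. Added illustration for this thread; not Check Point code.
All names and addresses below are constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    machine: str
    ip: str
    source: str  # constructed label for which feed created the mapping


@dataclass
class IdentityMap:
    # Firewalls match traffic by source IP, so the table is keyed by IP.
    by_ip: Dict[str, Session] = field(default_factory=dict)

    def ad_logon(self, user: str, machine: str, ip: str) -> None:
        # A Kerberos/AD logon seen by the collector creates or refreshes a mapping.
        self.by_ip[ip] = Session(user, machine, ip, "ad-logon")

    def machine_disconnect(self, machine: str) -> int:
        # A NAC (e.g. ISE via pxGrid) reporting the machine logged off on the wired
        # port removes every session of that machine, user mapping included.
        stale = [ip for ip, s in self.by_ip.items() if s.machine == machine]
        for ip in stale:
            del self.by_ip[ip]
        return len(stale)

    def ip_changed(self, machine: str, new_ip: str) -> bool:
        # Only an explicit IP-change notification (the "IP change detection" an
        # endpoint agent provides) re-keys an existing session to the new address.
        for old_ip, s in list(self.by_ip.items()):
            if s.machine == machine:
                del self.by_ip[old_ip]
                self.by_ip[new_ip] = Session(s.user, s.machine, new_ip, "ip-change")
                return True
        return False

    def identify(self, ip: str) -> Optional[str]:
        # What the gateway would see for a packet from this source IP.
        s = self.by_ip.get(ip)
        return s.user if s else None


def roaming_scenario(detect_ip_change: bool) -> Tuple[Optional[str], Optional[str]]:
    """Laptop logs on wired, then moves to Wi-Fi and gets a new address with no
    new AD authentication. Returns (identity for old IP, identity for new IP)."""
    im = IdentityMap()
    im.ad_logon("jan", "NB-001", "10.1.1.5")   # constructed wired address
    if detect_ip_change:
        im.ip_changed("NB-001", "10.2.2.9")    # constructed Wi-Fi address
    return im.identify("10.1.1.5"), im.identify("10.2.2.9")


def nac_logoff_scenario() -> Tuple[Optional[str], Optional[str]]:
    """Machine-certificate NAC logs the machine off when the cable is pulled;
    the user's mapping goes with it. Returns (identity before, identity after)."""
    im = IdentityMap()
    im.ad_logon("jan", "NB-001", "10.1.1.5")
    before = im.identify("10.1.1.5")
    im.machine_disconnect("NB-001")
    after = im.identify("10.1.1.5")
    return before, after


if __name__ == "__main__":
    print("roaming, no IP-change feed:", roaming_scenario(False))
    print("roaming, with IP-change feed:", roaming_scenario(True))
    print("NAC machine logoff:", nac_logoff_scenario())
```

Without an IP-change feed the old wired address stays mapped to the user (a stale entry another host could later inherit from DHCP) while traffic from the Wi-Fi address is unidentified; with the feed the session follows the machine. The logoff scenario shows why a machine-only NAC authentication removes the user as well: the table has no user session independent of the machine's entry.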
Sorin_Gogean
Advisor

I see. We're doing machine and user authentication on cable and Wi-Fi, so if the user moves to Wi-Fi, we're getting a machine authentication update into Check Point Identity.
Like I told you, we're going to run an extended POC in some sites and see more in depth how it's going.
Our advantage would be that on Check Point Identity we're OK with machine identification, and user identification is a bonus.
(Might change over time.)

If I were in your position, I would look into Identity Agent, depending on the number of users, your structure and global spread
(because Identity Portal might not be OK if an application would require Internet access that is not related to website browsing).

If I may ask, since you get data from ISE through pxGrid into Identity Collector, can you tell what IC version and what ISE version you use? I'm asking this because, since Check Point changed the IC code for ISE/pxGrid v2 with R81.040.000, I have seen some issues with that connection towards ISE/pxGrid.
The main connector we use is R80.119.000, as that has been stable for half a year or so 🙂.

Thank you,

0 Kudos