Enabling user identity awareness – Amer Networks E5Web GUI User Manual
iii. The user's IP.
The Identity Awareness Agent must be installed on all domain controllers that make up the
Active Directory domain; a logon handled by a controller without the agent is never reported to cOS Core.
• The user's IP address is now authenticated to cOS Core and connections coming from that IP
are permitted through the security gateway if an IP Rule or IP Policy is defined to allow it.
• A client attempts to open a connection through cOS Core.
• A cOS Core IP Rule or IP Policy object is triggered that could allow this connection.
• The source network address object for the triggered rule or policy has an associated
authentication list of allowed usernames and groups. If the client is part of this list, the
connection can be established.
The IP Rule or IP Policy object that is created for authentication has the dual purpose of
identifying and allowing the connection as well as triggering the authentication process. NAT
could also be a function included in the rule or policy.
Setting Up Identity Awareness
To set up identity awareness, the following steps are required:
• Install and configure the Identity Awareness Agent software on all the domain controller
servers in a domain. This is described in more depth at the end of this section.
• Configure an Authentication Agent object in cOS Core which has IP Address and Pre-shared Key
properties that correspond to the ones used by the agents installed on the domain controller
servers. A new object should be created for each server in the domain.
If the Pre-shared Key property is not specified, this defaults to the value of the predefined PSK
object auth_agent_psk. This is also the default key value used by the Clavister Identity
Awareness Agent. However, this default key must never be used in a live system: it is a
published value, so it gives no assurance that the logon events cOS Core receives really come
from a legitimate agent.
An IP rule or IP policy is not needed in cOS Core to allow the traffic coming from the agent.
• Configure an address book IP4 Address object that defines the IP address, IP range or network
from which authenticating clients will come.
Important: In the Authentication property of this address object, specify the usernames
and/or groups which are allowed to create connections. Usernames must be specified in the
format username@domain. For example, myusername@mycompanyname.
• Specify an IP Rule or IP Policy object in the cOS Core configuration that triggers on the client
connections to be authenticated and allows them to be opened. The source network for this
rule or policy must be the IP4 Address object specified in the previous step.
It is the triggering of this rule or policy that starts the authentication process.
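The following is an added example, not code from cOS Core or the Identity Awareness Agent. It models the decision the steps above describe: an agent-reported IP-to-user@domain map, an IP4 Address object whose Authentication property lists allowed users and groups, and an IP rule that only matches when the source IP is inside that object's network and the reported identity is on the list. Everything in it is a constructed assumption for illustration: the addresses of client_net and server_net, the user and group names, the hypothetical auth_users/auth_groups split of the Authentication property, and the choice that a rule whose identity check fails is skipped so that evaluation falls through to the default drop. It also flags Authentication Agent objects still keyed with the predefined auth_agent_psk and usernames that are not in username@domain form.

```python
"""Toy model of identity-aware IP rule evaluation (added example, not cOS
Core's own code). Assumptions, all constructed for illustration: the
Identity Awareness Agent has reported IP -> user@domain mappings; an
IP4 Address object's Authentication property is modelled as two lists,
auth_users and auth_groups; a rule whose identity check fails is skipped
and evaluation falls through to the default drop."""
import ipaddress
from dataclasses import dataclass, field

DEFAULT_PSK_OBJECT = "auth_agent_psk"   # predefined default; never use in production


@dataclass
class Identity:
    user: str                               # username@domain reported by the agent
    groups: set = field(default_factory=set)


@dataclass
class IP4Address:
    name: str
    network: str                            # CIDR or a single IP (hypothetical format)
    auth_users: list = field(default_factory=list)    # Authentication property
    auth_groups: list = field(default_factory=list)

    def __post_init__(self):
        self.network = ipaddress.ip_network(self.network, strict=False)


@dataclass
class IPRule:
    name: str
    src_if: str
    src_net: IP4Address
    dst_if: str
    dst_net: IP4Address
    service: str
    action: str = "Allow"


@dataclass
class AuthenticationAgent:
    name: str
    ip: str
    psk_object: str = DEFAULT_PSK_OBJECT    # blank PSK property -> default key


def bad_usernames(addr):
    """Entries in auth_users that are not in the required username@domain form."""
    return [u for u in addr.auth_users
            if u.count("@") != 1 or not all(u.split("@"))]


def agents_on_default_psk(agents):
    """Agent objects still keyed with the predefined auth_agent_psk."""
    return [a.name for a in agents if a.psk_object == DEFAULT_PSK_OBJECT]


def evaluate(src_if, src_ip, dst_if, dst_ip, service, rules, identities):
    """First-match rule walk. A rule whose source network carries an
    authentication list matches only if the agent-reported identity for
    src_ip is a listed user or belongs to a listed group."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src_if, dst_if, service) != (r.src_if, r.dst_if, r.service):
            continue
        if src not in r.src_net.network or dst not in r.dst_net.network:
            continue
        if r.src_net.auth_users or r.src_net.auth_groups:
            ident = identities.get(src_ip)
            if ident is None:
                continue                    # no logon reported from this IP
            if (ident.user not in r.src_net.auth_users
                    and not ident.groups & set(r.src_net.auth_groups)):
                continue                    # authenticated, but not authorised
        return r.action, r.name
    return "Drop", "default"


# Constructed sample configuration and agent-reported logons (hypothetical).
client_net = IP4Address("client_net", "192.168.10.0/24",
                        auth_users=["alice@example.com"], auth_groups=["engineering"])
server_net = IP4Address("server_net", "10.0.20.0/24")
RULES = [IPRule("allow_http", "If1", client_net, "If2", server_net, "http")]
IDENTITIES = {
    "192.168.10.15": Identity("alice@example.com", {"sales"}),
    "192.168.10.16": Identity("bob@example.com", {"engineering"}),
    "192.168.10.18": Identity("carol@example.com", {"sales"}),
}
AGENTS = [AuthenticationAgent("dc1_agent", "10.0.20.10", "dc_agent_psk"),
          AuthenticationAgent("dc2_agent", "10.0.20.11")]


def decide(src_ip):
    """HTTP from If1 client to a server_net host on If2 under RULES."""
    return evaluate("If1", src_ip, "If2", "10.0.20.5", "http", RULES, IDENTITIES)


if __name__ == "__main__":
    for ip in ("192.168.10.15", "192.168.10.16", "192.168.10.17", "192.168.10.18"):
        print(ip, decide(ip))
    print("agents on default PSK:", agents_on_default_psk(AGENTS))
```

Running the block shows alice allowed by username, bob allowed through the engineering group, an IP with no reported logon dropped, and carol dropped because she is authenticated but not on the list; dc2_agent is reported because its Pre-shared Key property was left at the default.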
Example 8.6. Enabling User Identity Awareness
This example assumes that there are external clients on a network client_net connected to the If1
interface. These clients will want HTTP access to hosts on a network server_net on the If2
interface.
Client connections will be authenticated using the identity awareness feature. The only
Chapter 8: User Authentication