This article explains how to enable the Cato Identity Agent for User Awareness, which identifies the users behind a site. The Identity Agent is supported for Windows, macOS, and Linux Clients.
Knowing the user identity is a key component of Zero Trust Network Access (ZTNA): you must be able to identify the user at any point in time, control user access, and monitor user activity. The Identity Agent for User Awareness identifies users behind a Socket or in Office Mode. It uses the framework of the Cato Client to obtain the user information and reports this identity to the PoP regularly (about every 30 seconds). Any change in the IP address is detected and reported immediately.
The Client is installed on the device and runs in the background without establishing a tunnel; it provides the Cato Cloud with the user identity.
The Client prerequisites and requirements for the Identity Agent depend on which IdP is configured for your account:
| IdP configuration | Windows Client v5.4 | Windows Client v5.5 to 5.8 | Windows Client v5.9 and higher | macOS Client v5.3 and higher | Linux Client v5.1 and higher |
|---|---|---|---|---|---|
| On-premise AD with LDAP | Supported | Supported (see Windows Client v5.4 for details) | Supported (see Windows Client v5.4 for details) | Supported | Supported |
| Hybrid Azure AD joined with LDAP | Supported | Supported (see Windows Client v5.4 for details) | Supported (see Windows Client v5.4 for details) | Supported | Supported |
| Azure AD Domain Services with LDAP | Supported | Supported (see Windows Client v5.4 for details) | Supported (see Windows Client v5.4 for details) | Supported | Supported |
| Azure AD with SCIM | Supported | Supported (see Windows Client v5.4 for details) | Supported (see Windows Client v5.4 for details) | Supported | Supported |
| Hybrid Azure AD joined with SCIM | Not Supported | Supported | Supported (no SDP license or authentication required) | Supported | Supported |
| Other IdPs (e.g. Okta) and manually created users | Not Supported | Supported | Supported (see Windows Client v5.5 for details) | Supported | Supported |
This is a high-level overview of the process to implement Identity Agent for User Awareness in your account:

- On the Access > Directory Services screen, provision users to your account.
- After provisioning the users and user groups is complete, create rules and policies that include them.
- Install the Client on the devices for the relevant users. Once the user logs in to the device, the Client starts reporting the identity to the Cato Cloud every 30 seconds.
- Enable your account to identify the provisioned users with Cato's Identity Agent.
  - For macOS and Linux Clients, assign SDP licenses to users and user groups. For more information on how to assign SDP licenses, see Assigning SDP Licenses to Users.
- An SDP license is required to identify users with the Identity Agent in these scenarios:
  - On a macOS or Linux device
  - Users provisioned from an IdP other than Azure
  - Manually created users

  For more information on how to assign an SDP license, see Assigning SDP Licenses to Users.
- For devices that use macOS:
  - On macOS Ventura (version 13), after the Client upgrades to the new version there is a one-time requirement to reboot the device.
  - If you delete an SDP user from the Client, their identity is not reported.
- For accounts that provision users with Azure AD SCIM:
  - In Windows Client v5.8 and earlier, if users authenticate with an on-prem AD, only users with an SDP license are identified by the Identity Agent.
  - In Windows Client v5.9 and later, an SDP license is not required for a user to be identified by the Identity Agent.
- For Windows Client v5.5 and earlier, the Identity Agent is not able to identify the active user when switching between users that do not log out on a Windows device:
  - When a user is logged in to Windows and a different user logs in to the device (Start menu > Switch user), both users are logged in to the device. The agent identifies only one of the users for this device.
  - When a user logs out of the Windows device and a second user logs in, the agent identifies the second user for this device.
  - Terminal servers are not supported.
- When users are authenticated to the Client, the identity is acquired immediately, and the Identity Agent report timestamp in the Client is not relevant.
- For IdPs other than Azure AD:
  - If you delete an SDP user from the Client, their identity is not reported.
- User Awareness does not identify disabled users.