Using Cato Identity Agents for User Awareness

This article explains how to enable the Cato Identity Agent for User Awareness and provide the ability to identify users behind a site. The Identity Agent is supported for Windows, macOS, and Linux Clients.

Overview of Identity Agent Based User Awareness

Knowing the user identity is a key component of Zero Trust Network Architecture (ZTNA): it is essential to identify the user at any point in time, control user access, and monitor user activity. The Identity Agent for User Awareness identifies users behind a Socket, or in Office Mode. It uses the framework of the Cato Client to get the user information and regularly reports this identity to the PoP (about every 30 seconds). Any change in the IP address is immediately detected and reported.

The Client is installed on the device, runs in the background (without establishing a tunnel), and provides the Cato Cloud with the user identity.
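As an added illustration (not Cato's code), the following Python model shows the reporting behaviour described above: the agent re-reports the signed-in user on the 30-second interval and immediately when the device IP changes, and the PoP-side table stops answering for an IP whose reports have gone stale. The device identifier, the stale threshold of three missed reports and the report format are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

REPORT_INTERVAL = 30.0             # seconds; the article's "about every 30 seconds"
STALE_AFTER = 3 * REPORT_INTERVAL  # assumption: a mapping is stale after 3 missed reports


@dataclass
class IdentityAgent:
    """Device-side model: re-reports on the interval and at once on an IP change."""
    device: str                       # assumed device identifier carried in each report
    user: str
    ip: str
    last_report_at: Optional[float] = None

    def tick(self, now: float, current_ip: str) -> Optional[dict]:
        """Return the report the agent would send at `now`, or None if it stays quiet."""
        ip_changed = current_ip != self.ip
        interval_due = (self.last_report_at is None
                        or now - self.last_report_at >= REPORT_INTERVAL)
        if not (ip_changed or interval_due):
            return None
        self.ip = current_ip
        self.last_report_at = now
        return {"device": self.device, "user": self.user, "ip": current_ip, "ts": now}


@dataclass
class PopIdentityTable:
    """PoP-side model: latest IP -> (device, user, timestamp) mapping used for policy."""
    mappings: dict = field(default_factory=dict)

    def ingest(self, report: dict) -> None:
        # A device that reports a new IP invalidates its previous IP mapping right away,
        # so identity-based policy is never applied to the address it just left.
        for ip, (device, _user, _ts) in list(self.mappings.items()):
            if device == report["device"] and ip != report["ip"]:
                del self.mappings[ip]
        self.mappings[report["ip"]] = (report["device"], report["user"], report["ts"])

    def user_for(self, ip: str, now: float) -> Optional[str]:
        """Identity behind `ip`, or None if unknown or the last report is too old."""
        entry = self.mappings.get(ip)
        if entry is None:
            return None
        _device, user, ts = entry
        return user if now - ts <= STALE_AFTER else None
```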

Prerequisites

The Client prerequisites and requirements for the Identity Agent depend on which IdP is configured for your account.

| IdP | Windows Client v5.4 | Windows Client v5.5 to 5.8 | Windows Client v5.9 and higher | macOS Client v5.3 and higher | Linux Client v5.1 and higher |
|---|---|---|---|---|---|
| On-premise AD with LDAP | Supported. No SDP licenses are required for the users, and the Client doesn't need to connect to the network. | Supported (see Windows Client v5.4 for details). | Supported (see Windows Client v5.4 for details). | Supported. Requires an SDP license for each user (one-time initial authentication to the Client). When the Client is behind a Socket, it doesn't need to connect to the network. | Supported. Requires an SDP license for each user (one-time initial authentication to the Client). When the Client is behind a Socket, it doesn't need to connect to the network. |
| Hybrid Azure AD joined with LDAP; Azure AD Domain Services with LDAP; Azure AD with SCIM; Hybrid Azure AD joined with SCIM | Not Supported | Supported. Requires an SDP license for each user; one-time initial authentication to the Client. | Supported (no SDP license or authentication required). | Supported. Requires an SDP license for each user; one-time initial authentication to the Client. | Supported. Requires an SDP license for each user; one-time initial authentication to the Client. |
| Other IdPs (e.g. Okta) and manually created users | Not Supported | Supported. Requires an SDP license for each user; one-time initial authentication to the Client. When the Client is behind a Socket, it doesn't need to connect to the network. | Supported (see Windows Client v5.5 for details). | Supported. Requires an SDP license for each user; one-time initial authentication to the Client. When the Client is behind a Socket, it doesn't need to connect to the network. | Supported. Requires an SDP license for each user; one-time initial authentication to the Client. When the Client is behind a Socket, it doesn't need to connect to the network. |

Overview of Implementing Cato's Identity Agent for User Awareness Solution

This is a high-level overview of the process to implement Identity Agent for User Awareness in your account:

1. On the Access > Directory Services screen, provision users to your account.

2. After provisioning the users and user groups is completed, create rules and policies that include them.

3. Install the Client on the devices for the relevant users. Once the user logs in to the device, the Client starts reporting the identity to the Cato Cloud every 30 seconds.

4. For macOS and Linux Clients, assign SDP licenses to users and user groups. For more information on how to assign SDP licenses, see Assigning SDP Licenses to Users.

Enforcing Policies Based on User Identity

Users or user groups can be added to policies. After Cato has identified a user, any policies that are configured for that user are enforced both behind a site and remotely.

Enabling the Identity Agent for User Awareness

Enable your account to identify the provisioned users with Cato's Identity Agent.

To enable the identity agent:

1. From the navigation menu, select Access > User Awareness.

2. Select the Identity Agent section.

3. Enable the identity agent for your account.

   The toggle is green when enabled.

4. Click Save.

Assigning SDP License

An SDP license is required to identify users with the Identity Agent in these scenarios:

• On a macOS or Linux device

• Users provisioned from an IdP other than Azure

• Manually created users

For more information on how to assign an SDP license, see Assigning SDP Licenses to Users.

Known Limitations

• For devices that use macOS:

  • On macOS Ventura (version 13), after the Client upgrades to the new version there is a one-time requirement to reboot the device

  • If you delete an SDP user from the Client, their identity is not reported

• For accounts that provision users with Azure AD SCIM:

  • In Windows Client v5.8 and earlier, if users authenticate with an on-prem AD, only users with an SDP license are identified by the Identity Agent

  • In Windows Client v5.9 and later, an SDP license is not required for a user to be identified by the Identity Agent

• For Windows Client v5.5 and earlier, the Identity Agent is not able to identify the active user when users switch accounts on a Windows device without logging out:

  • When a user is logged in to Windows, and a different user logs in to the device (Start menu > Switch user), both users are currently logged in to the device. The agent identifies only one of the users for this device

  • When a user logs out of the Windows device, and a second user logs in, then the agent identifies the second user for this device

  • Terminal servers are not supported

• When users are authenticated to the Client, the identity is immediately acquired, and the Identity Agent report timestamp in the Client is not relevant.

• For IdPs other than Azure AD:

  • If you delete an SDP user from the Client, their identity is not reported

• User Awareness does not identify disabled users
