This article explains how to enable the Cato Identity Agent for User Awareness and provide the ability to identify users behind a site. The Identity Agent is supported for Windows, macOS, and Linux Clients.
Knowing the user identity is a key component of Zero Trust Network Architecture (ZTNA) - it is essential to identify the user at any point in time, control user access, and monitor user activity. The Identity Agent for User Awareness identifies users behind a Socket, or in Office Mode. It uses the framework of the Cato Client to get the user information and regularly reports this identity to the PoP (about every 30 seconds). Any change in the IP address is immediately detected and reported.
The Client is installed on the device and runs in the background (without establishing a tunnel), and it provides the Cato Cloud with the user identity.
Starting with the following versions, Cato has expanded User Awareness without requiring a ZTNA license. Users can authenticate with the Cato Client while in the office, which creates a Cato token that is used to more accurately identify users for policies and user attribution in DEM and covers all IdPs.
- Cato Client for Windows v5.18 and later
- Cato Client for macOS v5.11 and later
The Client prerequisites and requirements for the Identity Agent are based on which IdP is configured for your account and which Client Version you are using.
| IdP | Windows Client v5.10 to v5.17 | macOS Client v5.6 to v5.10 | Linux Client v5.2 and higher |
|---|---|---|---|
| Entra ID with LDAP, Entra ID with SCIM, Microsoft Intune | Supported | Supported* | Supported* |
| Other IdPs (e.g. Okta) and manually created users | Supported* | Supported* | Supported* |
* Requires an SDP license for each user and one-time initial authentication to the Client.
For more information on how to assign an SDP license, see Assigning ZTNA Licenses to Users.
This is a high-level overview of the process to implement Identity Agent for User Awareness in your account:
- On the Access > Directory Services screen, provision users to your account.
- After provisioning the users and user groups is completed, create rules and policies that include them.
- Install the Client on the devices for the relevant users. Once the user logs in to the device, the Client starts reporting the identity to the Cato Cloud every 30 seconds.
- For Linux Clients, assign SDP licenses to users and user groups. For more information on how to assign SDP licenses, see Assigning ZTNA Licenses to Users.
Users or user groups can be added to policies. After Cato has identified a user, any policies that are configured for that user are enforced both behind a site and remotely.
Note: When using Identity Agent, users behind a site are not matched in WAN rules when they are set as the Destination.
Enable your account to identify the provisioned users with Cato's Identity Agent.
- For devices that use macOS:
  - On macOS Ventura (version 13), after the Client upgrades to the new version, there is a one-time requirement to reboot the device
  - If you delete a user from the Client, their identity is not reported
  - When users are authenticated to the Client, the identity is immediately acquired, and the Identity Agent report timestamp in the Client is not relevant.
- For IdPs other than Entra ID:
  - If you delete a user from the Client, their identity is not reported
  - User Awareness does not identify disabled users