Cato Networks Knowledge Base

Using Cato Identity Agents for User Awareness


This article explains how to enable the Cato Identity Agent for User Awareness so that users behind a site can be identified. The Identity Agent is supported for Windows and macOS Clients.

Overview of Identity Agent Based User Awareness

Knowing the user identity is a key component of Zero Trust Network Architecture (ZTNA) - it is essential to identify the user at any point in time, control user access, and monitor user activity. The Identity Agent for User Awareness identifies users behind a Socket, or in Office Mode. It uses the framework of the Cato SDP Client to get the user information and regularly reports this identity to the PoP (about every 30 seconds). Any change in the IP address is immediately detected and reported.

The Client is installed on the device and runs in the background without establishing a tunnel; it provides the Cato Cloud with the user identity.

Prerequisites

The Client prerequisites and requirements for the Identity Agent are based on which IdP is configured for your account.

  • Microsoft Active Directory (AD) including on-premise AD with LDAP, Azure AD with SCIM, Azure AD Domain Services with LDAP:

    • Windows Client v5.4 and higher

      • No SDP licenses are required for the users and the Client doesn't need to connect to the network

      • AD joined or Azure AD joined users are supported

    • macOS Client v5.3 and higher

      • Requires SDP license for each user (one-time initial authentication to the Client)

      • When the Client is behind a Socket, it doesn't need to connect to the network

  • Other IdPs, such as Okta:

    • Windows Client v5.5, macOS v5.3 and higher

    • Requires SDP license for each user

    • One-time initial authentication to the Client

    • When the Client is behind a Socket, it doesn't need to connect to the network

Overview of Implementing Cato's Identity Agent for User Awareness Solution

This is a high-level overview of the process to implement Identity Agent for User Awareness in your account:

  1. On the Access > Directory Services screen, provision users to your account over SCIM or LDAP.

  2. After the users and user groups are provisioned, create rules and policies that include them.

  3. Install the Client on the devices for the relevant users. Once the user logs in to the device, the Client starts reporting the identity to the Cato Cloud every 30 seconds.

  4. Assign SDP licenses to users and user groups.

Working with Users in Policies for Your Account

You can add users to policies in the Cato Management Application, such as firewall or network rules.

  • Users refer to individuals that are identified with User Awareness, and aren't using the Client to connect to the network over an encrypted tunnel.

  • SDP Users use the Cato Client to connect to the network, and require an SDP license.

We recommend that you use user groups in the various Security and Network policies. When using a user group, the policy will apply to users connecting behind the Socket or remotely with the Client.

If you need to create policies for specific users (and not for user groups), make sure to include the items for the user and the SDP user as the Source for the rule. This makes sure that the policies always apply to that person no matter where they are connecting from.
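The Source-matching point above, as a constructed model added here (not Cato's code or API; the item types "user", "sdp_user" and "user_group" and the first-match evaluation are assumptions for illustration): the same person is evaluated once as identified by the Identity Agent behind a Socket and once as a remote SDP user, so a rule that lists only the SDP user misses the Socket case, while a group item or both items cover both.

```python
# Constructed model (not Cato's code or API) of how a rule's Source items
# match a person depending on how the PoP learned their identity.
from dataclasses import dataclass

# Assumed identity kinds:
#   "user"     -> identified by User Awareness (Identity Agent behind a Socket)
#   "sdp_user" -> connected remotely through the Client tunnel (SDP license)

@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                       # "user" or "sdp_user"
    groups: frozenset = frozenset()

@dataclass
class Rule:
    name: str
    sources: list                   # (item_type, value) tuples in the rule's Source
    action: str = "Allow"

def rule_matches(rule: Rule, ident: Identity) -> bool:
    """True if any Source item in the rule applies to this identity."""
    for item_type, value in rule.sources:
        if item_type == "user_group" and value in ident.groups:
            return True             # a group item covers both identity kinds
        if item_type == ident.kind and value == ident.name:
            return True             # a user / SDP-user item covers only its own kind
    return False

def evaluate(rules, ident: Identity, default: str = "Block") -> str:
    """First-match evaluation; returns 'rule-name:action' or the default."""
    for rule in rules:
        if rule_matches(rule, ident):
            return f"{rule.name}:{rule.action}"
    return f"default:{default}"

# Constructed sample: the same person, identified two different ways.
ALICE_BEHIND_SOCKET = Identity("alice", "user", frozenset({"finance"}))
ALICE_REMOTE = Identity("alice", "sdp_user", frozenset({"finance"}))

RULE_GROUP = Rule("finance-allow", [("user_group", "finance")])
RULE_SDP_ONLY = Rule("alice-sdp-only", [("sdp_user", "alice")])
RULE_BOTH = Rule("alice-both", [("user", "alice"), ("sdp_user", "alice")])

if __name__ == "__main__":
    for ident in (ALICE_BEHIND_SOCKET, ALICE_REMOTE):
        print(ident.kind, evaluate([RULE_SDP_ONLY], ident),
              evaluate([RULE_BOTH], ident), evaluate([RULE_GROUP], ident))
```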

Enabling the Identity Agent for User Awareness

Enable your account to identify the provisioned users with Cato's Identity Agent.


To enable the identity agent:

  1. From the navigation menu, select Access > User Awareness.

  2. Select the Identity Agent section.

  3. Enable the identity agent for your account.

    The toggle is green when enabled.

  4. Click Save.

Assigning SDP Licenses - SCIM Provisioning

In the IdP, define the groups and users that are synced to your Cato account. After the initial sync is completed, all users are then created in the Cato Management Application.

For accounts that have SDP users and User Awareness users, define the user groups and SDP users that are assigned an SDP license. All other user groups and users can use the Client as an Identity Agent, but not for remote access.

You can choose how SDP licenses are assigned in your account:

  • Assign SDP license to all users provisioned from the IdP

  • Select specific user groups and users that are assigned SDP licenses


To assign licenses to specific SDP users and groups:

  1. In the Cato Management Application, from the navigation menu select Access > Directory Services and click the SCIM tab.

  2. Click Apply SDP license to selected group.

  3. From the drop-down menu, select User Group or SDP User, and then add the items that you are assigning an SDP license to.

  4. Click Save.

Assigning SDP License - Directory Services (LDAP)

Configure the domain settings that define which AD groups are synchronized for User Awareness and are assigned SDP licenses. For more information, see Adding User Awareness to Directory Services.

Synchronizing the Domain for User Awareness

Define which AD groups for the domain are synchronized to your Cato account for User Awareness. You can also choose whether to automatically sync the AD every day, or only manually perform the sync. The synchronization settings for User Awareness must be the same for all the domains in your account.

When AD groups or users are removed from the domain, they are disabled in your account unless they are used in rules or groups. For more about the synchronization settings for Directory Services, see Configuring Directory Services in the Cato Management Application.

Defining the Active Directory Groups for User Awareness

Select the AD groups in the domain that contain the users which are synchronized for User Awareness, and define the daily sync settings for them.

The users are only synced to your Cato account if a Real-Time Domain Controller is configured, or Identity Agent is enabled (Access > User Awareness > Identity Agent).

The sAMAccountName attribute is used for the name of the User Group in the Cato Management Application.

To define the AD groups that are synchronized with User Awareness:

  1. From the navigation menu, click Access > Directory Services.

  2. Select the LDAP tab or section, and click the domain.

    The panel opens.

  3. From the panel navigation menu, select User Groups.

  4. In AD Groups for User Awareness, from the Select User Awareness Groups drop-down menu, select the AD groups for User Awareness.

    Note: If no groups are selected, then all the AD groups are imported for User Awareness.

  5. To automatically sync the User Awareness groups, enable Daily sync User Awareness Groups.

  6. Click Apply, and then click Save.

Known Limitations

  • User Awareness is only supported for provisioned users. Users created manually in the Cato Management Application don't report their identity

  • LDAP provisioning with Okta, OneLogin, JumpCloud is not supported

  • For devices that use macOS:

    • On macOS Ventura (version 13), after the Client upgrades to the new version there’s a one-time requirement to reboot the device

    • If you delete an SDP user from the Client, their identity is not reported

  • For SDP users provisioned with Azure AD SCIM:

    • SDP users authenticating with on-prem Azure AD require an SDP license to be identified by the identity agent

  • For Windows Client v5.5 and earlier, the User Awareness Agent doesn't support multiple users that are simultaneously logged in to a Windows device

    • When a user is logged in to Windows, and a different user logs in to the device (Start menu > Switch user), both users are currently logged in to the device. The agent identifies only one of the users for this device

    • When a user logs out of the Windows device, and a second user logs in, then the agent identifies the second user for this device

  • When SDP users are authenticated to the Client, the identity is immediately acquired, and the Identity Agent report timestamp in the Client is not relevant.

  • For IdPs other than Azure AD:

    • If you delete an SDP user from the Client, their identity is not reported
