Cato Networks Knowledge Base

Using Identity Agents for User Awareness

This article explains how to enable the Cato Identity Agent for User Awareness so that users behind a site can be identified.

Overview of Identity Agent Based User Awareness

Knowing the user identity is a key component of Zero Trust Network Architecture (ZTNA) - it is essential to identify the user at any point in time, control user access, and monitor user activity. The Identity Agent for User Awareness identifies Windows users behind a Socket, or in Office Mode. It uses the framework of the Cato SDP Client to get the user information and regularly reports this identity to the PoP (about every 30 seconds). Any change in the IP address is immediately detected and reported.

The Client is installed on the device and runs in the background without establishing a tunnel; it reports the user identity to the Cato Cloud, and no action is required by the user.

Gradually Migrating to Identity Agent

For accounts that are currently using Cato's LDAP and WMI based User Awareness solution, you can gradually migrate to the Identity Agent based solution, and use both of these solutions at the same time.

If a user has the Identity Agent installed on the device, and is also defined in the LDAP server, then the identity from the Identity Agent takes precedence.
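As an added illustration (not Cato's code, and not the product's actual algorithm), the following hypothetical Python model applies the precedence rule above and the roughly 30-second reporting cadence from the overview to a constructed log of identity reports: a fresh Identity Agent report wins over an LDAP/WMI one, an agent report that has missed two intervals is treated as stale, and per-user IP changes are listed for audit. The report format, field names and the staleness threshold are all assumptions.

```python
from dataclasses import dataclass

AGENT_REPORT_INTERVAL_S = 30  # the agent reports about every 30 s (from the article)
AGENT_STALE_AFTER_S = 2 * AGENT_REPORT_INTERVAL_S  # assumption: two missed reports = stale


@dataclass(frozen=True)
class IdentityReport:
    source: str  # "agent" (Identity Agent) or "ldap" (LDAP/WMI based User Awareness)
    ip: str
    user: str
    ts: float    # epoch seconds at which the PoP received the report (assumed field)


def resolve_user(reports, ip, now):
    """Return (user, source) currently bound to `ip`, or None.

    A fresh Identity Agent report takes precedence over the LDAP/WMI identity,
    as the article states; agent reports older than AGENT_STALE_AFTER_S are
    ignored (assumption), so the mapping falls back to LDAP/WMI if the agent
    goes quiet.
    """
    for source in ("agent", "ldap"):
        cands = [r for r in reports if r.ip == ip and r.source == source]
        if source == "agent":
            cands = [r for r in cands if now - r.ts <= AGENT_STALE_AFTER_S]
        if cands:
            return max(cands, key=lambda r: r.ts).user, source
    return None


def ip_changes(reports):
    """List (user, old_ip, new_ip) each time a user's agent-reported IP changes
    (the article says an IP change is reported immediately); useful for audit."""
    last, events = {}, []
    for r in sorted((r for r in reports if r.source == "agent"), key=lambda r: r.ts):
        prev = last.get(r.user)
        if prev is not None and prev != r.ip:
            events.append((r.user, prev, r.ip))
        last[r.user] = r.ip
    return events


# Constructed sample report log (not real data).
SAMPLE = [
    IdentityReport("ldap", "10.0.0.5", "alice", 0.0),
    IdentityReport("agent", "10.0.0.5", "alice", 10.0),
    IdentityReport("agent", "10.0.0.5", "alice", 40.0),
    IdentityReport("agent", "10.0.0.9", "alice", 70.0),  # alice moved to a new IP
    IdentityReport("ldap", "10.0.0.5", "bob", 75.0),     # LDAP/WMI now sees bob on the old IP
]
```

With the sample log, 10.0.0.5 resolves to alice via the agent at t=50 but to bob via LDAP at t=130, once the last agent report has gone stale.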

Prerequisites

  • Cato Client requirements:

    • Supported from Windows Client v5.4 and higher

    • No SDP licenses are required for the users and the Client doesn't need to connect to the network

  • User provisioning to your Cato account is performed with LDAP:

    • LDAP sync is supported for Azure Active Directory Domain Service (Azure AD DS) and for on-premise AD

    • AD joined or Azure AD joined users are supported

Overview of Implementing Cato's Identity Agent for User Awareness Solution

This is a high-level overview of the process to implement Identity Agent for User Awareness in your account:

  1. Provision User Awareness users to your account over LDAP using the Cato Management Application (Access > Directory Services > LDAP).

  2. After the LDAP sync is completed, create rules and policies that include these User Awareness users or groups.

  3. Install the Client on the devices for the relevant users. Once the user logs in to the device, the Client starts reporting the identity to the Cato Cloud every 30 seconds.

Enabling the Identity Agent for User Awareness

Enable your account to identify the LDAP provisioned users with Cato's Identity Agent.

To enable the identity agent:

  1. From the navigation menu, select Access > User Awareness.

  2. Select the Identity Agent section.

  3. Enable the identity agent for your account.

    The toggle is green when enabled.

  4. Click Save.

Synchronizing the Domain for User Awareness

Define which AD groups for the domain are synchronized to your Cato account for User Awareness. You can also choose whether to automatically sync the AD every day, or only manually perform the sync. The synchronization settings for User Awareness must be the same for all the domains in your account.

When AD groups or users are removed from the domain, they are disabled in your account unless they are used in rules or groups. For more about the synchronization settings for Directory Services, see Overview of Directory Services and User Awareness.

Defining the Active Directory Groups for User Awareness

Select the AD groups in the domain that contain the users which are synchronized for User Awareness, and define the daily sync settings for them.

The users are only synced to your Cato account if a Real-Time Domain Controller is configured, or Identity Agent is enabled (Access > User Awareness > Identity Agent).

To define the AD groups that are synchronized with User Awareness:

  1. From the navigation menu, click Access > Directory Services.

  2. Select the LDAP tab or section, and click the domain.

    The panel opens.

  3. From the panel navigation menu, select User Groups.

  4. In AD Groups for User Awareness, from the Select User Awareness Groups drop-down menu, select the AD groups for User Awareness.

    Note: If no groups are selected, then all the AD groups are imported for User Awareness.

  5. To automatically sync the User Awareness groups, enable Daily sync User Awareness Groups.

  6. Click Apply, and then click Save.

Working with Users in Policies for Your Account

You can add users to policies in the Cato Management Application, such as firewall or network rules. Users are individuals who are identified with User Awareness and who aren't using the Client to connect to the network over an encrypted tunnel. Users don't require an SDP license to be identified with User Awareness.

SDP Users use the Cato Client to connect to the network, and require an SDP license.

For example, the User Awareness user catoHost can be added to a firewall rule.

Known Limitations

  • User Awareness Agent doesn't support multiple users that are simultaneously logged in to a Windows device

    • When a user is logged in to Windows, and a different user logs in to the device (Start menu > Switch user), both users are currently logged in to the device. The agent identifies only one of the users for this device.

    • When a user logs out of the Windows device, and a second user logs in, then the agent identifies the second user for this device.

  • When SDP users are authenticated to the Client, the identity is immediately acquired, and the Identity Agent report timestamp in the Client is not relevant
