Sometimes it is more convenient for client users if they can be authenticated to cOS Core automatically instead of being asked to type in username and password credentials every time they wish to access certain resources. The cOS Core User Identity Awareness (UIA) feature allows this to happen by receiving user authentication information from Windows domain servers.
There are two separate components involved in the identity awareness feature:
The Identity Awareness Agent (IDA), which is a separate piece of Clavister software, runs on one or more Windows domain servers in the Active Directory, sending authenticated client information to cOS Core. The IDA can run on either a domain controller or a domain member. Installation of the IDA software on multiple servers will provide redundancy.
Note that installation and management of the IDA software that runs on Windows servers is described in the separate document entitled the Identity Awareness Administration Guide.
The authentication process that takes place in cOS Core as clients try to access resources through the firewall. This process uses the information sent by the Identity Awareness Agent.
The overall relationship between client, server and Clavister firewall is shown in the diagram below.
Event Flow During Authentication
The flow of events with the identity awareness feature is as follows:
A user of a Windows based client computer logs in.
The user is authenticated against a Windows Active Directory server.
The Clavister Identity Awareness Agent (IDA) is running on at least one server in the domain. This software listens for successful client authentications. When a client is authenticated, the agent sends the following to the configured Clavister firewall:
The user's IP address is now authenticated to cOS Core and connections coming from that IP are permitted through the firewall if an IP rule set entry is defined to allow it.
A client attempts to open a connection through cOS Core.
An IP rule set entry is triggered that could allow this connection.
The source network address object for the triggered entry has an associated authentication list of allowed usernames and groups. If the client is part of this list, the connection can be established.
The IP rule set entry that is created for authentication has the dual purpose of identifying and allowing the connection as well as triggering the authentication process. Address translation could also be applied.
Note: IDA is not aware of cOS Core authentication
The purpose of the IDA service is to send details of authentication events to cOS Core. This communication is one way and the IDA service is not aware of the authentications being carried out by cOS Core and does not display this information in its interface.
To set up identity awareness, the following steps are required:
Install and configure the Identity Awareness Agent (IDA) software on one or more domain servers. The servers can be either a domain controller or a domain member. Installation on a single server is sufficient but installation on multiple servers will provide redundancy.
Note that the details of both the installation and management of the IDA software are described in the separate Identity Awareness Administration Guide. The IDA software is not supplied with cOS Core but is downloaded as a separate software installation package from the Clavister website. It has its own version numbering system and new versions with new features may be released at any time.
Configure an Authentication Agent object in cOS Core which has IP Address and Pre-shared Key properties that correspond to the ones used by the agents installed on the domain servers. A separate Authentication Agent object should be created for each server in the domain which has the IDA software installed.
The Pre-shared Key property is the encryption key used for communication with the IDA. If it is not specified, it defaults to the value of the predefined PSK object called auth_agent_psk, which is also the default key value used by the IDA. However, the default key is the same across all cOS Core systems and should be used for testing purposes only. It is therefore recommended to change the default key, and the new key should be specified as a 256-bit hexadecimal value.
An IP rule set entry is not needed in cOS Core to allow the traffic coming from the agent.
Configure a User Group object that specifies the usernames and/or groups which are allowed to create connections. Usernames must be specified in the format username@domain, for example myusername@example.com. If this format with the @ symbol is not used and a simple string is used instead, for example myusername, then the string will be treated as a group name.
Important: Use underscore instead of space in group names
Group names must not contain spaces in cOS Core. The group name on the domain controller server can contain spaces but these must be replaced by the underscore character "_" when the group name is specified in cOS Core.
Specify an entry in the cOS Core IP rule set that triggers on the client connections to be authenticated and allows them to be opened. The source User Group filter for this policy must be the User Group object specified in the previous step.
It is the triggering of the IP rule set entry that triggers the authentication process.
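The two naming rules above (a member containing @ is a username, anything else is a group, and group names must use underscores instead of the spaces Active Directory allows) together with the requirement for a 256-bit hexadecimal pre-shared key are easy to get wrong when the User Group members are copied from a domain controller. The following Python helper is an added example, not part of this guide or of Clavister's software: it checks a candidate PSK for the 256-bit hexadecimal form, normalizes a list of Active Directory user and group names into the form cOS Core expects, and assembles the `add UserGroup` command in the syntax shown in the CLI example later in this section. The rejection of commas inside a member name is an assumption based on the comma-separated Members= list, and the names in the sample are constructed.

```python
import re
import secrets

# Assumption: a 256-bit key written in hexadecimal is exactly 64 hex digits.
PSK_HEX_LEN = 64
_HEX_RE = re.compile(r"^[0-9A-Fa-f]{64}$")


def generate_psk_hex() -> str:
    """Return a fresh random 256-bit key as 64 lowercase hex digits,
    suitable for replacing the shared default key used for testing."""
    return secrets.token_hex(PSK_HEX_LEN // 2)


def is_valid_psk_hex(key: str) -> bool:
    """True only if key is a 256-bit value written in hexadecimal."""
    return bool(_HEX_RE.match(key.strip()))


def normalize_member(entry: str) -> str:
    """Convert one Active Directory user or group name into cOS Core form.

    - An entry containing '@' is a username in the form username@domain
      and is kept as-is; it must not contain spaces.
    - Any other entry is a group name; spaces become underscores.
    Commas are rejected because Members= is a comma-separated list
    (assumption based on the command syntax, not a documented rule).
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty member entry")
    if "," in entry:
        raise ValueError(f"member name must not contain a comma: {entry!r}")
    if "@" in entry:
        user, _, domain = entry.partition("@")
        if not user or not domain or " " in entry:
            raise ValueError(f"malformed username: {entry!r}")
        return entry
    return entry.replace(" ", "_")


def build_usergroup_command(name: str, entries) -> str:
    """Assemble the 'add UserGroup <name> Members=...' CLI line."""
    members = [normalize_member(e) for e in entries]
    return f"add UserGroup {name} Members={','.join(members)}"


if __name__ == "__main__":
    # Constructed sample: one user plus an AD group whose name contains a space.
    sample = ["user1@mydomain", "Sales Staff"]
    print(build_usergroup_command("MyGroup", sample))
    print("new PSK:", generate_psk_hex())
```

The command string the helper produces is meant to be pasted at the Device:/> prompt; the PSK value itself still has to be stored in a PSK object before it is referenced by the Authentication Agent object.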
Example 10.8. Enabling User Identity Awareness
This example assumes that there are external clients on a network client_net connected to the If1 interface. These clients will want HTTP access to hosts on a network server_net on the If2 interface.
Client connections will be authenticated using the identity awareness feature. The only usernames that will be allowed are user1@mydomain and user2@mydomain.
It is also assumed that the Clavister Authentication Agent software has already been installed on a single external Windows domain server and is configured with the IPv4 address defined by the address book object aa_server_ip and the pre-shared key defined by the aa_server_key PSK object.
It is assumed that the domain has only one server.
Command-Line Interface
Define an Authentication Agent object that describes the external server:
Device:/> add AuthAgent IPAddress=aa_server_ip
          PSK=aa_server_key
          Name=my_auth_agent
Define a User Group object and assign the permitted usernames as members:
Device:/> add UserGroup MyGroup
          Members=user1@mydomain,user2@mydomain
Create an IP Policy which allows access and uses the User Group MyGroup.
Device:/> add IPPolicy Name=client_to_server
          Action=Allow
          SourceInterface=If1
          SourceNetwork=client_net
          DestinationInterface=If2
          DestinationNetwork=server_net
          Service=http-all
          SourceUserGroup=MyGroup
InControl
Follow similar steps to those used for the Web Interface below.
Web Interface
Define the Authentication Agent object that describes the external server:
Create the User Group object with the permitted usernames as User Auth Group members:
Create an IP Policy which allows access to the servers by the clients and uses the MyGroup object as the source User Group.
Note that in this example, individual usernames are used in the User Auth object to specify which users can be authenticated. As discussed earlier in this section, a group name could have been used instead. The combination of usernames and groups is supported.
The administrator can ask cOS Core to show details of identity awareness activity.
In the Web Interface, the administrator can go to Status > Run-time Information > Authentication Agents to see that the IDA service is connected to cOS Core. In the CLI, the same can be achieved with the command:
Device:/> authagent
As users are authenticated, they can be seen in the Web Interface by going to Status > Run-time Information > User Authentication. In the CLI, the same can be achieved with the command:
Device:/> userauth -list
In order to switch on console monitoring of the communication taking place between cOS Core and the IDA service on the domain server, use the command:
Device:/> authagentsnoop <agent-name>
Entering the following command will terminate all snooping:
Device:/> authagentsnoop none
The options for all the above CLI commands are listed in the separate cOS Core CLI Reference Guide.