• Visibility about the attack
• Visibility about user, machine and OS
R80.x
adlog Login
Management
• Identity Collector subscribes to the Security Events on the Active Directory Server
– Login Events are learned via the Microsoft API
– A userID with event log reader rights is sufficient to subscribe to the service
– Up to 35 AD Logon Servers can be configured, supporting up to 1900 login events/second

• Login Events are forwarded to the PDP
– The PDP performs an LDAP group membership query
– Once completed, an Identity Session is created
– Identity Sessions are shared

[Diagram: Identity Collector deployment - Active Directory Logon Server 1 (Site 1) and Logon Server 2 (Site 2), Identity Collector, Cisco ISE (Identity Services Engine), PDP and PEPs within the Management Domain, with applications App2 and App3. Login Events flow to the PDP (PDP learning Login Events), the PDP sends LDAP Queries to Active Directory for group membership, and the Identity Session, in the form "user@machine@ip", is shared to the PEP(s). This supports users and machines roaming between network segments.]
Identities learned via ID Agent take precedence over those learned by ID Collector or AD Query.

[Diagram: Identity Agent flow - the user performs authentication against the AD Logon Server; the PDP performs Group Membership Queries.]

MUH (Multi-User Host) agent table (up to 5 MUH agents per PDP):
user1 <> src port range1
user2 <> src port range2

MUH2 agent table (up to 50 MUH2 agents per PDP):
user1 <> ID range1
user2 <> ID range2
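The two rules above, the precedence of agent-learned identities over collector/AD Query identities and the per-user source-port ranges on a multi-user host, can be seen together in a small model of a PDP session table and a PEP that consults it. This is an added illustration, not Check Point code: the class names, the numeric precedence ranks, the in-memory "directory" standing in for LDAP, and the sample users, IPs and port ranges are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Precedence among learning sources; a lower rank wins. The slide states only
# that Identity Agent identities take precedence over Identity Collector and
# AD Query identities; the numeric ranks are an assumption of this example.
SOURCE_RANK = {"agent": 0, "collector": 1, "ad_query": 1}


@dataclass
class IdentitySession:
    user: str
    machine: str
    ip: str
    source: str                          # "agent", "collector" or "ad_query"
    groups: frozenset = frozenset()      # filled by the PDP's group query
    port_range: Optional[tuple] = None   # MUH only: (low, high) source ports

    def key(self) -> str:
        # Session identifier in the "user@machine@ip" form shown on the slide
        return f"{self.user}@{self.machine}@{self.ip}"


class PDP:
    """Creates identity sessions and answers lookups from PEPs (toy model)."""

    def __init__(self, directory: dict):
        self.directory = directory     # constructed stand-in for LDAP group data
        self.sessions: dict[str, list[IdentitySession]] = {}

    def learn(self, s: IdentitySession) -> IdentitySession:
        # Group membership is resolved once, when the session is created.
        s.groups = frozenset(self.directory.get(s.user, ()))
        per_ip = self.sessions.setdefault(s.ip, [])
        if s.port_range is not None:
            # MUH: several users share one IP, each owning a source-port range.
            per_ip[:] = [o for o in per_ip if o.port_range != s.port_range]
            per_ip.append(s)
            return s
        if per_ip and per_ip[0].port_range is None:
            current = per_ip[0]
            if SOURCE_RANK[s.source] > SOURCE_RANK[current.source]:
                return current         # a weaker source never overrides
        per_ip[:] = [s]                # single-user host: one identity per IP
        return s

    def resolve(self, ip: str, src_port: int) -> Optional[IdentitySession]:
        for s in self.sessions.get(ip, []):
            if s.port_range is None:
                return s
            low, high = s.port_range
            if low <= src_port <= high:
                return s
        return None


class PEP:
    """Enforces an Access Role (here: a set of allowed groups) via the PDP."""

    def __init__(self, pdp: PDP, access_role_groups: set):
        self.pdp = pdp
        self.role = access_role_groups

    def allow(self, ip: str, src_port: int) -> bool:
        s = self.pdp.resolve(ip, src_port)
        return s is not None and bool(s.groups & self.role)


def demo() -> dict:
    # Constructed sample data: a group directory and a few login events.
    pdp = PDP({"alice": {"Engineering"}, "bob": {"Finance"},
               "carol": {"Engineering"}})
    pep = PEP(pdp, {"Engineering"})

    # Single-user host: the collector learns alice, then the agent reports bob
    # on the same IP; the agent-learned identity wins, and a later collector
    # event for that IP cannot displace it.
    pdp.learn(IdentitySession("alice", "ws01", "10.0.0.5", "collector"))
    pdp.learn(IdentitySession("bob", "ws01", "10.0.0.5", "agent"))
    pdp.learn(IdentitySession("alice", "ws01", "10.0.0.5", "collector"))

    # MUH: two users on one terminal server, told apart by source-port range.
    pdp.learn(IdentitySession("alice", "ts01", "10.0.0.9", "agent",
                              port_range=(20000, 29999)))
    pdp.learn(IdentitySession("carol", "ts01", "10.0.0.9", "agent",
                              port_range=(30000, 39999)))

    return {
        "ws01_user": pdp.resolve("10.0.0.5", 44444).user,
        "ws01_allowed": pep.allow("10.0.0.5", 44444),
        "ts01_port_25000": pdp.resolve("10.0.0.9", 25000).user,
        "ts01_port_35000_allowed": pep.allow("10.0.0.9", 35000),
        "ts01_port_45000": pdp.resolve("10.0.0.9", 45000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the MUH branch is that a connection from the shared IP is attributed by its source port, so a port outside every learned range resolves to no identity and the PEP denies it rather than guessing; the single-user branch shows why the precedence rule matters, since without it a late collector event could silently replace the stronger agent-learned identity.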
• Users authenticate against the Active Directory and KERBEROS tickets are issued
• The browser presents the ticket to the PDP instance, which verifies this ticket
• If verification is successful, access is provided
– The Captive Portal allows users to perform a manual logon to the gateway: http://<PDP>/connect

[Diagram: Captive Portal and transparent authentication - the user performs authentication against the AD Logon Server; KERBEROS tickets can be intercepted by the PDP to achieve transparent authentication.]
• The security is enforced using an Access Role object in the rule base
• Make sure the Identity Role is learned for the given user:

[Expert@gwr8010:0]# pep sh us que usr eng1
Command: root->show->user->query

pdp monitor user <usr>
pep show user query usr <usr>
| Method                 | Identity sources                                | Scale         | Deployment                | Load on DCs & GWs | Identities learned |
|------------------------|-------------------------------------------------|---------------|---------------------------|-------------------|--------------------|
| Active Directory Query | Active Directory Domain Controllers             | Limited scale | Clientless, easy to apply | High on DCs & GWs | User & machine     |
| Identity Collector     | Active Directory, Cisco ISE, Syslog, eDirectory | High scale    | Clientless, easy to apply | Low on DCs & GWs  | User & machine     |