The Identity Support for AD User and Group capabilities and features explained here are not available to all Umbrella packages. If you encounter a feature described here that you do not have access to, contact your sales representative for more information about your current package. See also, Cisco Umbrella Packages.
- How it Helps with On-Premises Identity
- Enabling Identity Support
- Prerequisites for AD Integration
- Enhanced Roaming Client UI
- Reporting and Policy
- What Information is Sent and When?
- Support and Feedback
What is the identity feature of the roaming client (RC) or AnyConnect roaming security module?
Identity support is an enhancement to the Umbrella roaming client or the AnyConnect Umbrella roaming security module that provides Active Directory user and group identity-based policies, in addition to user and private LAN IP reporting.
It does not provide reporting by group, or policy by LAN IP. It does not provide support for AD OUs but does support AD Groups. It is intended to be used as an alternative to, or in conjunction with, the Umbrella virtual appliance and provide insight for devices that have a NAT'd IP address behind a single egress IP. This enables more granular reporting—down to the individual user or device—and the ability to set very specific policies for identities in Umbrella.
The feature is available for all Umbrella roaming computer options:
- Umbrella roaming client for Windows, minimum version 2.1.0
- Umbrella roaming client for macOS, minimum version 2.0.39
- AnyConnect Umbrella roaming module for Windows, minimum version 4.5.01
- AnyConnect Umbrella roaming module for macOS, minimum version 4.5.02
The Identity Support for AD User and Group capability requires an Umbrella Insights or Platform subscription. Information about packages can be found here: https://umbrella.cisco.com/products/packages
In addition to improving off-network visibility and policy granularity, a roaming client or a security module with identity support can be used effectively in on-network scenarios where the Umbrella virtual appliance (VA) is not feasible.
Deploying the Umbrella VA requires that all devices use it as their DNS server while on-network. Some organizations have "DDI" solutions already in place—a DDI is a method for managing IP addresses, and represents an integration of DNS, DHCP, and IPAM into a unified service. Products in this space include Infoblox and Bluecat.
With a DDI in place, pointing all devices to the VA for DNS can be difficult and cause loss of function (identity and granular policy for internal queries). When internal queries (“internal domains”) are conditionally forwarded by the virtual appliance to the DDI solution, these queries will have the source IP of the virtual appliance, thus preventing the DDI solution from detecting which endpoint or user originated the query.
By contrast, the roaming client sends internal domain queries directly to the DDI solution, without the need to go through the virtual appliance. This allows the source IP address to be preserved, and in turn, prevents loss of information or function in the DDI solution.
As of October 2017, to prevent unexpected behavior due to changes in policy enforcement, the identity option for roaming clients is enabled by default for all new accounts; however, it must be manually enabled for accounts created before October 2017.
- Navigate to Deployments > Core Identities > Roaming Computers and click Settings.
- From the General Settings tab, enable Active Directory.
Note: After updating settings, it can take up to 60 minutes for updates to take effect.
- At least one Domain Controller registered to sync AD User/Group data to the Umbrella cloud. This is accomplished by running a script. See Instructions.
- You must have at least one Umbrella AD Connector service installed and running to perform the sync. See Instructions. If the connector is uninstalled, any AD changes will not reflect.
- Logged in users must be part of the domain (user information on non-domain and BYOD devices are not reported to the dashboard).
Note: For macOS devices running Umbrella Roaming Client 2.2.50 or AnyConnect 4.9.01095 (MR1) and higher, Enterprise Connect is supported and there is no need to join the computer to the domain. Older versions of the agent software require that the macOS device be joined to the domain.
Your setup is complete. No additional configuration steps are required.
Unlike the enhanced roaming client UI, there are no UI differences. As a result, an end-user or admin cannot tell if the feature is enabled by looking at the endpoint. In order to test whether it's enabled or not, you must test by creating a user identity-based policy and browsing to a blocked/allowed site.
The roaming client with the identity feature shows additional information in its local interface.
In ‘Protected’ (encrypted or unencrypted) mode, your new roaming client will work with the following identity types in policy:
- Roaming Computer
- AD user
- AD group
It does not support AD Computer or Internal Network identity types.
In ‘Behind VA’, ‘On Protected Network’, and ‘Unprotected’ modes the identity feature will not work. This is consistent with the existing roaming client.
When searching for an active directory user, you will now see their on-network and off-network traffic in the same report, whether they were behind a VA while on-network or roaming off-network. The external IP should be used to differentiate the on-network versus off-network activity if necessary.
Reporting functions similarly to traffic coming from a VA. There are multiple identity types associated with each query, so the dashboard picks the ones it wants to show by default in reports. Typically this is the one that matched the active policy. Searching on the other identity types will surface the same traffic though.
The AD Connector is used to upload the AD directory structure, and sync on changes. The AD Connector’s sync behavior is identical to when it is deployed with a VA. Only one is needed for an organization, not one per site like the VA.
Informational Warnings for the Connector
If no VA is present, the AD Connector will appear in an ‘info’ state, as opposed to the 'active' (green) state that it would be otherwise. These 'info' states are seen in the Dashboard, under Settings > Sites and Active Directory. This is normal, although it can be confusing.
The roaming client sends an encoded version (hash) of the logged in user's ID, thus preventing information leakage if the roaming client is running in unencrypted (transparent) mode. This AD user information is sent if all three of the following conditions are met:
- Identity feature is enabled in your dashboard.
- An AD Connector is present and active.
- There is a single logged on AD user on the endpoint.
Examples of when the AD user ID is sent or not:
- If two users are logged-on, we do not send the user ID for either.
- If a non-AD user is logged-on, we do not send the user ID for them.
- If one AD user is logged-on we will send the user ID, and then if you switch users to another user (AD or otherwise), without logging-out as the first user, we will stop sending the user ID.
Note: The roaming client does not require an active connection to the domain controller or any AD server. It retrieves the user ID locally. Additionally, the roaming client does not utilize logon event and IP mapping like the virtual appliance.
User group (AD security group) information is sent from the AD Connector. The roaming client sends the AD User ID and relies on the cloud to find the correct user group(s). This is the same behavior as the VA.
LAN IP is always sent as long as the identity feature is enabled in your dashboard.
This is always an IPv4 address. Umbrella makes its best effort to determine which network adapter is being used at that moment (for example, a laptop having a wired and wireless connection simultaneously active). If Umbrella is unable to determine which is active, it returns the first non-reserved IP addresses in use by the device.
Important: Policy cannot be set/enforced on the LAN IP returned by the roaming client. The inclusion of LAN IP is only for visibility and reporting purposes. By comparison, only with a VA and a ‘site’ and an ‘internal network’ identity can policy be enforced on LAN IP.
The (non-AD) device ID is always sent. There is no change from the existing roaming client behavior as represented by the Roaming Computer identity.
IP Layer Enforcement Policy Caveat
The decision to enable/disable IP layer enforcement is determined by the policy in the dashboard where the Roaming Computer identity is found. This is consistent with the behavior of the Umbrella roaming client without the identity feature.
Updated about a month ago