Understanding the Device Identity Authentication Table on NFX Devices

The NFX Series device contains a number of local authentication tables used for user authentication for various purposes. For example, the device contains a local Active Directory authentication table for user authentication when Microsoft Windows Active Directory is used as the authentication source.

When you configure the device to use the integrated user firewall device identity authentication feature for authentication based on the device identity and its attributes, the device creates a new table called the device identity authentication table.

To gain a complete view of the device identity authentication feature, it helps to understand this table, its contents, and its relationship to other entities.

The Device Identity Authentication Table

Unlike other local authentication tables, the device identity authentication table does not contain information about a user but rather about the user’s device. Moreover, unlike user authentication tables, it does not contain information about devices authenticated by one authentication source. Rather, it serves as a repository for device identity information for all devices regardless of their authentication source. For example, it might contain entries for devices authenticated by Active Directory or third-party NAC authentication sources.

A device identity authentication table entry contains the following parts:

  • The IP address of the device.

  • The name of the domain that the device belongs to.

  • The groups with which the device is associated.

  • The device identity.

    The device identity is actually that of a device identity profile (referred to in the CLI as end-user-profile). This type of profile contains a group of attributes that characterize a specific individual device or a specific group of devices, for example, a specific type of laptop.

IPv6 addresses are supported for the following authentication sources:

  • Active directory authentication table

  • Device identity with Active Directory authentication

  • Local authentication table

Why the Device Identity Authentication Table Content Changes

The device identity entries in the device identity authentication table change when certain events occur: when the user authentication entry with which a device identity entry is associated expires; when a security policy change affects whether a group that the device belongs to is referenced; or when the device is added to or removed from groups, or a group it belongs to is deleted, and that change is made on the Windows Active Directory LDAP server.

  • When the User Identity Entry with Which a Device Identity Entry Is Associated Expires

    When the device generates an entry for a device in the device identity authentication table, it associates that entry with a user identity entry in a local authentication table for the specific authentication source that authenticated the user of the device, such as Active Directory. That is, it ties the device identity entry in the device identity authentication table to the entry for the user of the device in the user authentication table.

    When the user authentication entry with which the device identity entry is associated expires and is deleted from the user authentication table, the device identity entry is deleted silently from the device identity authentication table. That is, no message is issued to inform you of this event.

  • When Security Policy Changes Occur in Regard to Referencing a Group to Which the Device Belongs

    To control access to network resources based on device identity, you create a device identity profile that you can refer to in a security policy. In addition to other attributes, a device identity profile contains the names of groups. When a device identity profile is referenced by a security policy, the groups that it contains are referred to as interested groups.

    A group qualifies as an interested group if it is referenced by a security policy—that is, if it is included in a device identity profile that is specified in the source-end-user-device field of a security policy. If a group is included in a device identity profile that is not currently used in a security policy, it is not included in the list of interested groups. A group can move in and out of the list of groups referenced by security policies.

  • When a Device Is Added to or Removed from a Group or a Group Is Deleted

    To keep the device identity entries in the local device identity authentication table current, the SRX Series monitors the Active Directory event log for changes. In addition to determining whether a device has logged out of or in to the network, it can determine changes to any groups that the device might belong to. When changes occur to the groups that a device belongs to—that is, when a device is added to or removed from a group or the group is deleted—the device modifies the contents of the affected device entries in its own device identity authentication table to reflect the changes made in the Microsoft Windows Active Directory LDAP server.

The device identity authentication table is updated according to changes to groups with which the device is associated in the LDAP server, as illustrated in Table 1.

Table 1: Group Changes for Devices in the Active Directory LDAP and the Response

| Changes Made to LDAP | LDAP Message and UserID Daemon Action |
|---|---|
| Group information for a device has changed. The device has been added to or removed from a group, or a group that the device belongs to has been deleted. | The Active Directory LDAP module sends notification of the change to the UserID daemon, directing it to revise information in its local device identity authentication table. The device processes these messages every 2 minutes. |
| The device entry in LDAP is deleted. | The Active Directory LDAP module sends notification of the change to the UserID daemon, directing it to revise information in its local device identity authentication table. The device processes these messages every 2 minutes. |

The UserID daemon is informed of the changes. Whether or not a group that a device belongs to is specified in a security policy has bearing on what information is stored in device identity authentication table entries for the affected device. Table 2 shows the activity that occurs when a group is added to or deleted from the Active Directory LDAP.

Table 2: Changes to Device Identity Entries Based on Security Policy Specifications

| Device Identity Profile Changes | Device-Group Mapping Behavior | SRX Series UserID Daemon Response |
|---|---|---|
| A new group that was added to the Active Directory LDAP is added to the device identity profile. | The device gets the list of devices that belong to the new group and its subgroups from the Active Directory LDAP server. It adds the list to its local LDAP directory. | The UserID daemon determines whether the device identity authentication table includes entries for the set of affected devices. If so, it updates the group information for these entries. For example, the entry for device1 before it was updated to include the new group is "device1, g1"; after the group was added it is "device1, g1, g2". |
| A group is deleted from the Active Directory LDAP. The device deletes the group from the device identity profile. | The device gets the list of devices that belong to the deleted group from its local LDAP database. It deletes the device-group mapping from the local LDAP directory. | The UserID daemon checks the device identity authentication table for entries that belong to the group. It removes the group from affected entries. For example, the entry for device1 before the group was deleted is "device1, g1, g2"; after the group was deleted it is "device1, g1". |

Table 3 elaborates on the contents of device authentication entries for several devices that are affected by deletion of a group.

Table 3: Changes to Device Identity Authentication Table Resulting from LDAP and Security Policy Changes

Changes to Device Identity Authentication Table Entries

Original Entries

| IP Address | Device Information | Group |
|---|---|---|
| 192.0.2.10 | device1 | group1, group2 |
| 192.0.2.11 | device2 | group3, group4 |
| 192.0.2.12 | device3 | group2 |

Same Entries After group2 Is Deleted

| IP Address | Device Information | Group |
|---|---|---|
| 192.0.2.10 | device1 | group1 |
| 192.0.2.11 | device2 | group3, group4 |
| 192.0.2.12 | device3 | This entry no longer contains groups. |
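The table maintenance described in this section (silent deletion when the associated user entry expires, the two rows of Table 2, the group deletion replayed in Table 3, and the notion of interested groups) can be modelled compactly. The following is an added example written for this page, not Juniper code and not the UserID daemon's implementation. The class and method names, the local group map, and the sample values (the domain example.com, the profile name laptops, the user entry identifiers) are constructed assumptions; only the behaviour follows the page.

```python
"""Model of how the device identity authentication table changes.

Added example, not Juniper code. Names, data layout and the local group map are
assumptions for illustration; the behaviour follows the documentation: device
entries are tied to a user authentication entry and disappear silently when it
expires; a group newly added to a profile is learned from AD and added to its
members' entries; a deleted group is removed from every affected entry.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class DeviceIdentityEntry:
    ip: str
    domain: str
    groups: Set[str]
    device_identity: str   # name of the end-user-profile (assumed field)
    user_entry_id: str     # the user authentication entry this entry is tied to


class UserIdDaemon:
    """Keeps the device identity authentication table and a local copy of the
    device-to-group mapping learned from the Active Directory LDAP server."""

    def __init__(self) -> None:
        self.table: Dict[str, DeviceIdentityEntry] = {}   # keyed by device IP
        self.local_group_map: Dict[str, Set[str]] = {}    # group -> member IPs

    def add_entry(self, entry: DeviceIdentityEntry) -> None:
        self.table[entry.ip] = entry
        for g in entry.groups:
            self.local_group_map.setdefault(g, set()).add(entry.ip)

    def groups_of(self, ip: str) -> List[str]:
        entry = self.table.get(ip)
        return sorted(entry.groups) if entry else []

    def user_entry_expired(self, user_entry_id: str) -> List[str]:
        """The associated user entry expired: tied device entries are deleted.
        No message is issued; the caller only sees the returned IPs."""
        removed = [ip for ip, e in self.table.items() if e.user_entry_id == user_entry_id]
        for ip in removed:
            del self.table[ip]
        return sorted(removed)

    def group_added_to_profile(self, group: str, members_from_ad: Set[str]) -> List[str]:
        """Table 2, row 1: learn the group's members from AD, cache the mapping
        locally, then add the group to the entries of devices already in the table."""
        self.local_group_map[group] = set(members_from_ad)
        updated = []
        for ip in members_from_ad:
            entry = self.table.get(ip)
            if entry is not None:
                entry.groups.add(group)
                updated.append(ip)
        return sorted(updated)

    def group_deleted(self, group: str) -> List[str]:
        """Table 2, row 2 / Table 3: look the members up in the local map, drop
        the mapping, and strip the group from every affected entry."""
        members = self.local_group_map.pop(group, set())
        updated = []
        for ip in members:
            entry = self.table.get(ip)
            if entry is not None and group in entry.groups:
                entry.groups.discard(group)
                updated.append(ip)
        return sorted(updated)

    def device_membership_changed(self, ip: str, added: Set[str] = frozenset(),
                                  removed: Set[str] = frozenset()) -> bool:
        """A device was added to or removed from groups on the LDAP server."""
        entry = self.table.get(ip)
        if entry is None:
            return False
        entry.groups |= set(added)
        entry.groups -= set(removed)
        for g in added:
            self.local_group_map.setdefault(g, set()).add(ip)
        for g in removed:
            self.local_group_map.get(g, set()).discard(ip)
        return True


def interested_groups(policies: Dict[str, Optional[str]],
                      profiles: Dict[str, Set[str]]) -> Set[str]:
    """A group is 'interested' only while some policy's source-end-user-profile
    names a profile that contains it (policies map name -> profile or None)."""
    result: Set[str] = set()
    for profile_name in policies.values():
        if profile_name is not None:
            result |= profiles.get(profile_name, set())
    return result


def table3_scenario() -> Dict[str, List[str]]:
    """Replay Table 3 with constructed entries; returns IP -> groups after group2 is deleted."""
    d = UserIdDaemon()
    d.add_entry(DeviceIdentityEntry("192.0.2.10", "example.com", {"group1", "group2"}, "laptops", "user-a"))
    d.add_entry(DeviceIdentityEntry("192.0.2.11", "example.com", {"group3", "group4"}, "laptops", "user-b"))
    d.add_entry(DeviceIdentityEntry("192.0.2.12", "example.com", {"group2"}, "laptops", "user-c"))
    d.group_deleted("group2")
    return {ip: d.groups_of(ip) for ip in sorted(d.table)}
```

Running table3_scenario() reproduces the second half of Table 3: device1 keeps group1, device2 is untouched, and device3 is left with no groups at all but is not deleted, because only expiry of its associated user entry removes an entry.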

Security Policy Matching and Device Identity Profiles

The device follows the standard rules for matching traffic against security policies. The following behavior pertains to the use of a device identity profile in a security policy for determining a match:

  • Use of a device identity profile in a security policy is optional.

    • If no device identity profile is specified in the source-end-user-profile field, any profile is assumed.

    • You cannot use the keyword any in the source-end-user-profile field of a security policy.

      If you use the source-end-user-profile field in a security policy, you must reference a specific profile. The device from which the access attempt is issued must match the profile’s attributes.

  • Only one device identity profile can be specified in a single security policy.

  • A security policy rematch is triggered when the source-end-user-profile field value of the security policy is changed. No rematch is triggered when an attribute value of a profile is changed.
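The matching rules listed above, as an added example that is not Juniper's code: the SecurityPolicy and DeviceIdentityProfile classes, the zone fields, and the attribute-matching rule (a profile attribute is satisfied when the device holds at least one of the values listed for it) are assumptions made for illustration. What the code enforces comes from the page: the profile is optional, the keyword any is rejected, a policy names exactly one profile, and only a change to the source-end-user-profile field value calls for a rematch.

```python
"""Security policy matching with an optional device identity profile.

Added example, not Juniper code. Class names, zone fields and the
attribute-matching rule are illustrative assumptions; the rules enforced
(optional profile, no 'any', one profile per policy, rematch only when the
profile field changes) are the ones the documentation states.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class DeviceIdentityProfile:
    name: str
    # attribute name -> acceptable values, e.g. {"domain": {"example.com"}, "groups": {"group1"}}
    attributes: Dict[str, Set[str]]


@dataclass
class SecurityPolicy:
    name: str
    from_zone: str
    to_zone: str
    source_end_user_profile: Optional[str] = None   # optional; a single named profile

    def __post_init__(self) -> None:
        if self.source_end_user_profile == "any":
            raise ValueError("the keyword any is not permitted in source-end-user-profile")


def device_matches_profile(device: Dict[str, object], profile: DeviceIdentityProfile) -> bool:
    """Assumed rule: for every attribute the profile lists, the device must hold
    at least one of the listed values (scalar device values are treated as one-element sets)."""
    for attr, allowed in profile.attributes.items():
        have = device.get(attr, set())
        if isinstance(have, str):
            have = {have}
        if not (set(have) & set(allowed)):
            return False
    return True


def policy_matches(policy: SecurityPolicy, device: Dict[str, object],
                   profiles: Dict[str, DeviceIdentityProfile],
                   from_zone: str, to_zone: str) -> bool:
    """Standard zone match first; then the device identity profile, if one is specified."""
    if (policy.from_zone, policy.to_zone) != (from_zone, to_zone):
        return False
    if policy.source_end_user_profile is None:
        return True   # no profile in source-end-user-profile: any profile is assumed
    return device_matches_profile(device, profiles[policy.source_end_user_profile])


def rematch_required(old: SecurityPolicy, new: SecurityPolicy) -> bool:
    """Only a change to the source-end-user-profile field value triggers a rematch.
    Changing an attribute inside the referenced profile leaves this field alone, so
    it does not trigger one."""
    return old.source_end_user_profile != new.source_end_user_profile


def rejects_any_keyword() -> bool:
    """True if a policy whose profile field is 'any' is refused at construction."""
    try:
        SecurityPolicy("bad", "trust", "untrust", "any")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: one profile, one device that belongs to group2.
    profiles = {"laptops": DeviceIdentityProfile("laptops", {"domain": {"example.com"}, "groups": {"group1", "group2"}})}
    device = {"domain": "example.com", "groups": {"group2", "group7"}}
    policy = SecurityPolicy("p-laptops", "trust", "untrust", "laptops")
    print(policy_matches(policy, device, profiles, "trust", "untrust"))
```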