About User Identity Sources

The following table provides a brief overview of the user identity sources supported by the system. Each identity source provides a store of users for user awareness. These users can then be controlled with identity and access control policies.

User Identity Source

Server Requirements

Login Type

Authentication Type

User Control

For more, see...

Captive portal

OpenLDAP

Microsoft Active Directory

Microsoft Azure Active Directory

Authoritative

Active

Yes

The Captive Portal Identity Source

Create a Microsoft Azure AD (SAML) Realm for Active Authentication (Captive Portal)

Passive authentication

OpenLDAP

Microsoft Active Directory

Non-authoritative

Active

Yes

Create an LDAP Realm or an Active Directory Realm and Realm Directory

Passive authentication

Microsoft Azure Active Directory

Passive

Passive

Yes

Configure Microsoft Azure Active Directory for Passive Authentication

Passive authentication with the TS Agent

Microsoft Windows Terminal Server

Authoritative

Passive

Yes

The Terminal Services (TS) Agent Identity Source

Passive authentication with pxGrid cloud identity source

Cisco ISE

Non-authoritative

Passive

Yes

About the pxGrid Cloud Identity Source

Remote Access VPN

OpenLDAP or Microsoft Active Directory

Authoritative

Active

Yes

The Remote Access VPN Identity Source

RADIUS

Authoritative

Active

No, awareness only

ISE/ISE-PIC

Microsoft Active Directory

Authoritative

Passive

Yes

The ISE/ISE-PIC Identity Source

Traffic-based detection

(Configured in the network discovery policy.)

Non-authoritative

No, awareness only

The Traffic-Based Detection Identity Source

Consider the following when selecting identity sources to deploy:

  • You must use traffic-based detection for non-LDAP user logins.

  • You must use traffic-based detection or captive portal to record failed login or authentication activity. A failed login or authentication attempt does not add a new user to the list of users in the database.

  • The captive portal identity source requires a managed device with a routed interface. You cannot use an inline (also referred to as tap mode) interface with captive portal.

Data from those identity sources is stored in the Security Cloud Control's users database and the user activity database. You can configure Security Cloud Control-server user downloads to automatically and regularly download new user data to your databases.

After you configure identity rules using the desired identity source, you must associate each rule with an access control policy and deploy the policy to managed devices for the policy to have any effect. For more information about access control policies and deployment, see Associating Other Policies with Access Control.

For general information about user identity, see About User Identity.