First of all, I am sorry for my poor English, but I will try to describe my question.
I have McAfee Logon Collector 1.0.1 with McAfee Firewall Enterprise 8.2.1. I set passive identity validation. On the MFE side I created some access rules with different "users and groups" criteria.
All rules work fine, but when I use a secondary logon (runas /user:user2) for some application, MLC thinks that this user is logged on. And if I close this application and start it from the logged-on user (user1), the policy for user2 is applied.
Example: I have a rule to allow Skype for domain admins. I log on to Windows as a domain admin. I start Skype and it works as expected. Then I start Skype as user1 (not a domain admin user) and Skype doesn't work. Then I again start Skype from the domain admin account, but now it doesn't work because MLC thinks that user1 is logged on.
So... Can I configure MFE\MLC with passive passport so that different processes (started by different users) work with different access rules?
Thanks in advance.
It is possible that one of the McAfee guys may be able to explain this better. But, the way I understand MLC to work, it monitors the domain login/logout events and from these builds a table of who is logged in on any (Windows) machine on the network.
You can see this by looking at the "Logon Report" screen within the MLC web interface or by clicking on the "Manage Passports" button in the Policy -> Rule Elements -> Passport screen in the Firewall Admin Console.
As I understand it, this passport table tells the Firewall who is logged in and the IP address of the machine they are using, based on the action of logging into the domain. When you create a rule based on a username it isn't necessarily applying against the username, but against the IP address recorded in the list of active passports.
So, while you may be able to use the "runas" option within Windows to allow a specific application to run as if you were logged in as "user2", the PC/Laptop itself is still logged into the domain as "user1" - and this is the user account which MLC will see and report back to the Firewall. I'm not sure that it will pick up on a single application running as a different user.
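To make the point of the answer concrete, here is a small Python model of a passive-identity passport table keyed by source IP, as the answer describes, and of a group-based rule evaluated against that table. This is an added illustration, not McAfee's code or a description of MLC internals; the hosts, users, group names and the "latest logon event wins" behaviour are all constructed assumptions used to reproduce the sequence from the question. Its purpose is to show why per-process identity cannot be enforced this way: the rule check never receives the identity of the process that generated the traffic, only the source IP, so every process on a host shares whatever user the table currently holds for that IP.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class LogonEvent:
    """A domain logon event as a passive collector would see it (constructed)."""
    source_ip: str
    user: str
    groups: FrozenSet[str]


@dataclass
class Passport:
    """One active passport: the user the firewall believes is at this IP."""
    user: str
    groups: FrozenSet[str]


def apply_logon_events(table: Dict[str, Passport], events: List[LogonEvent]) -> Dict[str, Passport]:
    """Update the IP-keyed passport table.

    Assumption for illustration: the newest logon event seen for a source IP
    replaces the previous entry. Whether a real collector records a runas
    logon this way is not settled in the thread above.
    """
    for ev in events:
        table[ev.source_ip] = Passport(ev.user, ev.groups)
    return table


def rule_allows(table: Dict[str, Passport], source_ip: str, required_group: str) -> bool:
    """Group-based access rule, evaluated the way the answer describes.

    Note the signature: there is no parameter for the process owner. The only
    identity input is the source IP, resolved through the passport table.
    """
    passport: Optional[Passport] = table.get(source_ip)
    return passport is not None and required_group in passport.groups


def skype_scenario() -> List[bool]:
    """Replay the three Skype launches from the question on one host.

    Returns the allow/deny decision for each launch, in order.
    """
    host_ip = "10.0.0.5"  # constructed
    admin = LogonEvent(host_ip, "admin1", frozenset({"Domain Admins", "Domain Users"}))
    user1 = LogonEvent(host_ip, "user1", frozenset({"Domain Users"}))
    rule_group = "Domain Admins"

    table: Dict[str, Passport] = {}
    decisions: List[bool] = []

    # 1. Interactive logon as a domain admin, then Skype started normally.
    apply_logon_events(table, [admin])
    decisions.append(rule_allows(table, host_ip, rule_group))

    # 2. runas /user:user1 produces a logon event from the same IP; under the
    #    "latest wins" assumption the host's passport now says user1.
    apply_logon_events(table, [user1])
    decisions.append(rule_allows(table, host_ip, rule_group))

    # 3. Skype launched again by the admin process. No new logon event occurs,
    #    so the table still holds user1 and the rule denies the admin's traffic.
    decisions.append(rule_allows(table, host_ip, rule_group))

    return decisions


if __name__ == "__main__":
    for launch, allowed in enumerate(skype_scenario(), start=1):
        print(f"Skype launch {launch}: {'allowed' if allowed else 'denied'}")
```

The model makes the limitation visible in one place: `rule_allows` resolves identity from the source IP alone, so two processes on the same host can never get different decisions no matter which user owns them. Any design that needs per-process or per-user enforcement on a shared host has to carry identity in the connection itself (for example an authenticating proxy or agent on the endpoint) rather than infer it from logon events mapped to addresses.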