Passive authentication

Use the IBM Security Logon-event Scanner to authenticate users to the IBM QRadar Network Security appliance automatically when they log on to your network using Active Directory.

You can configure the IBM QRadar Network Security appliance to create authenticated user sessions transparently when it receives a logon event from the IBM Security Logon-event Scanner. You can then create Network Access Policy rules based on authenticated users without requiring users to log in directly to the authentication portal.

The Logon-event Scanner scans for Active Directory logon events and sends the events to the IBM QRadar Network Security appliance. A Logon-event Scanner must be deployed on every domain controller within the Active Directory (AD) environment. You must then configure each installed instance of the Logon-event Scanner on the IBM QRadar Network Security interface.

Note: Manual user authentication through the portal always overrides an existing session added by passive authentication.

Creating a secure connection between the Logon-event Scanner and the IBM QRadar Network Security appliance requires an SSL certificate, which you can export from the local management interface (LMI).

Tip: For instructions on downloading the Logon-event Scanner, visit the IBM Support Portal and search for technote #1593164.