I have a question (or if it doesn't exist, a proposition).
Is it possible to create a posture check that checks the IP-based geolocation of an identity, to allow or deny access to resources?
It would be awesome to see in real-time all devices on the dashboard map too (like an option to enable and specify an external API or with a built-in API).
And be able to see when zooming or clicking on the entity a compact set of information like OS, IP, identity, connectivity status, hardware information, etc...
And then click on a button like "More details" to see more information of this entity.
Be able to see the localization history and the "last seen" on the map with gray dots, see online entities with green dots, red dots for a blocked entity or a missing posture check of the entity, etc...
I don't find a way to use this map. For the localization, I tried custom tags like longitude/latitude on identities but don't know how to link them to the map, and even if it works, it's static so not very interesting.
There have been other geographical-type requests in the past. It's doable, sure, but it hasn't been a priority to implement. Also, OpenZiti tends to not collect IP information by default as it's often considered PII. The link Philip shared is probably the best one to start/watch.
This was originally intended to be used for routers and pathing and things along those lines. We haven't had the time to really dig into making that sort of thing a reality though, and for "most people" (who aren't running 10+ edge router networks), seeing "one or two" routers isn't all that exciting...
There's lots that could be done with the map, but right now we know it's a bit... "barren"...
Tags have always been meant to be used by applications. In this case, the ziti admin console uses the singular "geolocation" tag. There are no others I know of.
On an identity add:
"geolocation", "43.1584824,-77.6518579"
I don't know that it would be useful for a posture check, but an external system could consume the api-session creation event and act on it. This message captures the IP address of the endpoint as seen by the Network Controller, so it can be easily bypassed by the use of a VPN, etc., but one can geocode the IP.
You can consume those messages and easily pass them to a map to see where devices were when they created the session, as accurate as GeoIP lookups are, which is fair, but I wouldn't bet my security on it.
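As an added illustration of the two approaches discussed in this thread (the static "geolocation" tag on an identity, and geocoding the controller-observed address from api-session creation events), here is a small Python script that turns both into GeoJSON points for a map. It is example code written for this post, not part of OpenZiti or its console; the event field names (`namespace`, `event_type`, `identity_name`, `remote_address`), the sample events, and the tiny `GEOIP` table are all constructed assumptions, and a real deployment would substitute the controller's actual event schema and a real GeoIP database. It deliberately treats the result as visibility data only: private, loopback and ULA addresses are reported as unlocated rather than guessed, and nothing here makes an access decision.

```python
import json
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample: one identity carrying the "geolocation" tag the admin console reads.
IDENTITIES = [
    {"name": "laptop-01", "tags": {"geolocation": "43.1584824,-77.6518579"}},
    {"name": "phone-02", "tags": {}},
]

# Constructed api-session events. The field names are assumptions made for this
# example, not the real OpenZiti event schema; adapt them to what your controller emits.
EVENTS = [
    {"namespace": "apiSession", "event_type": "created",
     "identity_name": "laptop-01", "remote_address": "203.0.113.7:51234"},
    {"namespace": "apiSession", "event_type": "created",
     "identity_name": "phone-02", "remote_address": "10.0.0.5:40000"},
    {"namespace": "apiSession", "event_type": "deleted",
     "identity_name": "laptop-01", "remote_address": "203.0.113.7:51234"},
]

# Constructed toy GeoIP table standing in for a real database lookup.
GEOIP = {"203.0.113.7": (43.1566, -77.6088)}

# Address ranges that carry no geographic meaning (RFC 1918, loopback, IPv6 ULA).
NON_ROUTABLE = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "fc00::/7", "::1/128")]


def parse_geolocation_tag(value: str) -> Optional[Tuple[float, float]]:
    """Parse a "lat,lon" tag value; reject malformed or out-of-range input."""
    try:
        lat_s, lon_s = value.split(",")
        lat, lon = float(lat_s), float(lon_s)
    except ValueError:
        return None
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return None
    return lat, lon


def split_host(remote: str) -> str:
    """Strip a trailing :port from an address, handling bracketed IPv6 literals."""
    if remote.startswith("[") and "]" in remote:
        return remote[1:remote.index("]")]
    host, sep, port = remote.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host
    return remote


def geocode(remote: str) -> Optional[Tuple[float, float]]:
    """Map the controller-observed address to coordinates, or None if it cannot be located."""
    try:
        ip = ip_address(split_host(remote))
    except ValueError:
        return None
    if any(ip in net for net in NON_ROUTABLE):
        return None
    return GEOIP.get(str(ip))


def feature(name: str, lat: float, lon: float, source: str) -> dict:
    """Build one GeoJSON point; GeoJSON orders coordinates as [lon, lat]."""
    return {"type": "Feature",
            "geometry": {"type": "Point", "coordinates": [lon, lat]},
            "properties": {"identity": name, "source": source}}


def build_geojson(events: List[dict], identities: List[dict]) -> Tuple[dict, List[str]]:
    """Combine static tag positions and event-derived positions into one collection.
    Returns (FeatureCollection, names of identities whose session could not be located)."""
    features, unlocated = [], []
    for ident in identities:
        pos = parse_geolocation_tag(ident.get("tags", {}).get("geolocation", ""))
        if pos:
            features.append(feature(ident["name"], *pos, "geolocation-tag"))
    for evt in events:
        # Only session creation carries the "where was the device" signal.
        if evt.get("namespace") != "apiSession" or evt.get("event_type") != "created":
            continue
        pos = geocode(evt.get("remote_address", ""))
        if pos:
            features.append(feature(evt["identity_name"], *pos, "geoip"))
        else:
            unlocated.append(evt["identity_name"])
    return {"type": "FeatureCollection", "features": features}, unlocated


if __name__ == "__main__":
    collection, missing = build_geojson(EVENTS, IDENTITIES)
    print(json.dumps(collection, indent=2))
    print("could not locate:", missing)
```

The `source` property on each feature lets the map distinguish an operator-entered tag position from a GeoIP estimate, which matters because, as noted above, the observed IP reflects whatever VPN or NAT sits in front of the device and should be read as a hint rather than a fact.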