# Device Authentication

Cloudbrink introduces a new feature called Device-Authentication starting with release 14.4. Device-Authentication opens up several new use cases for customers using the Cloudbrink platform. Cloudbrink can now provide zero-trust security and application performance optimization to hardware devices such as branch gateways, Wi-Fi access points and firewalls, as well as to hybrid workforce users.

**How it works**

BrinkAgent can now be installed on EnGenius networking products (e.g., the ESG510 cloud-managed gateway), which are typically deployed in branch or SOHO (small office/home office) locations. The BrinkAgent on the EnGenius gateway can provide zero-trust security and performance optimization to all devices in the network that use the EnGenius gateway as their default router. There is no need to install the BrinkAgent on the devices within the network to take advantage of the security and performance benefits of Cloudbrink.

The BrinkAgent on the EnGenius gateway operates exactly like the BrinkAgent running on a regular endpoint such as a user’s laptop or mobile phone. It authenticates to the Cloudbrink SaaS using the Device-Authentication feature, downloads the application configuration defined by the administrator, and starts securing and improving performance for the applications that the administrator has defined.

The Device-Authentication feature on BrinkAgent reads a secured data source on the EnGenius gateway. The EnGenius platform generates this data source when the Cloudbrink service is enabled on the EnGenius cloud-managed platform. The data source contains the information the BrinkAgent requires to authenticate and authorize the EnGenius gateway. The configuration section in this document provides the steps to set up the Device-Authentication feature.

**Use Cases:**

The Device-Authentication feature enables multiple use cases for customers using the Cloudbrink platform.

1\) Branch Zero-Trust Security and SD-WAN Optimization

BrinkAgent on the EnGenius gateway can provide zero-trust security and SD-WAN optimization benefits to branch deployments. Customers with several branches can deploy EnGenius gateways powered by BrinkAgent to define access control policies, branch-to-branch connectivity and SD-WAN link aggregation, and to benefit from high-quality application acceleration. Customers can replace expensive MPLS and SD-WAN solutions that do not provide application-level and user-level access policies.

2\) IoT Access Controls and Edge Acceleration

Customers have deployed many IoT devices in their branches and office spaces. These IoT devices interact with Edge services for data processing and real-time feedback, and send large amounts of metadata to the Cloud. All this communication between IoT devices and Edge/Cloud services requires access controls as well as performance acceleration. The BrinkAgent and EnGenius gateway can be deployed in these branches and office spaces to secure IoT device communication, restrict access to approved Edge/Cloud services only, and improve the performance of this communication.

3\) AI & Autonomous Agents

AI and autonomous agents are rapidly expanding their footprint into various use cases within the enterprise IT infrastructure. AI agents pose a significant security risk if their communication is not controlled and monitored. Enterprises can use the BrinkAgent and EnGenius gateway solution to ensure AI agents communicate only with the approved set of services, both internally and on the Internet. Along with access controls, enterprises can monitor these communications and ensure they are compliant with the AI usage.

#### **Configuration**

1\) EnGenius Cloud-Managed Gateway configuration

On the EnGenius cloud-based administrative console, the customer must enable the Cloudbrink service for those gateways that require zero-trust security and performance benefits. The option to enable the Cloudbrink service is shown below.

![](/files/xG7wT3wCh0ta7LsjtJKp)

![](/files/la7WitVyrwxrf3B0Cjiq)

2\) Cloudbrink configuration

a. Navigate to Cloudbrink Admin Portal → Configure → Collections → Devices Collection

![](/files/k59ZqrkaUDReQ8oPr0ra)

b. Add a new device-collection and add device information. Device information can be added one device at a time, or for multiple devices at once using bulk upload in CSV format. The CSV format is given at the end of this guide.

Device info consists of the serial-ID and MAC address of the EnGenius gateway appliance.

![](/files/eg4hsIf0Wq8sCG65zQoS)

c. Verify that the devices have been added successfully by clicking on the “Devices List” section.

![](/files/YypkOj7q9vkbxKNvveGr)

d. Add a new authentication policy of type “Device Auth” by navigating through Admin Portal → Configure → Policies → Authentication → Device Auth type

Realm → This is a string which must be configured on both Cloudbrink and the EnGenius cloud-based management console. A device can be authenticated by the Cloudbrink SaaS only when the Realm matches.

OT Device Collection → Select the device collection created in step b)

Device User Group → This is the device-user-group in which a successfully authenticated device is placed. The resource-template and policies applied to this device-user-group apply to the authenticated device.

![](/files/2R9xbYzRhpSSvWMJaHjp)

#### **Visibility**

After the above configuration is complete on both the EnGenius management portal and the Cloudbrink admin portal, the customer can restart the EnGenius gateway. When the EnGenius gateway boots up, BrinkAgent automatically performs the authentication process and logs in to the Cloudbrink service.

Admins can monitor the EnGenius gateway devices using the Cloudbrink service from the Cloudbrink Admin Portal → Troubleshoot → Devices → OT Devices tab

<figure><img src="/files/gIsofhjLubZNXJERA2oZ" alt=""><figcaption></figcaption></figure>

Admins can also monitor the application traffic sessions for each of these devices by navigating through Admin Portal → Troubleshoot → Users → \<select\_device\_ID\_based\_username> → Sessions tab

<figure><img src="/files/Dmfr9IaUxpbuYQYxuCQG" alt=""><figcaption></figcaption></figure>

The same information is available under Admin Portal → Troubleshoot → Sessions → \<filter\_using\_username\_column>

Sample CSV file to upload device info in bulk upload:

<table><thead><tr><th valign="top">serial_id</th><th valign="top">device_mac</th></tr></thead><tbody><tr><td valign="top">49834jfkdf0983</td><td valign="top">FE:02:E2:01:76:11</td></tr><tr><td valign="top">834fjf93940959</td><td valign="top">FE:02:E2:01:76:12</td></tr><tr><td valign="top">fsljdfl-39495-kf</td><td valign="top">FE:02:E2:01:76:13</td></tr></tbody></table>
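A pre-upload check for the bulk CSV, as an added example that is not Cloudbrink's code: the Device Auth policy references this device collection, so malformed, non-unicast or duplicate entries are worth catching before upload. The required header row, the colon-separated MAC format and the `validate_device_csv` name are assumptions based on the sample table above.

```python
import csv
import io
import re

# Column names come from the sample table on this page; requiring them as a
# header row and accepting only colon-separated MACs are assumptions.
EXPECTED_HEADER = ["serial_id", "device_mac"]
MAC_RE = re.compile(r"[0-9A-F]{2}(:[0-9A-F]{2}){5}")


def validate_device_csv(text):
    """Return (rows, errors): accepted (serial_id, mac) pairs and rejections."""
    reader = csv.reader(io.StringIO(text))
    header = [h.strip() for h in next(reader, [])]
    if header != EXPECTED_HEADER:
        return [], ["line 1: header must be serial_id,device_mac"]
    rows, errors, seen = [], [], {}
    for rec in reader:
        line = reader.line_num
        if not any(c.strip() for c in rec):
            continue  # ignore blank lines
        if len(rec) != 2:
            errors.append(f"line {line}: expected 2 columns, got {len(rec)}")
            continue
        serial, mac = rec[0].strip(), rec[1].strip().upper()
        if not serial:
            errors.append(f"line {line}: empty serial_id")
        elif not MAC_RE.fullmatch(mac):
            errors.append(f"line {line}: malformed device_mac {mac!r}")
        elif int(mac[:2], 16) & 1:
            # Group bit set: a multicast address cannot identify one appliance.
            errors.append(f"line {line}: device_mac {mac} is not unicast")
        elif serial in seen or mac in seen:
            first = seen.get(serial) or seen.get(mac)
            errors.append(f"line {line}: duplicate of line {first}")
        else:
            seen[serial] = seen[mac] = line
            rows.append((serial, mac))
    return rows, errors


# Constructed sample based on the page's table, with three deliberately bad rows.
SAMPLE = """serial_id,device_mac
49834jfkdf0983,FE:02:E2:01:76:11
834fjf93940959,fe:02:e2:01:76:12
fsljdfl-39495-kf,FE:02:E2:01:76:1
dup-serial-0001,FE:02:E2:01:76:11
,FE:02:E2:01:76:14
"""
```

Calling `validate_device_csv(SAMPLE)` accepts the first two rows (MACs normalized to upper case) and rejects lines 4 to 6.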


