
Integration Cisco ISE with Checkpoint VPN and AD

GabsC2
Level 1

Good day,

I'm trying to use a Cisco ISE as a RADIUS server using AD with Checkpoint VPN. Yes, it sounds confusing, I know.

We use Checkpoint for our client-to-site VPN connections and we tried to integrate it with our AD server, but due to external issues we can't. We have an ISE and I would like to use it as the intermediary between my Checkpoint clients and the AD. The Checkpoint VPN client doesn't work with TACACS+, so the option is to use a RADIUS server. I want to know if it is possible to activate the RADIUS server in the ISE and have it read the users on the AD server that has RADIUS on. That way I can select RADIUS auth on the Checkpoint VPN, put the Cisco ISE as the RADIUS server, and the ISE checks the authorization with the AD server we have. If someone knows whether this is possible and has the link to the documentation, I would very much appreciate it. Meanwhile I'll keep working with the lab to see if I get a EUREKA.

2 Replies

Yes, RADIUS is an open standard. Here would be your flow:

VPN attempt -> CheckPoint -> RADIUS -> ISE -> Access-Accept -> CheckPoint.

So the CheckPoint sends a RADIUS request to ISE, ISE validates this attempt against AD, checks AD group membership for the user, etc. and then responds with an access-accept (or whatever attribute the CheckPoint is expecting). Then the CheckPoint allows the remote access VPN attempt.
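
The RADIUS leg of the flow in the answer above, as an added example that is not part of the original thread and is not Cisco ISE or Check Point code: a Python walk-through of the RFC 2865 PAP exchange, where the gateway hides the password, the server checks it and a group against an in-memory directory standing in for AD, and the gateway verifies the Response Authenticator before acting on the reply. The shared secret, user, password, group and function names are all constructed for illustration.

```python
import hashlib, hmac, os, struct

SECRET = b"constructed-shared-secret"                # assumed gateway<->server secret
DIRECTORY = {"alice": (b"S3cure!pass", {"VPN-Users"})}  # constructed stand-in for AD

def _attr(t, v):
    return bytes([t, len(v) + 2]) + v

def _crypt(data, req_auth, decrypt):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with an MD5 chain."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(SECRET + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = data[i:i + 16] if decrypt else block  # chain on the ciphertext block
        out += block
    return out

def access_request(ident, user, password):
    """Gateway side: Access-Request (code 1) with User-Name (1), User-Password (2)."""
    req_auth = os.urandom(16)
    pw = password.encode()
    pw = pw.ljust(max(16, -(-len(pw) // 16) * 16), b"\x00")  # pad to 16-byte blocks
    attrs = _attr(1, user.encode()) + _attr(2, _crypt(pw, req_auth, False))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def parse_attrs(pkt):
    attrs, i = {}, 20
    while i + 2 <= len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > len(pkt):
            raise ValueError("malformed attribute")
        attrs[t] = pkt[i + 2:i + l]
        i += l
    return attrs

def radius_server(req, required_group):
    """Server side: check password and group, answer Accept (2) or Reject (3)."""
    req_auth, attrs = req[4:20], parse_attrs(req)
    pw = _crypt(attrs.get(2, b""), req_auth, True).rstrip(b"\x00")
    entry = DIRECTORY.get(attrs.get(1, b"").decode(errors="replace"))
    ok = bool(entry) and hmac.compare_digest(pw, entry[0]) and required_group in entry[1]
    head = struct.pack("!BBH", 2 if ok else 3, req[1], 20)
    return head + hashlib.md5(head + req_auth + SECRET).digest()

def gateway_verify(req, resp):
    """Gateway recomputes the Response Authenticator before trusting the reply."""
    expect = hashlib.md5(resp[:4] + req[4:20] + resp[20:] + SECRET).digest()
    if resp[1] != req[1] or not hmac.compare_digest(expect, resp[4:20]):
        return "invalid"
    return {2: "accept", 3: "reject"}.get(resp[0], "invalid")
```

The group check is what turns directory authentication into an authorization decision, and the authenticator check is why a reply whose code byte was altered in transit is discarded rather than treated as an accept.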

Good day,

Thank you for your answer, and how will the ISE know that the authentications received via RADIUS should be checked in the AD server?