05-10-2021 03:43 PM
Hi
We have an 8-node ISE 2.6 patch 6 deployment in a Checkpoint firewall/VPN environment and are investigating what the requirements are to use ISE to authenticate and authorize the Checkpoint VPN users.
1. Can the ISE be configured to do VPN access with Checkpoint in a similar way that you can with Cisco Firewalls and Anyconnect?
2. Do you need pxGrid to be able to do ISE to Checkpoint VPN integration?
3. Is it possible to do Profiling and/or Posture with Checkpoint VPN?
The only ISE to Checkpoint integration information we have been able to find thus far has been with Checkpoint Identity Collector, but we could not find anything specific to just the VPN.
Any guidance will be greatly appreciated.
05-11-2021 01:00 PM - edited 05-11-2021 01:23 PM
You can configure Checkpoint to use ISE as the RADIUS server to authenticate the users; you don't need pxGrid for that.
I doubt you can profile the devices: ISE needs to learn the MAC address of an endpoint in order to create an endpoint record and profile the device. The MAC address for the LAN interface of the VPN client cannot be learnt by ISE over a layer 3 connection. If using the AnyConnect VPN client to authenticate to the VPN, ISE can learn the MAC address using ACIdex values, but I doubt you can use AnyConnect with the CheckPoint firewall?
I've not tried it, but if using ISE 3.0 perhaps agentless posture might work in your scenario.
Posturing would require the AnyConnect ISE posture client, so you'd need to install this and a profile specifying the ISE call home servers. I doubt you could use the posture redirect method, as I assume the CheckPoint device wouldn't support the redirect ACL that ASA/FTD do.
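The RADIUS exchange the reply describes, as an added example that is not from this thread or from Cisco or Check Point: a minimal RFC 2865 Access-Request as a VPN gateway (the NAS) would send it to ISE, the Response Authenticator check the gateway should apply to the reply, and a parser that shows what ISE actually receives. The username, shared secret and peer IP are constructed; the point to notice is that Calling-Station-Id carries the tunnel peer's IP, not a MAC, which is why profiling has nothing to key on.

```python
import hashlib, hmac, secrets, struct

# RFC 2865 codes and attribute types (standard values, not taken from the thread).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 31, 61
NAS_PORT_TYPE_VIRTUAL = 5  # what a VPN gateway reports for a tunnel session

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(ident, username, password, secret, client_ip):
    """NAS side: credentials plus the tunnel peer's IP; no endpoint MAC is available."""
    req_auth = secrets.token_bytes(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + _attr(CALLING_STATION_ID, client_ip.encode())
             + _attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """NAS side: accept only replies bound to our request by the shared secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response) or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def parse_attributes(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 1 < len(packet) else 0
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

A real deployment also carries NAS-IP-Address and vendor-specific attributes, and the shared secret is the only thing binding the reply to the request, so it must be long, unique per NAS, and carried over a network path ISE and the gateway both trust.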
09-20-2021 03:23 AM
Hello,
Any documentation or workaround with Checkpoint VPN and ISE with Azure AD?