ISE and Checkpoint VPN

franjean47 (Level 1)

Hi

We have an 8-node ISE 2.6 patch 6 deployment in a Checkpoint firewall/VPN environment and are investigating what the requirements are to use ISE to authenticate and authorize the Checkpoint VPN users.

 

1. Can the ISE be configured to do VPN access with Checkpoint in a similar way that you can with Cisco Firewalls and Anyconnect?

2. Do you need pxGrid to be able to do ISE to Checkpoint VPN integration?

3. Is it possible to do Profiling and/or Posture with Checkpoint VPN?

 

The only ISE to Checkpoint integration information we have been able to find thus far has been with Checkpoint Identity Collector, but could not find anything specific to just the VPN.

 

Any guidance will be greatly appreciated.


Accepted Solution

@franjean47 

You can configure Checkpoint to use ISE as the RADIUS server to authenticate the users; you don't need pxGrid for that.

 

I doubt you can profile the devices. ISE needs to learn the MAC address of an endpoint in order to create an endpoint record and profile the device, and the MAC address of the LAN interface of the VPN client cannot be learnt by ISE over a layer 3 connection. If using the AnyConnect VPN client to authenticate to the VPN, ISE can learn the MAC address using ACIdex values, but I doubt you can use AnyConnect with the Checkpoint firewall?

 

I've not tried it, but if using ISE 3.0 perhaps agentless posture might work in your scenario.

Posturing would require the AnyConnect ISE posture client, so you'd need to install this and a profile specifying the ISE call home servers. I doubt you could use the posture redirect method, as I assume the Checkpoint device wouldn't support the redirect ACL that ASA/FTD do.
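To make the "Checkpoint as RADIUS client, ISE as RADIUS server" part of the answer concrete, here is an added example (not from the poster, and not Checkpoint or Cisco code) that builds and parses a RADIUS Access-Request the way a VPN gateway would send it for PAP authentication. It implements the RFC 2865 User-Password hiding and the RFC 2869 Message-Authenticator with the standard library only. The shared secret, username, password, NAS IP and Calling-Station-Id values are constructed for the demo. It also shows why the answer's profiling caveat holds: for a remote-access VPN the NAS has no LAN MAC to put in Calling-Station-Id, so a MAC-based endpoint record cannot be built from it.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet code and attribute types (RFC 2865, RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Obfuscate User-Password as in RFC 2865 section 5.2.

    The plaintext is NUL-padded to a multiple of 16 bytes and each chunk is
    XORed with MD5(secret + previous ciphertext chunk), seeded with the
    Request Authenticator. Anyone holding the shared secret can reverse
    this, which is why the secret and the NAS-to-ISE path need protecting.
    """
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def recover_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server-side inverse of hide_password (what the RADIUS server does before checking the credential)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, mask))
        prev = chunk
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, username: str, password: str,
                         nas_ip: str, calling_station_id: str,
                         authenticator: bytes = None) -> bytes:
    """Build an Access-Request as the VPN gateway (RADIUS client) would send it to ISE."""
    authenticator = authenticator or os.urandom(16)  # random per request (RFC 2865 section 3)
    attrs = (
        _attr(ATTR_USER_NAME, username.encode())
        + _attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
        + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        # For remote-access VPN this carries the client's public IP, not a LAN MAC,
        # so ISE cannot create a MAC-based endpoint record from it (assumption: same for Checkpoint).
        + _attr(ATTR_CALLING_STATION_ID, calling_station_id.encode())
        + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, filled below
    )
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    # RFC 2869: HMAC-MD5 keyed with the shared secret over the packet with the value zeroed
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute


def parse_access_request(packet: bytes) -> dict:
    """Decode the header and attributes; raises on length inconsistencies."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Check the Message-Authenticator; False if absent, wrong secret, or the packet was altered."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False


if __name__ == "__main__":
    secret = b"example-shared-secret"  # constructed demo value
    pkt = build_access_request(secret, 7, "alice", "s3cret-pass", "192.0.2.10", "203.0.113.55")
    parsed = parse_access_request(pkt)
    print(parsed["attrs"][ATTR_USER_NAME], verify_message_authenticator(secret, pkt))
    print(recover_password(secret, parsed["authenticator"], parsed["attrs"][ATTR_USER_PASSWORD][0]))
```

The User-Password hiding is reversible with the shared secret, so on the ISE side treat the RADIUS secret as a credential (long, unique per network device) and keep the NAS-to-ISE path on a management network; ISE also lets you require the Message-Authenticator, which is what detects a modified request in the check above.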


2 Replies

Hello,

Any documentation or workaround for Checkpoint VPN and ISE with Azure AD?