Cisco ISE integration with third-party firewalls

Rui Antunes
Level 4

Can Cisco ISE be integrated with a third-party firewall (such as Checkpoint), to provide authentication/authorization services to remote VPN user devices (based on device MAC address)?

The remote user would establish a VPN connection to a third-party firewall, based on a username/password authentication, but the user would only be allowed to send/receive traffic to the internal network if the MAC address of the device being used was authorized by Cisco ISE.

Thank you in advance.

3 Replies

Tarik Admani
VIP Alumni

Rui,

I do not think the VPN client sends the IP address in a called-station-id; that might be the public IP address that the client is initiating the request from. If you have an existing RADIUS server or can run a packet capture, you should be able to verify that.

If the client does send the MAC address in the RADIUS packet, then you can create a custom condition that can be used to check the MAC address along with the username to allow it access to the session. However, in VPN deployments there is no concept of profiling since 802.1x deployments usually include the client's MAC address.

Thanks,

Tarik Admani
*Please rate helpful posts*
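
Added example, not part of any reply in this thread: a Python parser for the verification step suggested above, which reads a RADIUS Access-Request and reports whether Called-Station-Id (type 30) or Calling-Station-Id (type 31) carries a MAC address or an IP address. The sample packets, the user name `vpnuser` and all function names are constructed for illustration.

```python
import ipaddress
import re
import struct

# RFC 2865 attribute types relevant to the question in this thread.
WATCHED = {1: "User-Name", 30: "Called-Station-Id", 31: "Calling-Station-Id"}
MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"  # 00:11:.. or 00-11-..
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"                 # 0011.22aa.bbcc
    r"|[0-9a-f]{12})$", re.IGNORECASE)

def classify(value):
    """Return 'ip', 'mac' or 'other' for an attribute value."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "mac" if MAC_RE.match(value) else "other"

def station_id_report(packet):
    """Parse a RADIUS Access-Request and classify the watched attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    report, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype in WATCHED:
            text = packet[pos + 2:pos + alen].decode("utf-8", "replace")
            report[WATCHED[atype]] = (text, classify(text))
        pos += alen
    return report

# Constructed samples (not captured traffic), built with a zeroed authenticator.
def build_sample(attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, 42, 20 + len(body), bytes(16)) + body

SAMPLE_IP = build_sample([(1, b"vpnuser"), (31, b"203.0.113.25")])
SAMPLE_MAC = build_sample([(1, b"vpnuser"), (31, b"00-11-22-AA-BB-CC")])

if __name__ == "__main__":
    print(station_id_report(SAMPLE_IP), station_id_report(SAMPLE_MAC))
```

To use it on real traffic, pass the UDP payload of an Access-Request taken from a packet capture to `station_id_report`.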

Mike_fbr
Level 1

According to this documentation: "http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/at-a-glance-c45-736265.pdf" Cisco ISE integrates to Check Point through the Identity Awareness Blade.

Some of the main ISE attributes available for use by Check Point for user-related context include:
- User: user name, IP address, authentication status, location
- User class: authorization group
- Cisco TrustSec: security group tag (SGT)

I know the post is old, but I still hope this information is useful for someone.