Cisco ISE integration with third-party firewalls

Can Cisco ISE be integrated with a third-party firewall (such as Checkpoint), to provide authentication/authorization services to remote VPN user devices (based on device MAC address)?

The remote user would establish a VPN connection to a third-party firewall, based on a username/password authentication, but the user would only be allowed to send/receive traffic to the internal network if the MAC address of the device being used was authorized by Cisco ISE.

Thank you in advance.

3 REPLIES

Cisco ISE integration with third-party firewalls

Rui,

I do not think the VPN client sends the IP address in a Called-Station-Id; that might be the public IP address that the client is initiating the request from. If you have an existing RADIUS server or can run a packet capture, you should be able to verify that.

If the client does send the MAC address in the RADIUS packet, then you can create a custom condition that can be used to check the MAC address along with the username to allow it access to the session. However, in VPN deployments there is no concept of profiling, since 802.1X deployments usually include the client's MAC address.

Thanks,

Tarik Admani
*Please rate helpful posts*
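The verification Tarik suggests (confirm from a capture what the gateway actually places in Calling-Station-Id, then apply a username-plus-MAC condition) as an added Python example; it is not code from this thread, from Cisco ISE or from Check Point. The packet builder, the allowlist and the sample values are constructed for illustration, and the allowlist stands in for whatever store holds the authorized device MACs.

```python
import struct

# RADIUS attribute type codes (RFC 2865)
USER_NAME = 1
CALLING_STATION_ID = 31

def build_access_request(attrs, ident=1):
    """Build an Access-Request (Code 1) from (type, value-bytes) pairs: constructed test input.
    The 16-byte Request Authenticator is zeroed because only attribute parsing is exercised."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

def parse_radius_attributes(packet):
    """Decode the attribute TLVs after the 20-byte RADIUS header into {type: [value, ...]}.
    Raises ValueError on a truncated or internally inconsistent packet."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def normalize_mac(text):
    """Reduce 'AA-BB-CC-DD-EE-FF', 'aa:bb:...' or 'aabb.ccdd.eeff' to 12 lowercase hex chars."""
    return "".join(c for c in text.lower() if c in "0123456789abcdef")

def device_authorized(packet, allowed):
    """The 'username + MAC' condition: Calling-Station-Id must be a MAC on that user's allowlist."""
    attrs = parse_radius_attributes(packet)
    users = attrs.get(USER_NAME, [])
    stations = attrs.get(CALLING_STATION_ID, [])
    if len(users) != 1 or len(stations) != 1:
        return False  # attribute absent or duplicated: fail closed
    user = users[0].decode("utf-8", "replace")
    mac = normalize_mac(stations[0].decode("utf-8", "replace"))
    return len(mac) == 12 and mac in allowed.get(user, set())

# Constructed samples: a gateway reporting the device MAC vs. one reporting the client's public IP
ALLOWED = {"rui": {normalize_mac("00-11-22-33-44-55")}}
PKT_MAC = build_access_request([(USER_NAME, b"rui"), (CALLING_STATION_ID, b"00-11-22-33-44-55")])
PKT_IP = build_access_request([(USER_NAME, b"rui"), (CALLING_STATION_ID, b"203.0.113.7")])
```

Run the parser over the Access-Request bytes from a real capture: if Calling-Station-Id decodes to an IP address rather than a MAC, the condition has nothing to match on and the gateway, not ISE, is where the gap is.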
New Member

Cisco ISE integration with third-party firewalls

According to this documentation, http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/at-a-glance-c45-736265.pdf, Cisco ISE integrates with Check Point through the Identity Awareness Blade.

Some of the main ISE attributes available for use by Check Point for user-related context include:
- User: user name, IP address, authentication status, location.
- User class: authorization group.
- Cisco TrustSec: security group tag (SGT).

I know the post is old, but I still hope this information is useful for someone.