In our previous blog, we explained how to integrate CheckPoint firewalls and Multi-Domain servers with RADIUS. In this blog, we are explain how to integrate Check Point SmartConsole with Active Directory using Cisco ISE and the RADIUS protocol. In our sample environment, on the domain controller, we have created a security group called CheckPointSmartCon. Users who are members of this group will be allowed to authenticate using SmartConsole.
First, we log on to ISE (in our topology it is 10.1.18.104). Next, navigate to Work Centers > Network Access > Ext Id Sources
Then expand Active Directory and click the name of your domain controller (in our instance, it is ad1dc).
Click the Group tab
Click the Add button
Click the “Select Groups from Directory” menu option
Click the “Select Groups from Directory” menu option
Place a check in the newly created “CheckPointSmartCon” group and click “OK.”
Next, navigate to Policy > Policy Elements > Results
Expand Authorization and click Authorization Profiles
Click Add
In the Name field, type “CheckPoint-SmartConsole”
Set the Network Device Profile to the pre-existing “Checkpoint-Devices” we created in the previous blog. Then click “Submit.”
Then navigate to Policy > Policy Elements > Conditions
Click where it says “Click to add an attribute”
Next, click the “Identity group” button, then click the domain controller (in our instance, it is ad1dc).
Then click the “Choose from list or type” pulldown menu and select the “CheckPointSmartCon” group. Then click “Save”
Select the “Save as a new Library Condition,” radio button. Call it If-MDS-SmartCon and click “Save.”
Next, navigate to Policy > Policy Sets
In the row of the existing Policy Set, called CheckPointMDS (from the previous blog), click on the caret on the right side of the row.
Next, expand “Authorization Policy”
Click the plus sign to add a new rule.
In the Rule Name field, call it “CheckPointSmartConRule
Click the plus sign in the Conditions column
Click the Identity group button
Drag the IF-MDS-SmatCon group into the Editor white space
Then click “Use”
Under the “Results/Profiles” box, click “Select from list” and select “CheckPoint-SmartConsole
Then click “Save”
Next, we will want to use SmartConsole to connect to the Multi-Domain server to add ISE as a RADIUS object and create administrative user accounts that will use RADIUS to authenticate their login via ISE and Active Directory.
Open up SmartConsole and connect to the Multi-Domain Server (in our topology, it is 10.1.18.101)
Click the LOGIN button and connect to the domain.
Right click the Global Domain server (circled here in red) and click “Connect to Domain Server.”
Once the policy editor loads, click the “New” button and navigate to More > Server > More > RADIUS
Call it CiscoISERadiusObject, and enter in the shared secret that it will use to communicate with the Cisco ISE server.
Next, click the pulldown menu in the Host field, and click the Asterisk button
Then click “host”
Call it CiscoISEServer, enter in its IP (in our topology, it is 10.1.18.104) and click OK.
Then click OK on the CiscoISERadiusObject
Next, click Publish
Then close the SmartConsole Global Policy Window and navigate back to the SmartConsole MDS window.
Click the Permissions and Administrations button.
Click the New Button
Enter the name of the user – the user must match the name of a user in the Active Directory Security Group we retrieved in ISE (in our case, CheckPointSmartCon). Set the Authentication method to RADIUS. Set the RADIUS server to the CiscoISERadiusObject we created. Set the permissions in the Multi-Domain Permission Profile to “Multi-Domain Super User.” Then click OK.
Then click “Publish.”
Now, you should be able to log in with the Windows user cpsmartconuser, using its active directory password.
If you need any assistance with your enterprise solutions, don't hesitate to reach out to contact@spikefishsolutions.com
Commenti