topic Re: Identity Awareness question in Firewall and Security Management

Identity Awareness question

Sergo89 — Sun, 19 Apr 2020 00:12:33 GMT

Hi All,

Could you advise how to solve this issue. We have Cisco WLC (wireless controller) with RADIUS authentication, everything works fine, users can use own AD credentials and get IPs from Windows DHCP and access finally. CheckPoint uses Identity Awareness blade and get info from AD, i see computer name and username in CheckPoint's logs. Unfortunately it works only with Windows clients, for Linux/Android/Mac/iOS i see only IPs. i know why its happen, Windows automatically register in DNS and it has association with username, but for other OS it doesnt work. do you have any ideas/advises how to solve it?

THANKS

Re: Identity Awareness question

Chris_Atkinson — Sun, 19 Apr 2020 01:11:09 GMT

Is Identity Awareness configured for only ADquery, Radius Accounting or both?

Re: Identity Awareness question

Sergo89 — Sun, 19 Apr 2020 01:36:59 GMT

AD query via LDAP, radius not configured. do they can works together?

Re: Identity Awareness question

PhoneBoy — Sun, 19 Apr 2020 02:05:03 GMT

Should be able to also configure RADIUS Accounting as an identity source as well.

Re: Identity Awareness question

Sergo89 — Tue, 21 Apr 2020 14:56:34 GMT

Sorry guys, how it should works? i configured Radius in Identity Awareness, but it doesnt work (not sure, maybe it was configured not properly, because Radius config is tricky). Cisco WLC use Radius for auth, and checkpoint use same Radius?

Re: Identity Awareness question

Chris_Atkinson — Tue, 21 Apr 2020 15:21:43 GMT

WLC will send a copy of Radius Accounting packets to Check Point gateway and we will obtain user/IP info from this based on the field mappings that you define within IA config.

Re: Identity Awareness question

PhoneBoy — Tue, 21 Apr 2020 15:33:33 GMT

Define "not work."
It's also possible machine ID is not something RADIUS communicates at all.

Re: Identity Awareness question

Sergo89 — Tue, 21 Apr 2020 16:07:49 GMT

I dont see any changes in CP logs, still IPs no usernames. Also it can be stealth rule (just thinking right now), radius traffic (i guess) not included to Implied rules ..

Re: Identity Awareness question

Sergo89 — Tue, 21 Apr 2020 21:27:45 GMT

Chris, do i have to configure something on WLC side?

Re: Identity Awareness question

Chris_Atkinson — Tue, 21 Apr 2020 23:47:53 GMT

Unless your Radius server has the ability to "proxy" accounting records onto Check Point you will need to configure/specify Check Point as an Radius Accounting server on the WLC side yes.

Re: Identity Awareness question

Sergo89 — Wed, 22 Apr 2020 14:22:56 GMT

Hi Chris,
sorry, still not clear for me, how to configure it... i want to try change Radius to LDAP on WLC...

Re: Identity Awareness question

Chris_Atkinson — Wed, 22 Apr 2020 15:16:31 GMT

If the WLC is already using Radius you need to configure an additional Accounting server entry which is the Check Point IP. (We've not been discussing LDAP here.)

In case it is still unclear I will point you to a similar guide in a separate post soon.

Re: Identity Awareness question

Chris_Atkinson — Wed, 22 Apr 2020 15:36:33 GMT

These guides show different Radius Accounting implementations for Identity Awareness. Depending upon your setup it may be much simpler to have the WLC send the Radius Accounting directly as discussed.

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33265

https://community.checkpoint.com/t5/General-Topics/Identity-Awareness-RADIUS-Accounting-mode/m-p/15108#M2559

Re: Identity Awareness question

Sergo89 — Wed, 22 Apr 2020 15:46:38 GMT

Thanks Chris! will try it today

Re: Identity Awareness question

Chris_Atkinson — Wed, 22 Apr 2020 23:29:33 GMT

FYI, note the steps may be version dependent in which case you should seek assistance from Cisco but please refer:

https://community.cisco.com/t5/other-wireless-mobility-subjects/how-to-configure-wlc-to-send-accounting-message-to-radius-server/td-p/3307846

Re: Identity Awareness question

Sergo89 — Sat, 25 Apr 2020 00:13:42 GMT

Chris,
sorry that bothering you again, two days tried to implement different solutions. First of all, LDAP doesnt work, authentication works (same like Radius), but still nothing in logs (except Windows machines, even if they are not part of domain, i see them and usernames). Your solution, i tried to implement it but, still dont understand how it should works. WLC, i configured an accounting server is CheckPoint, on checkpoint side i configured WLC like Radius Client, i think its wrong. I guess, in my configuration, i have Windows NPS, and turned on Radius accounting there , and WLC and CHeckpoint have to use it like Radius server, no? CHeckpoint support advised to use Captive portal for access to wireless ... but i am not sure... in this case i have to provide open access to wireless corp, and next check users, then they will try to get access to network via checkpoint policy...

Re: Identity Awareness question

Sergo89 — Tue, 28 Apr 2020 16:00:42 GMT

Fixed it! it works!!!