Martin_Seeger
Collaborator

Identity Collector & Cisco ISE 2.6

Hello,

has anyone already tried to connect the Check Point Identity Collector to a Cisco Identity Services Engine (ISE) Version 2.6 via pxGrid?

I know it is not supported yet (only up to 2.4), but perhaps someone has tried already (and even succeeded).

I have to next week.... Problem is that DNA Center 1.3.1 requires ISE 2.6.

Yours, Martin

0 Kudos
16 Replies
PhoneBoy
Admin

@Royi_Priov what say you?

0 Kudos
Royi_Priov
Employee

Hi @Martin_Seeger ,

It was not tested by our QA yet.

However, from last certifications we didn't find any issues.

Did it work for you eventually?

Thanks,

Royi Priov
Group manager, Identity Awareness R&D
0 Kudos
Martin_Seeger
Collaborator

Hello @Royi_Priov ,

thank you for the information. That is really useful. We are currently trying to set up a connection to the ISE 2.6. I think we will see the results within the next week. I will report here.

Yours, Martin

0 Kudos
Martin_Seeger
Collaborator

Update: Connection to the ISE 2.6 seems to be working. We get Login/Logout events and the group names are matching known SGTs. Now we will build some rules.

Yours, Martin

0 Kudos
ramtinrezaei
Explorer

Hello all,

I tried to integrate R80.10 with ISE 2.6 and I wanted to know if you have already done it and what the result was, if it works for you or NOT?

I know it's not recommended by Check Point.

thanks in advance 

0 Kudos
Martin_Seeger
Collaborator

Hi,

we are doing it with R80.30 and Cisco ISE 2.6. It looks good (we see the IA events in the log), but we have not completed the tests. I will update this post when we are finished.

Yours, Martin

David_Brodin
Contributor

Hi @Martin_Seeger 

Any new information on r80.30 and Cisco ISE 2.6?

BR,

David

0 Kudos
Martin_Seeger
Collaborator

Short answer: Yes & No

Long answer:

  • It generally works: we see session information appearing and can implement filters on Check Point based on SGT information.
  • We still have problems as we do not get session information about all clients. We debugged long and hard because we thought the problem to be on the Identity Collector side.
  • With the help of people at Check Point we found a tool from Cisco with which you can dump all session information into a file. As it turns out, the dump misses the same sessions as the Check Point Identity Collector does. That put the ball right into the field of Cisco.
  • The support case with Cisco is now open for four weeks. It took quite a while to explain what the problem is.
  • We just found out that our problem correlates with the lack of accounting information. Those sessions have no IP address in the Cisco debugs and are therefore not "publish-worthy on pxGrid".
  • Our best guess is that we have problems with the RADIUS accounting. This is used to transmit the IP address information between the switch and the Cisco ISE.

It is quite an adventure so far. We are probably the first to implement Check Point SGT based firewalling in conjunction with Cisco DNA.

Yours, Martin

(1)
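A small triage script for the symptom Martin describes (sessions without an IP address are never published to the Identity Collector). This is an added example, not Check Point or Cisco code; it assumes the session dump is a JSON list using pxGrid-style field names (ipAddresses, nasIpAddress, userName, ctsSecurityGroup), and the records are constructed. It groups the IP-less sessions by the NAS that authenticated them, which points at the switch or WLC whose RADIUS accounting should be checked first.

```python
import json
from collections import defaultdict

# Constructed sample dump (not real ISE output): two sessions carry an IP,
# two arrived without one, i.e. no accounting update reached ISE for them.
SAMPLE_DUMP = json.dumps([
    {"userName": "alice", "ipAddresses": ["10.1.20.15"],
     "nasIpAddress": "10.0.0.11", "ctsSecurityGroup": "Employees"},
    {"userName": "bob", "ipAddresses": [],
     "nasIpAddress": "10.0.0.12", "ctsSecurityGroup": "Employees"},
    {"userName": "carol", "ipAddresses": ["10.1.30.7"],
     "nasIpAddress": "10.0.0.12", "ctsSecurityGroup": "Contractors"},
    {"userName": "dave",  # no ipAddresses key at all
     "nasIpAddress": "10.0.0.12", "ctsSecurityGroup": "Contractors"},
])


def load_sessions(dump_text):
    """Parse a JSON session dump into a list of session dicts."""
    return json.loads(dump_text)


def has_ip(session):
    """The Identity Collector can only map a session that carries an IP."""
    return bool(session.get("ipAddresses"))


def missing_ip_by_nas(sessions):
    """Group the user names of IP-less sessions by the NAS (switch/WLC).

    A NAS with many IP-less sessions is the device whose RADIUS accounting
    (the carrier of the client IP address) should be examined first.
    """
    report = defaultdict(list)
    for s in sessions:
        if not has_ip(s):
            report[s.get("nasIpAddress", "unknown")].append(s.get("userName", "?"))
    return dict(report)


def coverage(sessions):
    """Fraction of sessions that can become identity/SGT mappings on the gateway."""
    if not sessions:
        return 0.0
    return sum(1 for s in sessions if has_ip(s)) / len(sessions)


if __name__ == "__main__":
    sessions = load_sessions(SAMPLE_DUMP)
    print(f"publishable sessions: {coverage(sessions):.0%}")
    for nas, users in missing_ip_by_nas(sessions).items():
        print(f"NAS {nas}: {len(users)} session(s) without IP -> {', '.join(users)}")
```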
David_Brodin
Contributor

I just read your message properly.
We experience a bit of the same: some clients do not show up as a session. This, I've figured out, is probably 99% our wireless clients, but only a very few of them, and these clients have for some reason not triggered an accounting update from the WLC. I haven't looked into this but have thought that the authentication went wrong or something. We are using Cisco WLC 5508 and 5520, tunneled (FlexConnect) from inside Cisco SDA/DNA, so no VXLAN to the AP.
Our SDA switches are by default configured to send accounting via the switches' default update interval, some 2 days (172000s) on Cat9300. We haven't concluded on any different interval to use yet.

Sure is an adventure and will be amazing when it works! Rest assured that you are not alone! We are also trying to use SGT in our rules! 🙂
I've sent you a message directly.

0 Kudos
David_Brodin
Contributor

Can I ask what patch level your ISE is on? We are on patch 3 and I remember seeing sessions that don't have IP addresses.

What tool is it that you used to dump the session information?
0 Kudos
Martin_Seeger
Collaborator

Version 2.6.0.156
Installed Patches: 1,3
0 Kudos
Sal_Previtera
Contributor

@Martin_Seeger,

would it be possible for you to share how you got the certificates working between Cisco ISE 2.6 and the CP Identity collector?

I am having problems that ISE 2.6 does not accept the certificate installed on CP Identity Collector...so communication is never established between the two devices.

I have the CP identity sources and CP gateway working fine with AD domains...no problems there.

Any info is appreciated....Thanks

0 Kudos
Martin_Seeger
Collaborator

We followed these instructions: https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/general-topics/10644/1/Check%20Po...

Challenge: The instructions are based on the premise that you use PEM-format for certificates. But the IDC requires them to be in the JKS format now. Those need to be converted. We used a tool called "KeyStore Explorer" for that.

Yours, Martin

P.S. We have currently problems with the IDC and support thinks it may have something to do with the certificates. I do not believe that as the problem occurs after about 6h of communication.

Tim_H
Explorer

Hello Martin,

- we have the Cisco ISE 2.6 and the CP Identity Collector installed.

- we can see the login and logout of the users in the Identity Awareness Blade

- but we cannot build fw rules based on the SGT tags. We tried everything (identity tags, CGST User groups...)

Do you have a hint or an example how to configure these fw rules?

Thx in advance. Tim

0 Kudos
julianomluz
Explorer

Did TAC point to a solution for sessions not being published to the Identity Collector? We are facing the same problem here with Identity Collector and ISE 2.7.

0 Kudos
lolith
Participant

Hi, 

Does R80.10 support ISE 2.6 for pxGrid integration?

I have successfully integrated IDC with Cisco ISE, but the SGT configured on ISE is not auto-polled? Is that something expected? Or should the SGT be auto-populated when creating access roles? As per the white paper from Check Point, it is mentioned to create the SGT manually, the same as what is configured on ISE, with the prefix CSGT. Is this the behavior I should expect?

0 Kudos