Sergo89
Contributor

Identity Awareness question

Hi All,

Could you advise how to solve this issue? We have a Cisco WLC (wireless controller) with RADIUS authentication; everything works fine, users can use their own AD credentials, get IPs from Windows DHCP and finally get access. Check Point uses the Identity Awareness blade and gets info from AD; I see the computer name and username in Check Point's logs. Unfortunately it works only with Windows clients; for Linux/Android/Mac/iOS I see only IPs. I know why this happens: Windows automatically registers in DNS and that has an association with the username, but for other OSes it doesn't work. Do you have any ideas/advice on how to solve it?

Thanks

0 Kudos
1 Solution

Accepted Solution
Chris_Atkinson
Employee

FYI, note the steps may be version dependent, in which case you should seek assistance from Cisco, but please refer to:

https://community.cisco.com/t5/other-wireless-mobility-subjects/how-to-configure-wlc-to-send-account...

16 Replies
Chris_Atkinson
Employee

Hi

Is Identity Awareness configured for only AD Query, RADIUS Accounting, or both?

Sergo89
Contributor
AD Query via LDAP; RADIUS is not configured. Can they work together?
0 Kudos
PhoneBoy
Admin
You should be able to configure RADIUS Accounting as an identity source as well.
Sergo89
Contributor
Sorry guys, how should it work? I configured RADIUS in Identity Awareness, but it doesn't work (not sure, maybe it was not configured properly, because the RADIUS config is tricky). The Cisco WLC uses RADIUS for auth; does Check Point use the same RADIUS?
0 Kudos
Chris_Atkinson
Employee

The WLC will send a copy of the RADIUS Accounting packets to the Check Point gateway, and we will obtain user/IP info from this based on the field mappings that you define within the IA config.

0 Kudos
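The mechanism Chris describes above (the WLC copies its Accounting-Request packets to the gateway, which checks them against the shared secret and maps attributes to a user/IP pair) is easiest to understand from a packet on the wire. The block below is an added example written for this thread, not code from Check Point, Cisco or any poster: it builds an RFC 2866 Accounting-Request Start the way a NAS would, then, on the receiving side, verifies the Request Authenticator with the shared secret and pulls out the attributes an identity source would map. The shared secret, IP addresses, user name, MAC and session ID are all made-up sample values.

```python
"""RADIUS Accounting-Request (RFC 2866) build / verify / decode.

Added example for this thread, not Check Point or Cisco code. It models the
exchange described in the post above: a NAS (the WLC) sends an
Accounting-Request to the gateway, which checks the Request Authenticator
against the shared secret and maps User-Name / Framed-IP-Address to an
identity. Every sample value below (secret, IPs, user, MAC, session id)
is constructed, not taken from a real capture.
"""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional, Tuple

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request (RFC 2866)
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Framed-IP-Address": 8,
        "Calling-Station-Id": 31, "Acct-Status-Type": 40, "Acct-Session-Id": 44}
ATTR_BY_ID = {v: k for k, v in ATTR.items()}
IPV4_ATTRS = {"NAS-IP-Address", "Framed-IP-Address"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _avp(type_id: int, value: bytes) -> bytes:
    """One attribute-value pair: Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", type_id, 2 + len(value)) + value


def build_acct_request(secret: bytes, ident: int, attrs: dict) -> bytes:
    """Encode attrs and sign with the Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b""
    for name, val in attrs.items():
        if name in IPV4_ATTRS:
            raw = ipaddress.IPv4Address(val).packed
        elif name == "Acct-Status-Type":
            raw = struct.pack("!I", val)
        else:
            raw = val.encode()
        body += _avp(ATTR[name], raw)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_acct_request(pkt: bytes, secret: bytes) -> dict:
    """Verify the Request Authenticator, then decode the attributes.
    Raises ValueError on a malformed packet or a shared-secret mismatch."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    auth, body = pkt[4:20], pkt[20:]
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(auth, expected):
        raise ValueError("Request Authenticator mismatch: wrong shared secret or altered packet")
    out, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        tid, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        raw = body[pos + 2:pos + alen]
        name = ATTR_BY_ID.get(tid, "Attr-%d" % tid)
        if name in IPV4_ATTRS and len(raw) == 4:
            out[name] = str(ipaddress.IPv4Address(raw))
        elif name == "Acct-Status-Type" and len(raw) == 4:
            out[name] = ACCT_STATUS.get(struct.unpack("!I", raw)[0], "Unknown")
        else:
            out[name] = raw.decode("utf-8", errors="replace")
        pos += alen
    return out


def identity_from_accounting(attrs: dict) -> Optional[Tuple[str, str]]:
    """The user<->IP binding an identity source derives from one record.
    Only Start / Interim-Update create a binding, and only when both the
    user and the client IP are present in the record."""
    if attrs.get("Acct-Status-Type") not in ("Start", "Interim-Update"):
        return None
    user, ip = attrs.get("User-Name"), attrs.get("Framed-IP-Address")
    if not user or not ip:
        return None
    return user, ip


SECRET = b"wlc-to-gw-shared-secret"  # made-up shared secret
SAMPLE_START = {                     # constructed Accounting Start, not a capture
    "User-Name": "CORP\\sergo",
    "NAS-IP-Address": "10.0.0.5",
    "Framed-IP-Address": "10.20.30.40",
    "Calling-Station-Id": "aa-bb-cc-dd-ee-ff",
    "Acct-Status-Type": 1,
    "Acct-Session-Id": "0001abcd",
}

if __name__ == "__main__":
    pkt = build_acct_request(SECRET, 7, SAMPLE_START)
    print(identity_from_accounting(parse_acct_request(pkt, SECRET)))
    try:
        parse_acct_request(pkt, b"wrong-secret")
    except ValueError as e:
        print("rejected:", e)
```

Two things this makes visible that are worth checking in a real capture. First, a shared-secret mismatch between the controller and the gateway fails exactly like the `ValueError` above: the sender gets no error, the receiver simply discards the record, and the symptom is "nothing in the logs". Second, a binding needs both `User-Name` and `Framed-IP-Address` in the same record; if a controller sends its Start before the client has a DHCP lease, the IP only arrives in a later Interim-Update, so interim records matter as much as the Start. Accounting uses UDP/1813 by default, so the port also has to be reachable on the gateway.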
Sergo89
Contributor
Chris, do I have to configure something on the WLC side?
0 Kudos
Chris_Atkinson
Employee

Unless your RADIUS server has the ability to "proxy" accounting records on to Check Point, you will need to configure/specify Check Point as a RADIUS Accounting server on the WLC side, yes.

0 Kudos
Sergo89
Contributor
Hi Chris,
sorry, it's still not clear to me how to configure it... I want to try changing RADIUS to LDAP on the WLC...
0 Kudos
Chris_Atkinson
Employee

If the WLC is already using RADIUS, you need to configure an additional Accounting server entry which is the Check Point IP. (We've not been discussing LDAP here.)

In case it is still unclear I will point you to a similar guide in a separate post soon.

0 Kudos
Chris_Atkinson
Employee

These guides show different RADIUS Accounting implementations for Identity Awareness. Depending upon your setup it may be much simpler to have the WLC send the RADIUS Accounting directly, as discussed.

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default...

https://community.checkpoint.com/t5/General-Topics/Identity-Awareness-RADIUS-Accounting-mode/m-p/151...
0 Kudos
Sergo89
Contributor
Thanks Chris! Will try it today.
0 Kudos
Sergo89
Contributor
Chris,
sorry for bothering you again; for two days I tried to implement different solutions. First of all, LDAP doesn't work: authentication works (same as with RADIUS), but there is still nothing in the logs (except Windows machines; even if they are not part of the domain, I see them and the usernames). Your solution: I tried to implement it, but I still don't understand how it should work. On the WLC I configured Check Point as an accounting server, and on the Check Point side I configured the WLC as a RADIUS client; I think that's wrong. I guess that in my configuration I have Windows NPS with RADIUS accounting turned on there, and the WLC and Check Point have to use it as the RADIUS server, no? Check Point support advised using the Captive Portal for access to wireless... but I'm not sure; in this case I would have to provide open access to the corporate wireless, then check users, and then they would try to get access to the network via the Check Point policy...
0 Kudos
Sergo89
Contributor
Fixed it! It works!!!
PhoneBoy
Admin
Define "not work."
It's also possible machine ID is not something RADIUS communicates at all.
0 Kudos
Sergo89
Contributor
I don't see any changes in the CP logs; still IPs, no usernames. Also it could be the stealth rule (just thinking right now); RADIUS traffic (I guess) is not included in the Implied Rules...
0 Kudos