
Identity awareness - Access role based on MAC address

Hello guys,

We have identity collector connected to AD servers and ISE servers.

ISE is able to identify some devices based on their MAC address:

# pep show user all | grep 2e:23
:00000000; ad11a944  @xx:xx:xx:xx:2e:23                  xx.xx.xx.xx                , 00000000  -

# pdp monitor machine xx:xx:xx:xx:2e:23

Session:  ad11a944
Session UUID:  {D228D90A-0315-B8D8-29D1-B4DFAB3DF4F1}
Ip:  xx.xx.xx.xx
 xx:xx:xx:xx:2e:23 {5cce349d}
   Groups: -
   Roles: -
   Client Type: Identity Collector (Cisco ISE)
   Authentication Method: Trust
   Distinguished Name:
   Connect Time: Tue Oct 10 12:38:36 2017
   Next Reauthentication: Thu Oct 19 21:48:43 2017
   Next Connectivity Check: -
   Next Ldap Fetch: -

Packet Tagging Status:  Not Active
Published Gateways:  Local

Is there a way to create access roles / firewall rules based on those devices / MAC addresses?

When I try to create an access role based on the machine section, it seems to look up only the AD directory.



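The `pdp monitor machine` dump quoted above is the evidence the poster is working from: the ISE-learned identity has a MAC address as its name and no Groups, Roles or Distinguished Name, which is exactly the data an Access Role matches on. The following parser is an added example written for this thread; it is not Check Point code and not something the participants posted. It parses dumps in the layout shown above and flags identities that carry none of those fields. Both sample dumps are constructed: the first mirrors the quoted ISE session (addresses masked as in the original), the second is an invented AD machine session whose field values (group names, DN, client-type string) are assumptions about the format, not real gateway output.

```python
"""Parse `pdp monitor` session dumps and flag identities that an Access Role
has nothing to match on (no Groups, Roles or Distinguished Name).

Added example for this thread; not Check Point code. The dump layout beyond
what the thread quotes is an assumption.
"""
import re

# Constructed sample, modelled on the ISE session quoted in the thread.
SAMPLE_ISE = """Session:  ad11a944
Session UUID:  {D228D90A-0315-B8D8-29D1-B4DFAB3DF4F1}
Ip:  xx.xx.xx.xx
 xx:xx:xx:xx:2e:23 {5cce349d}
   Groups: -
   Roles: -
   Client Type: Identity Collector (Cisco ISE)
   Authentication Method: Trust
   Distinguished Name:
   Connect Time: Tue Oct 10 12:38:36 2017
   Next Reauthentication: Thu Oct 19 21:48:43 2017
   Next Connectivity Check: -
   Next Ldap Fetch: -

Packet Tagging Status:  Not Active
Published Gateways:  Local
"""

# Constructed contrast case: an AD-learned machine identity. Every value here
# (session id, hostname, groups, DN, client-type string) is invented.
SAMPLE_AD = """Session:  1a2b3c4d
Session UUID:  {00000000-0000-0000-0000-000000000000}
Ip:  xx.xx.xx.xx
 pc-lab-07$@example.local {0c0ffee1}
   Groups: ad_group_Domain Computers;ad_group_Lab-Workstations
   Roles: Lab_Workstations_Role
   Client Type: Identity Collector (Active Directory)
   Authentication Method: Trust
   Distinguished Name: CN=PC-LAB-07,OU=Workstations,DC=example,DC=local
   Next Ldap Fetch: Thu Oct 19 21:48:43 2017

Packet Tagging Status:  Not Active
Published Gateways:  Local
"""

# Identity header: one leading space, a name (MAC or account), then "{id}".
HEADER_RE = re.compile(r"^ (\S+) \{([0-9a-fA-F]+)\}\s*$")
# "Key: value" line; the key is letters/spaces up to the first colon.
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def _clean(value):
    """Treat '-' and an empty value as 'no data'."""
    value = value.strip()
    return None if value in ("", "-") else value


def parse_pdp_monitor(text):
    """Return {'session': {...}, 'identities': [{...}, ...]}.

    Column-0 'Key:  value' lines belong to the session; an indented
    '<name> {id}' line opens an identity block whose indented lines are
    collected into it until the next unindented line.
    """
    result = {"session": {}, "identities": []}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        header = HEADER_RE.match(raw)
        if header:
            current = {"name": header.group(1), "id": header.group(2)}
            result["identities"].append(current)
            continue
        kv = KV_RE.match(raw)
        if not kv:
            continue
        key, value = kv.group(1).strip(), _clean(kv.group(2))
        if current is not None and raw.startswith(" "):
            current[key] = value
        else:
            current = None
            result["session"][key] = value
    return result


def access_role_matchable(identity):
    """An Access Role selects on AD users/machines/groups; with no Groups,
    Roles or DN there is nothing for it to reference."""
    return any(identity.get(k) for k in ("Groups", "Roles", "Distinguished Name"))


def audit(dumps):
    """One row per identity across the given dumps."""
    rows = []
    for dump in dumps:
        parsed = parse_pdp_monitor(dump)
        for ident in parsed["identities"]:
            rows.append({
                "session": parsed["session"].get("Session"),
                "ip": parsed["session"].get("Ip"),
                "name": ident["name"],
                "client_type": ident.get("Client Type"),
                "auth_method": ident.get("Authentication Method"),
                "matchable": access_role_matchable(ident),
            })
    return rows


if __name__ == "__main__":
    for row in audit([SAMPLE_ISE, SAMPLE_AD]):
        verdict = "OK" if row["matchable"] else "NO GROUP/ROLE/DN DATA"
        print(f"{row['name']:<28} {row['client_type']:<40} {verdict}")
```

On a real gateway the input would come from piping `pdp monitor machine <mac>` (or `pdp monitor all`) into the script; the MAC-only identities it flags are the ones the replies below say cannot be referenced from an Access Role.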
6 Replies

What do you want to achieve? As far as I know it isn't possible to create an access role based on a MAC address; you can create one based on machine name for sure.


We would like to create firewall rules for some specific devices like Android / iPad which are only authenticated by their MAC address.

I understand. Are the users authenticated against an LDAP database? In some scenarios you can enable RADIUS accounting in Identity Awareness and try to get the relevant RADIUS messages through the Cisco ISE and see if you can receive the identity that way.

Since I don't know in which way Cisco ISE works, I don't know if this can really be a way to follow for your objective.


The MAC address may be showing up in the IA identity mappings, but there is no way to leverage MAC addresses in a gateway policy. By the time the SecureXL/INSPECT driver on the gateway receives the IP packet for inspection, the Layer 2 header (including MAC addresses) has already been stripped off by the relevant Gaia Ethernet driver.


I think the best step here is to authenticate these users by username and password through Cisco ISE using 802.1X. Why do you need to authenticate these devices by MAC address?


Hello Fredric,

There is an RFE (and it is planned to be part of the upcoming R80.20 release) that supports a new concept of External Tag, which represents a group that is neither internal nor LDAP and can be considered as somewhat of a label, so you can create an External Tag that is the same as your Cisco ISE SGT and incorporate it into the Access Role.

Please follow up with Check Point Solution Center to get this RFE.

Best regards, 

Tzvi Katz, Identity Awareness & Access Client Group Manager.