Identity awareness - Access role based on MAC addr...

Frederic_Kasmir · ‎2017-10-19

Hello guys,

We have identity collector connected to AD servers and ISE servers.

ISE is able to identify some devices based on their MAC address:

# pep show user all | grep 2e:23
127.0.0.1 :00000000; ad11a944 @xx:xx:xx:xx:2e:23 xx.xx.xx.xx , 00000000 -

# pdp monitor machine xx:xx:xx:xx:2e:23

Session: ad11a944
Session UUID: {D228D90A-0315-B8D8-29D1-B4DFAB3DF4F1}
Ip: xx.xx.xx.xx
Machine:
xx:xx:xx:xx:2e:23 {5cce349d}
   Groups: -
   Roles: -
   Client Type: Identity Collector (Cisco ISE)
   Authentication Method: Trust
   Distinguished Name:
   Connect Time: Tue Oct 10 12:38:36 2017
   Next Reauthentication: Thu Oct 19 21:48:43 2017
   Next Connectivity Check: -
   Next Ldap Fetch: -

Packet Tagging Status: Not Active
Published Gateways: Local

Is there a way to create access role / firewall rules based on those devices / mac address?

When I am trying to create a access role based on machine section, it seems to lookup only on the AD directory

Thanks,

Frederic

Marco_Valenti · ‎2017-10-19

what do you want to achieve? as far as I know it can't be possible to create an access role based on a mac address , you can create one based on machine name for sure

Frederic_Kasmir · ‎2017-10-19

We would like to create firewall rules for some specific devices like Android / Ipad which are only authenticated by their MAC address.

Marco_Valenti · ‎2017-10-19

I understand , are user authenticated against an ldap database? in some scenario you can enable radius accounting in identity awareness and try to get the relevant radius message trough the cisco ise and see if you can receive identity in that way.

Since I don't know in wich way cisco ise work I don't know if this can be really a way to follow for your objective

Timothy_Hall · ‎2017-10-19

The MAC address may be showing up in the IA identity mappings, but there is no way to leverage MAC addresses in a gateway policy. By the time the SecureXL/INSPECT driver on the gateway receives the IP packet for inspection, the Layer 2 header (including MAC addresses) has already been stripped off by the relevant Gaia Ethernet driver.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Felipe_Goulart · ‎2017-10-19

I think the best step here is to authenticate this users by username and password through Cisco ISE by using 802.1x. Why do you need to authenticate this devices by mac address?

Tzvi_Katz · ‎2017-10-19

Hello Fredric,

There is an RFE (and it is planned to be part of the upcoming R80.20 release) that support a new concept of External Tag which represent a group which is neither internal or LDAP and can be considered as somewhat of a label, so you can create an External Tag which is the same as your Cisco ISE SGT and incorporate it into the Access Role.

Please follow up with Check Point Solution Center to get this RFE.

Best regards,

Tzvi Katz, Identity Awareness & Access Client Group Manager.

Are you a member of CheckMates?

Identity awareness - Access role based on MAC address