Identity Collector & Cisco ISE 2.6

Hello,

has anyone already tried to connect the Check Point Identity Collector to a Cisco Identity Services Engine (ISE) Version 2.6 via pxGrid?

I know it is not supported yet (only up to 2.4), but perhaps someone has tried already (and even succeeded).

I have to next week.... Problem is, that DNA Center 1.3.1 requires ISE 2.6.

Yours, Martin

11 Replies
Admin

@Royi_Priov what say you?

Employee+

Hi @Martin_Seeger ,

It was not tested by our QA yet.

However, from last certifications we didn't find any issues.

Did it work for you eventually?

Thanks,
Royi Priov
Group manager, Identity Awareness R&D

Hello @Royi_Priov ,

thank you for the information. That is really useful. We are currently trying to setup a connection to the ISE 2.6. I think we will see the results within the next week. I will report here.

Yours, Martin


Update: Connection to the ISE 2.6 seems to be working. We get Login/Logout events and the group names are matching known SGTs. Now we will build some rules.

Yours, Martin


Hello all,

I tried to integrate R80.10 with ISE 2.6 and I wanted to know if you have already done it and what the result was: does it work for you or NOT?

I know it's not recommended by Check Point.

Thanks in advance

Hi,

we are doing it with R80.30 and Cisco ISE 2.6. It looks good (we see the IA events in the log), but we have not completed the tests. I will update this post when we are finished.

Yours, Martin


Hi @Martin_Seeger 

Any new information on r80.30 and Cisco ISE 2.6?

BR,

David


Short answer: Yes & No

Long answer:

  • It generally works: we see session information appearing and can implement filters on Check Point based on SGT information.
  • We still have problems, as we do not get session information about all clients. We debugged long and hard because we thought the problem was on the Identity Collector side.
  • With the help of people at Check Point we found a tool from Cisco with which you can dump all session information into a file. As it turns out, the dump misses the same sessions as the Check Point Identity Collector does. That put the ball right into Cisco's court.
  • The support case with Cisco has now been open for four weeks. It took quite a while to explain what the problem is.
  • We just found out that our problem correlates with the lack of accounting information. Those sessions have no IP address in the Cisco debugs and are therefore not "publish-worthy on pxGrid".
  • Our best guess is that we have problems with the RADIUS accounting. This is used to transmit the IP address information between the switch and the Cisco ISE.

It is quite an adventure so far. We are probably the first to implement Check Point SGT based firewalling in conjunction with Cisco DNA.

Yours, Martin


I just read your message properly.
We experience a bit of the same, some clients do not show up as a session. This I've figured out is probably 99% our wireless clients, but only a very few of them, and these clients have for some reason not triggered an accounting update from the WLC. I haven't looked into this but have thought that the authentication went wrong or something. We are using Cisco WLC 5508 and 5520, tunneled (flexconnect) from inside Cisco SDA/DNA, so no vxlan to the AP.
Our SDA switches are by default configured to send accounting updates at the switch's default update interval, some 2 days (172000 s) on a Cat 9300. We haven't concluded on any different interval to use yet.

Sure is an adventure and will be amazing when it works! Rest assured that you are not alone! We are also trying to use SGT in our rules! 🙂
I've sent you a message directly.

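An added example, written for this thread and not taken from either poster, from the Cisco session dump tool or from Check Point: it performs the triage the two posts above describe. Given a session dump, it separates sessions that carry an IP address (the only ones that can reach the Identity Collector as an IP-to-user/SGT mapping) from those that do not, and counts the IP-less sessions per NAS device, so a switch or WLC whose RADIUS accounting is not reaching ISE stands out. The record layout and field names (`ipAddresses`, `ctsSecurityGroup`, `nasIpAddress`, `state`) are assumed to follow pxGrid 2.0 session records; the dump itself is constructed.

```python
"""Triage an ISE session dump for sessions that carry no IP address.

Added example: not the Cisco dump tool and not Check Point code. The record
layout is an assumption (pxGrid 2.0 session records); the dump is constructed.
"""
import json
from collections import defaultdict

# Constructed sample dump (all values invented). "ipAddresses" is empty or
# absent where ISE never received an accounting update carrying the client IP.
SAMPLE_DUMP = json.dumps({"sessions": [
    {"userName": "alice", "macAddress": "00:11:22:33:44:01", "ipAddresses": ["10.1.1.10"],
     "ctsSecurityGroup": "Employees", "nasIpAddress": "10.0.0.1", "state": "STARTED"},
    {"userName": "bob", "macAddress": "00:11:22:33:44:02", "ipAddresses": [],
     "ctsSecurityGroup": "Employees", "nasIpAddress": "10.0.0.1", "state": "AUTHENTICATED"},
    {"userName": "frank", "macAddress": "00:11:22:33:44:06", "ipAddresses": ["10.1.1.11"],
     "ctsSecurityGroup": "Contractors", "nasIpAddress": "10.0.0.1", "state": "STARTED"},
    {"userName": "carol", "macAddress": "00:11:22:33:44:03", "ipAddresses": ["10.1.2.20"],
     "ctsSecurityGroup": "Contractors", "nasIpAddress": "10.0.0.2", "state": "STARTED"},
    {"userName": "dave", "macAddress": "00:11:22:33:44:04",
     "ctsSecurityGroup": "Employees", "nasIpAddress": "10.0.0.2", "state": "AUTHENTICATED"},
    {"userName": "erin", "macAddress": "00:11:22:33:44:05", "ipAddresses": [],
     "ctsSecurityGroup": "Guests", "nasIpAddress": "10.0.0.2", "state": "AUTHENTICATED"},
]})


def parse_sessions(dump_text):
    """Load the session list from a JSON dump."""
    return json.loads(dump_text).get("sessions", [])


def has_ip(session):
    """A session can be turned into a firewall identity only if ISE knows an IP for it."""
    return bool(session.get("ipAddresses"))


def split_sessions(sessions):
    """Return (publishable, missing_ip): sessions with and without an IP address."""
    publishable = [s for s in sessions if has_ip(s)]
    missing = [s for s in sessions if not has_ip(s)]
    return publishable, missing


def ip_to_identity(sessions):
    """The mapping the gateway ends up enforcing on: IP -> (user, SGT)."""
    mapping = {}
    for s in sessions:
        for ip in s.get("ipAddresses") or []:
            mapping[ip] = (s.get("userName"), s.get("ctsSecurityGroup"))
    return mapping


def missing_ip_by_nas(sessions):
    """Count sessions with/without an IP per NAS (switch or WLC).

    A NAS where a large share of sessions lacks an IP is the device whose
    RADIUS accounting is not delivering the client IP to ISE.
    """
    stats = defaultdict(lambda: {"total": 0, "no_ip": 0})
    for s in sessions:
        nas = s.get("nasIpAddress", "unknown")
        stats[nas]["total"] += 1
        if not has_ip(s):
            stats[nas]["no_ip"] += 1
    return dict(stats)


def report(dump_text):
    """Summary lines: overall count, each IP-less session, and the per-NAS ratio."""
    sessions = parse_sessions(dump_text)
    _, missing = split_sessions(sessions)
    lines = [f"{len(sessions)} sessions, {len(missing)} without IP (not published)"]
    for s in missing:
        lines.append(f"  no IP: user={s.get('userName')} mac={s.get('macAddress')} "
                     f"nas={s.get('nasIpAddress')} state={s.get('state')}")
    for nas, st in sorted(missing_ip_by_nas(sessions).items()):
        lines.append(f"  NAS {nas}: {st['no_ip']}/{st['total']} sessions without IP")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DUMP)))
```

Run against a real dump, the list of IP-less sessions is the set to compare with what the Identity Collector shows; if both miss the same sessions, as in the thread, the collector is not the problem, and the per-NAS ratio says which device to check accounting on first.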

Can I ask what patch-level your ISE is on? We are on patch3 and I remember seeing sessions that don't have IP-addresses.

What tool is it that you used to dump the session information?

Version 2.6.0.156
Installed Patches: 1,3