Frederic_Kasmir
Participant

Identity awareness - Access role based on MAC address

Hello guys,

We have identity collector connected to AD servers and ISE servers.

ISE is able to identify some devices based on their MAC address:

# pep show user all | grep 2e:23
127.0.0.1      :00000000; ad11a944  @xx:xx:xx:xx:2e:23                  xx.xx.xx.xx                , 00000000  -


# pdp monitor machine xx:xx:xx:xx:2e:23

Session:  ad11a944
Session UUID:  {D228D90A-0315-B8D8-29D1-B4DFAB3DF4F1}
Ip:  xx.xx.xx.xx
Machine:
 xx:xx:xx:xx:2e:23 {5cce349d}
   Groups: -
   Roles: -
   Client Type: Identity Collector (Cisco ISE)
   Authentication Method: Trust
   Distinguished Name:
   Connect Time: Tue Oct 10 12:38:36 2017
   Next Reauthentication: Thu Oct 19 21:48:43 2017
   Next Connectivity Check: -
   Next Ldap Fetch: -

Packet Tagging Status:  Not Active
Published Gateways:  Local

Is there a way to create access role / firewall rules based on those devices / mac address?

When I am trying to create an access role based on the machine section, it seems to look up only the AD directory.

Thanks,

Frederic

0 Kudos
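An added example, not part of the original post: a small Python parser for the `pdp monitor machine` layout quoted above, which pulls out the session IP, the machine MAC and the collector attributes, and flags entries whose only basis is a MAC address learned through the identity collector (no groups, roles or distinguished name). That gives an administrator a quick inventory of which identity mappings are MAC-only before deciding how to handle them in policy. The sample outputs are constructed (placeholder MACs in the locally administered range, TEST-NET IPs, made-up session IDs, and a hypothetical AD client-type string) and are not taken from a real gateway.

```python
import re

# Constructed sample modelled on the `pdp monitor machine` output quoted in the post.
# MAC, IP and session identifiers are placeholders, not values from a real gateway.
SAMPLE_ISE_OUTPUT = """\
Session:  ad11a944
Session UUID:  {00000000-0000-0000-0000-000000000001}
Ip:  192.0.2.23
Machine:
 02:00:00:00:2e:23 {5cce349d}
   Groups: -
   Roles: -
   Client Type: Identity Collector (Cisco ISE)
   Authentication Method: Trust
   Distinguished Name:
   Connect Time: Tue Oct 10 12:38:36 2017
   Next Reauthentication: Thu Oct 19 21:48:43 2017
   Next Connectivity Check: -
   Next Ldap Fetch: -

Packet Tagging Status:  Not Active
Published Gateways:  Local
"""

# Second constructed sample: a directory-joined machine carrying a group and a DN.
# The client-type string and group/DN values are hypothetical.
SAMPLE_AD_OUTPUT = """\
Session:  1a2b3c4d
Session UUID:  {00000000-0000-0000-0000-000000000002}
Ip:  192.0.2.42
Machine:
 02:00:00:00:aa:42 {7d8e9f00}
   Groups: ad_machine_group_example
   Roles: -
   Client Type: Identity Collector (Active Directory)
   Authentication Method: Trust
   Distinguished Name: CN=LAPTOP-EXAMPLE,OU=Workstations,DC=example,DC=test
   Connect Time: Tue Oct 10 12:40:00 2017
   Next Reauthentication: Thu Oct 19 21:50:00 2017
   Next Connectivity Check: -
   Next Ldap Fetch: -

Packet Tagging Status:  Not Active
Published Gateways:  Local
"""

# " aa:bb:cc:dd:ee:ff {id}" line that opens the machine block
MAC_LINE_RE = re.compile(r"^\s*([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*\{([0-9a-f]+)\}\s*$", re.I)
# "Key: value" lines; the key is matched lazily so the first colon ends it
KV_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def _normalise(key, value):
    """Turn 'Client Type' into 'client_type'; map '-' and empty values to None."""
    key = key.strip().lower().replace(" ", "_")
    value = value.strip()
    return key, (None if value in ("", "-") else value)


def parse_pdp_monitor(text):
    """Parse one `pdp monitor machine` record into {'session': {...}, 'machine': {...}}."""
    record = {"session": {}, "machine": None}
    in_machine = False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.strip() == "Machine:":
            in_machine = True
            continue
        mac_match = MAC_LINE_RE.match(line)
        if in_machine and mac_match:
            record["machine"] = {"mac": mac_match.group(1).lower(),
                                 "id": mac_match.group(2), "attrs": {}}
            continue
        kv = KV_RE.match(line)
        if not kv:
            continue
        key, value = _normalise(kv.group(1), kv.group(2))
        if in_machine and line.startswith(" ") and record["machine"] is not None:
            record["machine"]["attrs"][key] = value   # indented: belongs to the machine
        else:
            in_machine = False   # an unindented key (Packet Tagging Status...) ends the block
            record["session"][key] = value
    return record


def is_mac_only_identity(record):
    """True when all the gateway knows about the endpoint is a trusted MAC address:
    a machine entry with no groups, no roles and no distinguished name."""
    machine = record.get("machine")
    if machine is None:
        return False
    attrs = machine["attrs"]
    return (attrs.get("groups") is None and attrs.get("roles") is None
            and attrs.get("distinguished_name") is None
            and attrs.get("authentication_method") == "Trust")


def mac_only_report(outputs):
    """Summarise several pdp outputs as (ip, mac, client_type, mac_only) tuples."""
    rows = []
    for text in outputs:
        rec = parse_pdp_monitor(text)
        machine = rec["machine"] or {"mac": None, "attrs": {}}
        rows.append((rec["session"].get("ip"), machine["mac"],
                     machine["attrs"].get("client_type"), is_mac_only_identity(rec)))
    return rows


if __name__ == "__main__":
    for ip, mac, client, mac_only in mac_only_report([SAMPLE_ISE_OUTPUT, SAMPLE_AD_OUTPUT]):
        label = "MAC-only" if mac_only else "directory-backed"
        print(f"{ip:<16} {mac}  {client or '?':<40} {label}")
```

In practice you would feed the script the captured output of `pdp monitor machine <mac>` for each MAC in the `pep show user all` listing; the report then shows which mappings carry directory attributes an access role can match on and which are MAC-only.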
6 Replies
Marco_Valenti
Advisor

What do you want to achieve? As far as I know it isn't possible to create an access role based on a MAC address; you can create one based on machine name for sure.

0 Kudos
Frederic_Kasmir
Participant

We would like to create firewall rules for some specific devices like Android / iPad which are only authenticated by their MAC address.

Marco_Valenti
Advisor

I understand. Are users authenticated against an LDAP database? In some scenarios you can enable RADIUS accounting in Identity Awareness and try to get the relevant RADIUS message through the Cisco ISE and see if you can receive identity that way.

Since I don't know in which way Cisco ISE works, I don't know if this can really be a way to follow for your objective.

0 Kudos
Timothy_Hall
Champion

The MAC address may be showing up in the IA identity mappings, but there is no way to leverage MAC addresses in a gateway policy.  By the time the SecureXL/INSPECT driver on the gateway receives the IP packet for inspection, the Layer 2 header (including MAC addresses) has already been stripped off by the relevant Gaia Ethernet driver.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Felipe_Goulart
Explorer

I think the best step here is to authenticate these users by username and password through Cisco ISE by using 802.1x. Why do you need to authenticate these devices by MAC address?

0 Kudos
Tzvi_Katz
Employee

Hello Frederic,

There is an RFE (and it is planned to be part of the upcoming R80.20 release) that supports a new concept of External Tag, which represents a group that is neither internal nor LDAP and can be considered as somewhat of a label, so you can create an External Tag which is the same as your Cisco ISE SGT and incorporate it into the Access Role.

Please follow up with Check Point Solution Center to get this RFE. 

Best regards, 

Tzvi Katz, Identity Awareness & Access Client Group Manager. 
