Employee
How to Configure Check Point to forward VPN Certificate authentication request to Cisco ISE

Hi, has anyone configured a Check Point Gateway to forward VPN requests using certificates to Cisco ISE for authentication to AD?

Basically, users with the Capsule Connect client will VPN into the Gateway using only a pre-configured certificate pushed by an MDM. Check Point will receive the request and forward it to ISE. Cisco ISE will authorize and authenticate using Active Directory. The request should come back to the Check Point gateway and then the user will be allowed access to the network.

Thanks

3 Replies
Admin

You don't really "forward" requests for certificate authentication anywhere.
You import the relevant CA key into the Check Point management (as an OPSEC CA) and set your gateway (cluster) object to accept this CA as valid for VPN purposes.
We can validate the certificate and the other attributes in the certificate, associating it to the relevant user.
I believe that can be Cisco ISE (via RADIUS), but haven't tried it myself. 

Employee
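To make the point above concrete (the gateway validates the certificate itself against the imported CA and then reads an attribute out of it to map the user), here is an added openssl walkthrough that is not from the thread or from Check Point. It builds a throwaway CA standing in for the customer's CA, issues a client certificate carrying a constructed e-mail SAN, and shows the two local checks: chain validation and identity extraction. Names, paths and the e-mail address are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: the local checks a VPN gateway performs once a CA has been
# imported and marked as trusted. Nothing is "forwarded" for certificate validation.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Hypothetical issuing CA (stands in for the customer's CA imported as an OPSEC CA).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 \
  -subj "/CN=Demo Corp Issuing CA" 2>/dev/null

# Client certificate as an MDM would push: identity in the CN and an e-mail SAN.
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=jdoe/O=Demo Corp" 2>/dev/null
printf 'subjectAltName=email:jdoe@demo.example\nextendedKeyUsage=clientAuth\n' > ext.cnf
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out client.crt -days 90 -extfile ext.cnf 2>/dev/null

# A self-signed certificate with the same CN from a CA the gateway does NOT trust.
openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.crt -days 90 \
  -subj "/CN=jdoe" 2>/dev/null

# Check 1: chain validation against the imported CA. This is what "accept this CA
# as valid for VPN" amounts to; a cert from any other issuer fails here.
verify_client() {
  openssl verify -CAfile ca.crt -purpose sslclient "$1" >/dev/null 2>&1
}

# Check 2: pull the attribute that associates the certificate with a directory
# user (here the e-mail SAN); that value is what RADIUS/LDAP lookups key on.
cert_identity() {
  openssl x509 -in "$1" -noout -ext subjectAltName | sed -n 's/.*email:\([^,]*\).*/\1/p'
}

# Stand-alone run: print the outcome for both certificates.
for c in client.crt rogue.crt; do
  if verify_client "$c"; then
    echo "$c: trusted chain, identity=$(cert_identity "$c")"
  else
    echo "$c: rejected (issuer not trusted)"
  fi
done
```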

Thanks PhoneBoy,

Are you saying I still need to import the customer's CA key for verification using SSL VPN to do a cert request like the below example?

Will this be one cert per cluster or do I need a cert per gateway?

Do I then need to add ISE as a RADIUS server and the Domain Controller as an LDAP server? I saw a few threads related to needing both configured in SmartConsole.

Admin

You would import the CA key once and configure each gateway to accept it.
And yes, ISE would be configured as RADIUS and AD for LDAP.
