Hi, has anyone configured a Check Point Gateway to forward VPN requests using certificates to Cisco ISE for authentication to AD?
Basically, users with the Capsule Connect client will VPN into the Gateway using only a pre-configured certificate pushed by an MDM. Check Point will receive the request and forward it to ISE. Cisco ISE will authorize and authenticate using Active Directory. The request should come back to the Check Point gateway and then the user will be allowed access to the network.
Thanks
You don't really "forward" requests for certificate authentication anywhere.
You import the relevant CA key into the Check Point management (as an OPSEC CA) and set your gateway (cluster) object to accept this CA as valid for VPN purposes.
We can validate the certificate and the other attributes in the certificate, associating it to the relevant user.
I believe that can be Cisco ISE (via RADIUS), but haven't tried it myself.
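To make concrete what "validate the certificate and the other attributes" means once the CA is imported, here is an added example (not from this thread or from Check Point) using Python's cryptography library. It builds a constructed test PKI, then checks a client certificate the way a gateway trusting an imported CA would: issuer name, signature against the CA key, validity window, and finally extracts the identity (SAN e-mail, falling back to CN) that would be mapped to the directory user. CRL/OCSP checks are left out; the CA name, user names and e-mail addresses are made up.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def _now():
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)

def _issue(subject_cn, issuer_cert, issuer_key, email=None, is_ca=False):
    """Constructed test PKI helper: self-signed CA when issuer_cert is None, else a leaf cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    builder = (
        x509.CertificateBuilder().subject_name(subject)
        .issuer_name(issuer_cert.subject if issuer_cert else subject)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if email:  # the MDM puts the user identity in the SAN; this is what gets mapped to AD
        san = x509.SubjectAlternativeName([x509.RFC822Name(email)])
        builder = builder.add_extension(san, critical=False)
    return key, builder.sign(key if issuer_key is None else issuer_key, hashes.SHA256())

def authenticate_client_cert(client_cert, trusted_ca_cert):
    """Return the identity to look up in the directory, or None if the cert is rejected.
    Checks issuer, signature against the imported CA key and validity window; CRL/OCSP omitted."""
    if client_cert.issuer != trusted_ca_cert.subject:
        return None  # not issued under the CA name the gateway was told to accept
    try:
        trusted_ca_cert.public_key().verify(client_cert.signature, client_cert.tbs_certificate_bytes,
                                            padding.PKCS1v15(), client_cert.signature_hash_algorithm)
    except InvalidSignature:
        return None  # right issuer name, but not signed by the imported CA key
    if not client_cert.not_valid_before <= _now() <= client_cert.not_valid_after:
        return None
    try:
        san = client_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        emails = san.get_values_for_type(x509.RFC822Name)
    except x509.ExtensionNotFound:
        emails = []
    return emails[0] if emails else client_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

# Constructed PKI: the customer's CA (what you would import as an OPSEC CA) and a rogue CA with the same name.
CA_KEY, CA_CERT = _issue("Customer Device CA", None, None, is_ca=True)
ROGUE_KEY, ROGUE_CERT = _issue("Customer Device CA", None, None, is_ca=True)
_, USER_CERT = _issue("phone-1234", CA_CERT, CA_KEY, email="jdoe@example.com")
_, FORGED_CERT = _issue("phone-9999", ROGUE_CERT, ROGUE_KEY, email="admin@example.com")
```

The rogue CA carries the same name as the real one, so the issuer-name check alone passes and only the signature check against the imported key rejects the forged certificate.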
Thanks PhoneBoy,
Are you saying I still need to import the customer's CA key for verification using SSL VPN to do a cert request like the below example?
Will this be one cert per cluster or do I need a cert per gateway?
Do I then need to add ISE as a RADIUS server and the Domain Controller as an LDAP server? I saw a few threads related to needing both configured in SmartConsole.
You would import the CA key once and configure each gateway to accept it.
And yes ISE would be configured as RADIUS and AD for LDAP.