Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Michalis89
Participant

Integrate ISE with Checkpoint Firewall for Azure MFA

Jump to solution

Hi Checkmates, i want to implement MFA Authentication for all the VPN users of my company.

I am going to use the below flow. Does exists any implementation guide for this scope;

Thank you!

 

End Users --> Checkpoint Firewall--> Cisco ISE-->AD-->Azure AD-->MFA

0 Kudos
1 Solution

Accepted Solutions
tmorgan
Contributor

Okay Cool, I have to confess it is something I keep meaning to lab up however other work keeps taking priority as I haven’t had a customer with this requirement yet. There is an extra jump in this chain that needs to be accounted for, you need to configure some local NPS servers to relay the requests to Azure. I did see somewhere this wasn’t required any more but I have only ever seen it mentioned once and I don’t have the source anymore. The best advice I can give you is break it down into three chunks and test each chunk before going to the next one (one for each of the authentication steps). 

Firstly: you need to configure a Windows NPS server (I recommend two if this is a production setup) to run the Azure NPS extension. This guide looks like it covers most of the process off (just ignore the ASA stuff) http://cloudexchangers.com/configuring-azure-mfa-for-cisco-vpn-using-the-nps-server/

Secondly: You then need to configure these NPS servers in Cisco ISE as an external RADIUS server. You also need to configure the Check Points just like any other RADIUS network device (ie switches, wireless LAN controllers etc). Once this is done you need to create a policy basically saying if the Check Point is sending a request relay it to the NPS servers (to start off with keep the policy dead simple but there is nothing stopping you throwing in other ISE magic later on should you wish).

Thirdly: You need to configure the Cisco ISE appliances as RADIUS serves in the Check Point Smart Console. Start by configuring a group and then add each of your PSNs. Unless you have the RADIUS service of the PSNs in front of a load balancer, in this case just create a RADIUS server not a group. You should then be able to create an additional authentication sequence for RADIUS (there should be a tick box in the RADIUS settings saying something like “this is MFA ask for a password as well”).

The one closing comment I would make is this is a bit of a long-winded way of MFA’ing the user and there might be some timeout issues somewhere along the lines. Make sure adding ISE into the picture is going to give you some tangible benefits.

 

View solution in original post

0 Kudos
6 Replies
PhoneBoy
Admin
Admin

The integration with Cisco ISE is done via Identity Collector: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
However, if you're ultimately trying to use Azure AD with some sort of MFA on the VPN client, you probably want to do this: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
Michalis89
Participant

Hello PhoneBoy and thank you for your answer! Both hyperlinks that you send me guides lead to the same URL. Can you please send me again the solution which integrates Azure AD for MFA;

Thank you! 

0 Kudos
tmorgan
Contributor

I think I am in correct at saying that you want to set the Check Point for Remote Access VPN blade to send authentication requests via RADIUS to Cisco ISE. Cisco ISE will then relay the authentication request of to your Azure MFA setup?

0 Kudos
Michalis89
Participant

Exactly, this is the flow that i want to implement. I have already implement an Identity collector for the Identity Awareness of my users. Do you have any implementation guide for the rest of the solution;

0 Kudos
tmorgan
Contributor

Okay Cool, I have to confess it is something I keep meaning to lab up however other work keeps taking priority as I haven’t had a customer with this requirement yet. There is an extra jump in this chain that needs to be accounted for, you need to configure some local NPS servers to relay the requests to Azure. I did see somewhere this wasn’t required any more but I have only ever seen it mentioned once and I don’t have the source anymore. The best advice I can give you is break it down into three chunks and test each chunk before going to the next one (one for each of the authentication steps). 

Firstly: you need to configure a Windows NPS server (I recommend two if this is a production setup) to run the Azure NPS extension. This guide looks like it covers most of the process off (just ignore the ASA stuff) http://cloudexchangers.com/configuring-azure-mfa-for-cisco-vpn-using-the-nps-server/

Secondly: You then need to configure these NPS servers in Cisco ISE as an external RADIUS server. You also need to configure the Check Points just like any other RADIUS network device (ie switches, wireless LAN controllers etc). Once this is done you need to create a policy basically saying if the Check Point is sending a request relay it to the NPS servers (to start off with keep the policy dead simple but there is nothing stopping you throwing in other ISE magic later on should you wish).

Thirdly: You need to configure the Cisco ISE appliances as RADIUS serves in the Check Point Smart Console. Start by configuring a group and then add each of your PSNs. Unless you have the RADIUS service of the PSNs in front of a load balancer, in this case just create a RADIUS server not a group. You should then be able to create an additional authentication sequence for RADIUS (there should be a tick box in the RADIUS settings saying something like “this is MFA ask for a password as well”).

The one closing comment I would make is this is a bit of a long-winded way of MFA’ing the user and there might be some timeout issues somewhere along the lines. Make sure adding ISE into the picture is going to give you some tangible benefits.

 

View solution in original post

0 Kudos
Michalis89
Participant

Thank you tmorgan for your analytical answer!!You helped me very much!! In my previous job we had implemented the said MFA with Azure-Checkpoint and ISE and it was really cool, but because we had an integrator who made the implementation i did not have the completed technical view of the way that they implement it.

Indeed some times the messages were not coming fast enough from Azure AD to the Microsoft Authenticator but most of the times this was either problem of the 4G signal or a problem of the mobile device(because it did not run the Microsoft application properly).

Despite this i and from my personal point of view this MFA solution is fantastic.