This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sergo89
Collaborator
‎2020-04-18 05:12 PM
Jump to solution

Identity Awareness question

Hi All,

Could you advise how to solve this issue. We have Cisco WLC (wireless controller) with RADIUS authentication, everything works fine, users can use own AD credentials and get IPs from Windows DHCP and access finally. CheckPoint uses Identity Awareness blade and get info from AD, i see computer name and username in CheckPoint's logs. Unfortunately it works only with Windows clients, for Linux/Android/Mac/iOS i see only IPs. i know why its happen, Windows automatically register in DNS and it has association with username, but for other OS it doesnt work. do you have any ideas/advises how to solve it? 

 

THANKS

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee
‎2020-04-22 04:29 PM
In response to Sergo89
Jump to solution

FYI, note the steps may be version dependent in which case you should seek assistance from Cisco but please refer:

https://community.cisco.com/t5/other-wireless-mobility-subjects/how-to-configure-wlc-to-send-account...

CCSM R77/R80/ELITE

View solution in original post

16 Replies
Chris_Atkinson
Employee Employee
Employee
‎2020-04-18 06:11 PM
Jump to solution

Hi

Is Identity Awareness configured for only ADquery,  Radius Accounting or both?

CCSM R77/R80/ELITE
Sergo89
Collaborator
‎2020-04-18 06:36 PM
In response to Chris_Atkinson
Jump to solution

AD query via LDAP, radius not configured. do they can works together?
0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-18 07:05 PM
In response to Sergo89
Jump to solution

Should be able to also configure RADIUS Accounting as an identity source as well.
Sergo89
Collaborator
‎2020-04-21 07:56 AM
In response to PhoneBoy
Jump to solution

Sorry guys, how it should works? i configured Radius in Identity Awareness, but it doesnt work (not sure, maybe it was configured not properly, because Radius config is tricky). Cisco WLC use Radius for auth, and checkpoint use same Radius?
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2020-04-21 08:21 AM
In response to Sergo89
Jump to solution

WLC will send a copy of Radius Accounting packets to Check Point gateway and we will obtain user/IP info from this based on the field mappings that you define within IA config.

CCSM R77/R80/ELITE
0 Kudos
Sergo89
Collaborator
‎2020-04-21 02:27 PM
In response to Chris_Atkinson
Jump to solution

Chris, do i have to configure something on WLC side?
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2020-04-21 04:47 PM
In response to Sergo89
Jump to solution

 

Unless your Radius server has the ability to "proxy" accounting records onto Check Point you will need to configure/specify Check Point as an Radius Accounting server on the WLC side yes.

CCSM R77/R80/ELITE
0 Kudos
Sergo89
Collaborator
‎2020-04-22 07:22 AM
In response to Chris_Atkinson
Jump to solution

Hi Chris,
sorry, still not clear for me, how to configure it... i want to try change Radius to LDAP on WLC...
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2020-04-22 08:16 AM
In response to Sergo89
Jump to solution

If the WLC is already using Radius you need to configure an additional Accounting server entry which is the Check Point IP. (We've not been discussing LDAP here.)

In case it is still unclear I will point you to a similar guide in a separate post soon.

CCSM R77/R80/ELITE
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2020-04-22 08:36 AM
In response to Sergo89
Jump to solution

 

These guides show different Radius Accounting implementations for Identity Awareness. Depending upon your setup it may be much simpler to have the WLC send the Radius Accounting directly as discussed.

 

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default...

https://community.checkpoint.com/t5/General-Topics/Identity-Awareness-RADIUS-Accounting-mode/m-p/151...

 

CCSM R77/R80/ELITE
0 Kudos
Sergo89
Collaborator
‎2020-04-22 08:46 AM
In response to Chris_Atkinson
Jump to solution

Thanks Chris! will try it today
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2020-04-22 04:29 PM
In response to Sergo89
Jump to solution

FYI, note the steps may be version dependent in which case you should seek assistance from Cisco but please refer:

https://community.cisco.com/t5/other-wireless-mobility-subjects/how-to-configure-wlc-to-send-account...

CCSM R77/R80/ELITE
Sergo89
Collaborator
‎2020-04-24 05:13 PM
In response to Chris_Atkinson
Jump to solution

Chris,
sorry that bothering you again, two days tried to implement different solutions. First of all, LDAP doesnt work, authentication works (same like Radius), but still nothing in logs (except Windows machines, even if they are not part of domain, i see them and usernames). Your solution, i tried to implement it but, still dont understand how it should works. WLC, i configured an accounting server is CheckPoint, on checkpoint side i configured WLC like Radius Client, i think its wrong. I guess, in my configuration, i have Windows NPS, and turned on Radius accounting there , and WLC and CHeckpoint have to use it like Radius server, no? CHeckpoint support advised to use Captive portal for access to wireless ... but i am not sure... in this case i have to provide open access to wireless corp, and next check users, then they will try to get access to network via checkpoint policy...
0 Kudos
Sergo89
Collaborator
‎2020-04-28 09:00 AM
In response to Chris_Atkinson
Jump to solution

Fixed it! it works!!!
PhoneBoy
Admin
Admin
‎2020-04-21 08:33 AM
In response to Sergo89
Jump to solution

Define "not work."
It's also possible machine ID is not something RADIUS communicates at all.
0 Kudos
Sergo89
Collaborator
‎2020-04-21 09:07 AM
In response to PhoneBoy
Jump to solution

I dont see any changes in CP logs, still IPs no usernames. Also it can be stealth rule (just thinking right now), radius traffic (i guess) not included to Implied rules ..
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events