This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kishorskmca_kp
Participant
‎2021-01-25 10:49 AM

Integrating with NAC device such as Cisco ISE using Radius protocol for the VPN identity management

we are using AD as identity management to allow users for remote access VPN. We have defined some Access Roles for serveral AD Groups in Access policy , but,  we have observed every AD user can log in via VPN client (end point security), regardless the user has a security policy associated or not. If the user is not included in a security policy, of course, they are not able to access to  some where, but, they still can do the log in successfully on the VPN client.

So, somehow, we would like to allow the AD authentication for remote access VPN  just for those users belonging to the Access Roles or for some specific AD Groups.

Can I integrate with NAC device such as Cisco ISE using Radius protocol for the VPN identity management ?

Preview file
45 KB
0 Kudos
2 Replies
RS_Daniel
Advisor
‎2021-01-25 04:07 PM

Hi,

For "allow the AD authentication for remote access VPN  just for those users belonging to the Access Roles" >> https://community.checkpoint.com/t5/Remote-Access-VPN/How-to-restrict-the-MS-Active-Directory-Authen...

You have to define LDAP groups inside smartconsole and use them in remote access community to define which users/groups con authenticate trough remote access.

For "Can I integrate with NAC device such as Cisco ISE using Radius protocol for the VPN identity management ?" >> i only tested like a regurlar RADIUS server and no problem, did no try for posture or more advanced authorization policy.

0 Kudos
Silesio
Contributor
‎2021-01-25 05:01 PM

Take a look at this post. You don't need ISE.

https://community.checkpoint.com/t5/Remote-Access-VPN/How-To-s-Deploy-Check-Point-Remote-Access-on-G...

 

Regards

Silésio C.