Scott_Bily
Participant

Cisco ISE integration with Identity Awareness

Has anybody gotten Cisco ISE pxGrid integration working with Identity Collector? And how (or can) identity-based rules be used if identities are learned from ISE (via Identity Collector)? Currently all of our identity-based rules are based on Active Directory group memberships. Most of our LAN users would be authenticated via AD, and when the Identity Collector learns those event logs it seems to pass the users' groups as well.

But as far as I can tell I will only be getting a user's login ID and IP address from ISE. So I'm guessing none of my existing identity rules would work for users being authenticated via ISE? I'm just wondering if anybody else has encountered this and what they had to do.

We are using ISE for network devices, but also for Wi-Fi user authentication, and potentially VPN, which are users who may potentially need identity-based access through our Checkpoint firewalls.

Thanks in advance for any feedback.


Accepted Solutions
tcp_vs_uucp
Explorer

Hi

I wonder if your experience is not the result of PxGrid 2.0 on ISE, whilst CheckPoint still only supports PxGrid 1.0 (this is my assumption, as I cannot find any references on it).

8 Replies
Danny
Champion
Sorin_Gogean
Advisor

Hello Scott,
We followed this document when we first set up and tested the ISE and Checkpoint Identity Collector.
In ISE you have to set SGTs on the different policies where you map your users or machines and authorize them, and based on those SGTs you can address them in your CKP GW policies/rules.
(https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/general-topics/10644/1/Check%20Po...

Have a nice week,

lolith
Contributor

Hello,

Sorry to ask my query in here, but this was the only thread I could see as relevant to my query:

Checkpoint IDC - 81.028.000

Checkpoint PDP and PEP: R80.40

I have integrated IDC with Cisco Pxgrid v2 (Cisco ISE 3.1.0.518) and it is working quite well for learning the SGT and enforcing the SGT in the access policy. The problem is that the IDC only learns the ISE logs when it imports them in bulk, and not instantly when a new authentication happens on ISE, which makes the user access fail as it does not match any SGT rules and creates issues.

The ia_ise_extension.log shows the error below:

[3728][0015][2023.04.18 15:16:55.569] GatheringManager::updateSessions: failed to query session 10.xx.xx.xx from ISE rnxx1tc1xxxxx.xxxx-01.net
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
at com.checkpoint.ISE.GatheringManager.PxgridControl.sendRequest(PxgridControl.java:53)
at com.checkpoint.ISE.GatheringManager.PxgridControl.getSessionByIP(PxgridControl.java:167)
at com.checkpoint.ISE.GatheringManager.ISEServerPxgV2.querySessionByIp(ISEServerPxgV2.java:197)
at com.checkpoint.ISE.GatheringManager.GatheringManager.updateSessions(GatheringManager.java:485)
at com.checkpoint.ISE.GatheringManager.GatheringManager.access$000(GatheringManager.java:33)
at com.checkpoint.ISE.GatheringManager.GatheringManager$UpdateSessionDBTimerTask.run(GatheringManager.java:79)
at java.util.TimerThread.mainLoop(Unknown Source)
at java.util.TimerThread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 21 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)

But every 30 mins or so it does a bulk import and gets all the machine records:

[3728][0031][2023.04.18 15:16:56.178] GatheringManager::processSession: new event received during bulk download, will exclude 10.xx.xx.xx from further bulk download operations

I tried to play around with the certificate, but was unable to find a solution.

I have created the JKS cert using this white paper document and, as you see, it works partially. Does anyone have any idea how to fix this issue to get the instant machine authentication records on the IDC?

Regards,

Lolith

lolith
Contributor

Hello,

Sorry for not updating the case earlier. The issue got fixed after importing the self-signed cert chain into the Java keystore.

The problem I had was that the pxgrid cert was signed using the system and the IDC was not trusting the pxgrid cert.

Also, ISE version 3 with patch 3 had a bug where every time you patch/upgrade ISE the self-signed cert also gets renewed, which is fixed in patch 4 and above.

In conclusion, the IDC and PxGrid 2 work fine with the right set of certs in the Java keystore.

 

Thanks and Regards,

Lolith

Chris_Atkinson
Employee

For reference, sk134312 / sk108235 outline that Pxgrid 2.0 is supported.

CCSM R77/R80/ELITE
anstelios
Collaborator

Hello,

Can you please verify that the white paper below is still valid for ISE 3.1 and IDC running on Server 2019?

https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/general-topics/10644/1/Check%20Po...

lolith
Contributor

Hello All,

It's been a while now on this topic and I thought I would update my experience on this setup, as it's working quite smoothly for us and may help other fellow integrators.

We are running ISE version 3.3 with Pxgrid 2.0 (default) and the latest IDC version, and it works just fine.

The whitepaper is indeed old, but works just fine for generating the certificate; the SGT part of it is slightly different (identity tags, with the exact external identifier inside them).

The core logic to work smoothly is to get the whole certificate chain into the keystore, and it should work just fine. Some tweaking of the registry may be required if the following error occurs:

https://support.checkpoint.com/results/sk/sk182767

All the best with the integration.

Thanks & Regards,

Lolith
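Both of Lolith's fixes above come down to one step: getting every link of the chain that signs the pxGrid certificate into the IDC's Java truststore, which is what the "PKIX path building failed" trace in the earlier post is complaining about. As an added example (not code from this thread, from Check Point or from Cisco), the script below captures the chain the ISE node actually presents during the TLS handshake, splits it into one file per certificate and imports each with keytool; the pxGrid port 8910, the host name, the keystore path and its password are assumptions to be replaced.

```shell
#!/bin/sh
# Added example, not code from this thread, Check Point or Cisco: capture the
# chain an ISE pxGrid node presents, then import every link of it into the
# IDC Java truststore so the PKIX validator can build a path. Assumptions:
# pxGrid 2.0 REST on TCP 8910, keytool on PATH, placeholder host/store/password.
set -eu

ISE_HOST="${ISE_HOST:-ise.example.internal}"        # placeholder host name
PXGRID_PORT="${PXGRID_PORT:-8910}"                  # assumed pxGrid 2.0 port
TRUSTSTORE="${TRUSTSTORE:-./idc-pxgrid-trust.jks}"  # placeholder keystore path
STOREPASS="${STOREPASS:-changeit}"                  # placeholder password

# split_chain BUNDLE OUTDIR: write each PEM block to OUTDIR/cert-N.pem and
# print the number of blocks found. Pure awk, so it can be checked offline.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$1"
}

# fetch_chain OUTFILE: the chain sent in the TLS handshake, which is exactly
# what the IDC has to validate; a missing intermediate or CA shows up here.
fetch_chain() {
    openssl s_client -connect "$ISE_HOST:$PXGRID_PORT" -showcerts </dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' >"$1"
}

# import_chain DIR COUNT: one trusted alias per certificate, then count them.
import_chain() {
    i=1
    while [ "$i" -le "$2" ]; do
        keytool -importcert -noprompt -trustcacerts -storetype JKS -keystore "$TRUSTSTORE" \
            -storepass "$STOREPASS" -alias "ise-pxgrid-$i" -file "$1/cert-$i.pem"
        i=$((i + 1))
    done
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" | grep -c trustedCertEntry
}

main() {
    work=$(mktemp -d)
    fetch_chain "$work/chain.pem"
    count=$(split_chain "$work/chain.pem" "$work")
    [ "$count" -gt 0 ] || { echo "no certificate received from $ISE_HOST:$PXGRID_PORT"; exit 1; }
    import_chain "$work" "$count"
}

# Only contact ISE when asked, so the functions can be sourced or tested.
if [ "${RUN_PXGRID_TRUST:-0}" = "1" ]; then main; fi
```

Run it with RUN_PXGRID_TRUST=1 against the real node; the count printed at the end should equal the number of certificates in the captured chain, and the IDC then has to use this truststore (or the same aliases imported into the one it already reads).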
