Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Scott_Bily
Participant

Cisco ISE integration with Identity Awareness

Has anybody gotten Cisco ISE pxGrid integration working with Identity Collector?   And how(or can)identity based rules be used if identities are learned from ISE(via Identity Collector).    Currently all of our identity based rules are based on Active directory group memberships.  Most of our LAN users would be authenticated via AD.  And when the Identity Collect learns those event logs it seems to pass the users groups as well.    

But As far as I can tell I will only be getting a users login id and IP address from ISE.   So I’m guessing non of my existing Identity rules would work for users being authenticated via ISE?     I’m just wondering if anybody else has encountered this and what they had to do.

we are using ISE for network device with,  but also for Wifi user authentication, and potentially VPN. Which are user who may potentially need identity based access thru our Checkpoint firewalls.

 

Thanks in advance for any feedback

0 Kudos
7 Replies
Danny
Champion Champion
Champion

Sorin_Gogean
Advisor

Hello Scott,
We followed this document when we first set-up and tested the ISE & Checkpoint Identity Collector . 
In ISE you have to set SGT's to different policies where you map your users or machines and authorize them, and based on those SGT's, you can address them in your CKP GW policies/rules. 
(https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/general-topics/10644/1/Check%20Po...

Have a nice week,

0 Kudos
lolith
Participant

Hello,

 

Sorry to ask my query in here. But I could only see this one more relevant to my query:

Checkpoint IDC - 81.028.000

Checkpoint PDP and PEP: R80.40

I have integrate IDC with Cisco Pxgrid v2 (Cisco ISE3.1.0.518) and is working quite well for learning the SGT and enforcing the SGT in access policy. The problem is the IDC only learns the ISE logs when it imports it in bulk and not instantly when new authentoication happens on ISE. Which makes the user access fail as it does not match any SGT rules and create issues.

 

The ia_ise_extension.log says the below error:

[3728][0015][2023.04.18 15:16:55.569] GatheringManager::updateSessions: failed to query session 10.xx.xx.xx from ISE rnxx1tc1xxxxx.xxxx-01.net
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
at com.checkpoint.ISE.GatheringManager.PxgridControl.sendRequest(PxgridControl.java:53)
at com.checkpoint.ISE.GatheringManager.PxgridControl.getSessionByIP(PxgridControl.java:167)
at com.checkpoint.ISE.GatheringManager.ISEServerPxgV2.querySessionByIp(ISEServerPxgV2.java:197)
at com.checkpoint.ISE.GatheringManager.GatheringManager.updateSessions(GatheringManager.java:485)
at com.checkpoint.ISE.GatheringManager.GatheringManager.access$000(GatheringManager.java:33)
at com.checkpoint.ISE.GatheringManager.GatheringManager$UpdateSessionDBTimerTask.run(GatheringManager.java:79)
at java.util.TimerThread.mainLoop(Unknown Source)
at java.util.TimerThread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 21 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)

 

But every 30 mins or so, it does a bulk import and gets all the machine records:

[3728][0031][2023.04.18 15:16:56.178] GatheringManager::processSession: new event received during bulk download, will exclude 10.xx.xx.xx from further bulk download operations

 

I tried to play around with certificate, but unable to find a solution.

 

I have created the jks cert using this white paper document and as you see, it works partially. Anyone has any idea how to fix this issue to get the instant machine authentication records on IDC.

Regards,

Lolith

0 Kudos
tcp_vs_uucp
Explorer

Hi

i wonder if your experience is not the result of PxGrid 2.0 on ISE whilst CheckPoint still only supports PxGrid 1.0 (this is my assumption as i cannot find any references on it).  

0 Kudos
lolith
Participant

Hello,

Sorry for not updating the case earlier. The issue got fixed after importing the self signed cert chain into java keystore.

The problem I had was that the pxgrid cert was signed using system and IDC was not trusting the pxgrid cert.

Also the ISE ver 3 with patch 3 was having a bug that everytime you patch/upgrade ISE, the self signed cert also get renewed, which is fixed in patch 4 and above.

 

Conclusion, the IDC and PxGrid 2 works fine with right set of certs in the java keystore.

 

Thanks and Regards,

Lolith

(1)
Chris_Atkinson
Employee Employee
Employee

For reference sk134312 / sk108235 outline that Pxgrid 2.0 is supported

CCSM R77/R80/ELITE
(1)
anstelios
Collaborator

Hello,

 

Can you please verify that below white paper is still valid for ISE 3.1 and IDC running on Server 2019?

https://community.checkpoint.com/fyrhh23835/attachments/fyrhh23835/general-topics/10644/1/Check%20Po...

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events