Pages

Saturday, July 23, 2016

Checkpoint Gaia Radius authentication with Cisco ISE 2.1

This post describes how to configure Cisco Identity Service Engine (ISE) 2.1 to authenticate Checkpoint Gaia users.

The Checkpoint support article SK105542 on "How to configure a RADIUS server on Cisco ACS for authentication with Gaia OS" is very handy on getting this implemented on Cisco ISE as well.

The first step is to Add the Vendor Specific Attributes for Checkpoint.

For this in ISE Web UI Select Policy -> Policy Elements -> Dictionaries



On the Radius Dictionaries section, expand System -> Radius and click on Radius Vendors.
 

Click on Add to add a new Vendor and complete as follows.

Dictionary Name : Checkpoint
Vendor ID : 2620

Leave the other values as default. 



Under Dictionary Attributes add the below two values.

 

 
  

Next we need to define a Network Device Profile for Checkpoint as by default ISE doesn't have any Network Device Profile for Checkpoint.

For this navigate to Administration -> Network Resources -> Network Device Profiles.

Click on Add to define the new network device profile for Checkpoint devices.

In here, I've define a very basic Network Device Profile to be used only for Radius authentication for Gaia OS.

Name : Checkpoint-Firewalls (or anything that you prefer)
Vendor :  Other
Supported Protocols : RADIUS
Radius Dictionaries : Checkpoint (this is the dictionary that we created above) 

Leave the rest of the attributes to the default values.


 

Now we need to define a Authorization Profiles to be used for each of the authorization policies that we want to create. For this post, I am going to create on authorization profile to be used in admin authentication giving the matching user group Super-User access and adminRole.

Navigate to Work Centers -> Network Resources -> Policy Elements.
Under Policy Elements expand Results and select Authorization Profiles.
Click Add to add a new authorization profile.

Name : checkpoint-admin (or any other name that you prefer)
Access Type : ACCESS_ACCEPT
Network Device Profile : Checkpoint-Firewalls
Advanced Attribute Settings : 
(add the two radius attributes wed defined earlier in the radius dictionaries with the required values)
Checkpoint:CP-Gaia-User-Role = adminRole
Checkpoint:CP-Gaia-SuperUser-Access = 1



Next we define a Authentication Policy. For this I have used domain based authentication. I have not described how to add Microsoft AD as an external authentication source to ISE.

Navigate to Work Centers -> Network Access -> Authentication Policy.

Add a rule on the top:
Rule name: Checkpoint-auth
Condition:
If DEVICE:Device Type Equals Device Type#All Device Types#Checkpoint
Allow Protocols:
Default Network Access (or any profile that you have created)

Under actions, use the default action and set the identity source to your preferred identity source.



Now we define a Authorization Policy.
Navigate to Work Centers -> Network Access -> Authorization Policy.

Here you can create different authorization policies, depending on your requirements. i.e. you can create one rule to allow full admin access, and another rule to allow a different user role like monitorOnly and without super user rights.
In this example I have created an explicit deny rule as by default in ISE there's an catch all allow rule at the bottom.

Admin Allow Rule


Conditions:
If any and
Network Access:AuthenticationStatus Equals AuthenticationPassed and
and
DEVICE:Device Type Equals Device Type#All Device Types#Checkpoint

Permissions:
checkpoint-admin

Deny Rule 






I am not going to describe how to configure Radius authentication in Gaia, please refer to Configuration on Gaia OS section on SK105542 :).