Configure Check Point SmartConsole with Windows logins, via ISE and RADIUS
- Spikefish Engineers
- Mar 18, 2020
- 3 min read
Updated: Mar 25, 2020
In our previous blog, we explained how to integrate Check Point firewalls and Multi-Domain servers with RADIUS. In this blog, we explain how to integrate Check Point SmartConsole with Active Directory using Cisco ISE and the RADIUS protocol. In our sample environment, on the domain controller, we have created a security group called CheckPointSmartCon. Users who are members of this group will be allowed to authenticate using SmartConsole.
First, we log on to ISE (in our topology it is 10.1.18.104). Next, navigate to Work Centers > Network Access > Ext Id Sources.

Then expand Active Directory and click the name of your domain controller (in our instance, it is ad1dc).

Click the Group tab

Click the Add button

Click the “Select Groups from Directory” menu option

Place a check in the newly created “CheckPointSmartCon” group and click “OK.”

Next, navigate to Policy > Policy Elements > Results

Expand Authorization and click Authorization Profiles

Click Add

In the Name field, type “CheckPoint-SmartConsole”
Set the Network Device Profile to the pre-existing “Checkpoint-Devices” we created in the previous blog. Then click “Submit.”

Then navigate to Policy > Policy Elements > Conditions

Click where it says “Click to add an attribute”

Next, click the “Identity group” button, then click the domain controller (in our instance, it is ad1dc).

Then click the “Choose from list or type” pulldown menu and select the “CheckPointSmartCon” group. Then click “Save”

Select the “Save as a new Library Condition” radio button. Call it If-MDS-SmartCon and click “Save.”

Next, navigate to Policy > Policy Sets

In the row of the existing Policy Set, called CheckPointMDS (from the previous blog), click on the caret on the right side of the row.

Next, expand “Authorization Policy”
Click the plus sign to add a new rule.

In the Rule Name field, call it “CheckPointSmartConRule”

Click the plus sign in the Conditions column

Click the Identity group button

Drag the If-MDS-SmartCon condition into the Editor white space

Then click “Use”

Under the “Results/Profiles” box, click “Select from list” and select “CheckPoint-SmartConsole”

Then click “Save”

Next, we will want to use SmartConsole to connect to the Multi-Domain server to add ISE as a RADIUS object and create administrative user accounts that will use RADIUS to authenticate their login via ISE and Active Directory.
Open up SmartConsole and connect to the Multi-Domain Server (in our topology, it is 10.1.18.101)

Click the LOGIN button and connect to the domain.

Right click the Global Domain server (circled here in red) and click “Connect to Domain Server.”

Once the policy editor loads, click the “New” button and navigate to More > Server > More > RADIUS

Call it CiscoISERadiusObject, and enter in the shared secret that it will use to communicate with the Cisco ISE server.

Next, click the pulldown menu in the Host field, and click the Asterisk button

Then click “host”

Call it CiscoISEServer, enter in its IP (in our topology, it is 10.1.18.104) and click OK.

Then click OK on the CiscoISERadiusObject

Next, click Publish

Then close the SmartConsole Global Policy Window and navigate back to the SmartConsole MDS window.
Click the Permissions and Administrations button.

Click the New Button

Enter the name of the user – the user must match the name of a user in the Active Directory Security Group we retrieved in ISE (in our case, CheckPointSmartCon). Set the Authentication method to RADIUS. Set the RADIUS server to the CiscoISERadiusObject we created. Set the permissions in the Multi-Domain Permission Profile to “Multi-Domain Super User.” Then click OK.

Then click “Publish.”

Now, you should be able to log in with the Windows user cpsmartconuser, using its Active Directory password.
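As an added example (not from this blog, Check Point or Cisco), here is the RADIUS exchange the steps above set up, modelled in Python: the MDS hides the user's AD password with the shared secret entered on CiscoISERadiusObject, a stand-in for ISE checks the password and the CheckPointSmartCon membership the way CheckPointSmartConRule does, and the client verifies the Response Authenticator before trusting the answer. The secret, the passwords and the AD tables are constructed placeholders.

```python
import hashlib, os, struct

# Constructed values: placeholder secret; the AD table stands in for the lookups ISE does via ad1dc.
SECRET = b"example-shared-secret"   # must equal the secret entered on CiscoISERadiusObject
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
AD = {"cpsmartconuser": (b"Winter2020!", {"CheckPointSmartCon"}),   # (password, groups)
      "helpdesk": (b"Pa55word", {"Domain Users"})}

def pap_hide(data, secret, req_auth, unhide=False):
    # RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with MD5(secret + previous block)
    data = data if unhide else data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        chunk = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev, out = (block if unhide else chunk), out + chunk   # always chain on the ciphertext
    return out.rstrip(b"\x00") if unhide else out

def parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        attrs[body[i]] = body[i + 2:i + body[i + 1]]   # type, length, value
        i += body[i + 1]
    return attrs

def build_access_request(ident, req_auth, user, password):
    # What the MDS sends to ISE when an administrator with Authentication method RADIUS logs in
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in
                    [(USER_NAME, user.encode()), (USER_PASSWORD, pap_hide(password, SECRET, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def ise_reply(request, secret=SECRET):
    # Stand-in for ISE: verify the AD password, then apply CheckPointSmartConRule (group membership)
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    password, groups = AD.get(attrs[USER_NAME].decode(), (None, set()))
    pw_ok = password == pap_hide(attrs[USER_PASSWORD], secret, req_auth, unhide=True)
    accept = pw_ok and "CheckPointSmartCon" in groups
    header = struct.pack("!BBH", ACCESS_ACCEPT if accept else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()   # Response Authenticator

def verify_reply(reply, req_auth, secret=SECRET):
    # Client side: a reply whose Response Authenticator was not made with our secret is discarded
    if reply[4:20] != hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest():
        return "forged"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")

def login_outcome(user, password, server_secret=SECRET):
    req_auth = os.urandom(16)   # Request Authenticator must be fresh and unpredictable per request
    reply = ise_reply(build_access_request(7, req_auth, user, password), server_secret)
    return verify_reply(reply, req_auth)
```

A mismatched secret on either side shows up as "forged" here, which is the symptom to look for when SmartConsole logins fail after this setup.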

If you need any assistance with your enterprise solutions, don't hesitate to reach out to contact@spikefishsolutions.com