In our previous blog, we explained how to integrate Check Point firewalls and Multi-Domain servers with RADIUS. In this blog, we explain how to integrate Check Point SmartConsole with Active Directory using Cisco ISE and the RADIUS protocol. In our sample environment, on the domain controller, we have created a security group called CheckPointSmartCon. Only users who are members of this group will be allowed to authenticate through SmartConsole; the ISE authorization rule built below enforces that membership check.





First, log on to ISE (10.1.18.104 in our topology). Then navigate to Work Centers > Network Access > Ext Id Sources.





Then expand Active Directory and click the name of your Active Directory join point (in our instance, it is ad1dc).





Click the Groups tab.





Click the Add button





Click the “Select Groups from Directory” menu option










Retrieve the groups from the directory, place a check next to the newly created “CheckPointSmartCon” group, and click “OK.” ISE can only evaluate group membership for groups it has retrieved this way, so if the group is missing here the condition created later will never match.

Next, navigate to Policy > Policy Elements > Results





Expand Authorization and click Authorization Profiles





Click Add





In the Name field, type “CheckPoint-SmartConsole”.

Set the Network Device Profile to the pre-existing “Checkpoint-Devices” profile we created in the previous blog. This profile only needs to return an Access-Accept; no vendor-specific attributes are required, because the administrator's permission profile is assigned on the Check Point side (see the administrator object created later), not by ISE. Then click “Submit.”





Then navigate to Policy > Policy Elements > Conditions





Click where it says “Click to add an attribute”





Next, click the “Identity group” button, then click the Active Directory join point (in our instance, it is ad1dc).





Then click the “Choose from list or type” pulldown menu, select the “CheckPointSmartCon” group, and click “Save.”









Select the “Save as a new Library Condition” radio button, name it If-MDS-SmartCon, and click “Save.”





Next, navigate to Policy > Policy Sets





In the row of the existing Policy Set called CheckPointMDS (from the previous blog), click the caret at the right end of the row to open it.

Next, expand “Authorization Policy”

Click the plus sign to add a new rule.









In the Rule Name field, call it “CheckPointSmartConRule”.





Click the plus sign in the Conditions column.

In the Conditions Studio, open the Library pane.

Drag the If-MDS-SmartCon library condition into the editor white space.





Then click “Use”





Under the “Results/Profiles” box, click “Select from list” and select “CheckPoint-SmartConsole”.





Then click “Save.” Check that the new rule sits above the policy set's Default rule and that Default still results in DenyAccess; ISE evaluates rules top-down, so if a permissive rule precedes this one, or the default permits access, a valid AD user who is not in CheckPointSmartCon would still be authorized.





Next, we use SmartConsole to connect to the Multi-Domain Server, add ISE as a RADIUS server object, and create administrator accounts whose logins are authenticated over RADIUS via ISE and Active Directory.





Open up SmartConsole and connect to the Multi-Domain Server (in our topology, it is 10.1.18.101)





Click the LOGIN button and connect to the domain.





Right click the Global Domain server (circled here in red) and click “Connect to Domain Server.”





Once the policy editor loads, click the “New” button and navigate to More > Server > More > RADIUS





Call it CiscoISERadiusObject and enter the shared secret it will use to communicate with the Cisco ISE server. This must be the same secret configured on the ISE network device entry for the MDS in the previous blog; a mismatch causes ISE to silently drop the requests rather than reject them. The object's protocol defaults to PAP, so the allowed-protocols list on the CheckPointMDS policy set in ISE must permit PAP.





Next, click the pulldown menu in the Host field, click the asterisk (New) button, and choose “Host.”





Call it CiscoISEServer, enter its IP (10.1.18.104 in our topology), and click OK.





Then click OK on the CiscoISERadiusObject.





Next, click Publish.





Then close the SmartConsole Global Policy Window and navigate back to the SmartConsole MDS window.

Click the Permissions and Administrations button.





Click the New button.









Enter the name of the administrator. It must match the logon name of a user in the Active Directory security group we retrieved in ISE (in our case, CheckPointSmartCon); no password is stored in Check Point for this account. Set the Authentication method to RADIUS and the RADIUS server to the CiscoISERadiusObject we created. Set the Multi-Domain Permission Profile to “Multi-Domain Super User.” Then click OK. Note the division of responsibility here: ISE and the AD group decide whether the user may authenticate, but the privileges the user gets are entirely determined by the permission profile on this Check Point administrator object. Multi-Domain Super User is used for the demo; in production, assign the least-privileged profile each administrator actually needs.





Then click “Publish.”





Now you should be able to log in to SmartConsole as the Windows user cpsmartconuser (a member of CheckPointSmartCon) with its Active Directory password. A user who has a Check Point administrator object but is not in the group, or who is in the group but has no administrator object, should be rejected.
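If the SmartConsole login fails it is useful to test the ISE side on its own, so that a RADIUS or policy-set problem can be separated from a Check Point administrator-object problem. The following script is an added example, not code from the original post or from Check Point or Cisco: it sends a single PAP Access-Request straight to ISE using only the Python standard library and verifies the reply's Response Authenticator with the shared secret, which is exactly what the CiscoISERadiusObject does behind the scenes. It assumes ISE listens on UDP 1812 and that the host you run it from is registered in ISE as a network device with the same shared secret (ISE matches the NAS by source IP, so run it from the MDS itself or from a test host you have temporarily added as a network device). The ISE and MDS addresses are taken from the blog topology; the shared secret and NAS IP are whatever you configured.

```python
"""RADIUS PAP test client for the ISE policy set above (added example, standard library only).
Run it from the MDS or from a test host that ISE knows as a network device with the same
shared secret: ISE matches the NAS by source IP, so requests from unknown hosts are dropped."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type, Length (counts the two header bytes), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    block), seeded with the Request Authenticator. Keyed obfuscation, not encryption."""
    if len(password) > 128:
        raise ValueError("RADIUS limits PAP passwords to 128 bytes")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode, i.e. what the RADIUS server does."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, username, password, nas_ip, identifier, authenticator=None):
    """Access-Request carrying User-Name, a PAP User-Password and NAS-IP-Address."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, pap_encode(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server-side reply; Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_response(packet, secret, request_authenticator, identifier):
    """Return (code, [(type, value), ...]) or raise ValueError on a malformed packet,
    an identifier mismatch, or a bad Response Authenticator (wrong secret or spoofed reply)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or spoofed reply")
    if ident != identifier:
        raise ValueError("Identifier does not match the request")
    parsed = []
    while attrs:
        if len(attrs) < 2 or attrs[1] < 2 or attrs[1] > len(attrs):
            raise ValueError("malformed attribute")
        parsed.append((attrs[0], attrs[2:attrs[1]]))
        attrs = attrs[attrs[1]:]
    return code, parsed


def radius_login(server_ip, secret, username, password, nas_ip, port=1812, timeout=5.0):
    """Send one PAP Access-Request and return True only on a verified Access-Accept."""
    identifier = os.urandom(1)[0]
    packet, req_auth = build_access_request(secret, username, password, nas_ip, identifier)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, port))
        reply, _ = sock.recvfrom(4096)
    return parse_response(reply, secret, req_auth, identifier)[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    import getpass
    # ISE and MDS addresses from the blog topology; port 1812 and PAP are assumptions.
    accepted = radius_login("10.1.18.104", getpass.getpass("Shared secret: ").encode(),
                            "cpsmartconuser", getpass.getpass("AD password: "), "10.1.18.101")
    print("Access-Accept" if accepted else "Access-Reject")
```

Run it once with cpsmartconuser and once with an AD user outside CheckPointSmartCon: the first should print Access-Accept and the second Access-Reject, and ISE's Live Logs will show which policy-set rule matched. A timeout rather than a reject usually means ISE does not recognise the source IP as a network device or the shared secret differs. Note also what the script makes visible: PAP hides the password only with an MD5 keystream derived from the shared secret, so the RADIUS path between the MDS and ISE should stay on a trusted management network, and the secret should be long and random.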





If you need any assistance with your enterprise solutions, don't hesitate to reach out to contact@spikefishsolutions.com