topic Re: Fortigate authorization with ISE in Network Access Control

Fortigate authorization with ISE

nimmi.phasil — Thu, 16 Jun 2016 13:36:04 GMT

Hi,

Anyone has done Fortigate firewall radius authorization with ISE ?

What are the Radius attributes ? I tried with

Fortinet-Group-Name

Fortinet-Access-Profile ; but not successful

Regards

Nimmi

Re: Fortigate authorization with ISE

thomas — Mon, 20 Jun 2016 16:33:42 GMT

Nimmi,

You will need to consult the Fortinet Firewall documentation for the required attributes for a successful authorization.

We have not done any explicit testing with Fortinet products but because ISE supports any standard RADIUS communications with Vendor Specific Attributes (VSAs) it should work. I searched for "fortinet radius authorization attributes" and found the Fortinet Knowledge Base article Fortinet RADIUS vendor-specific attributes (VSAs) which lists the following VSAs:

# Fortinet VSAs

VENDOR Fortinet 12356

BEGIN-VENDOR Fortinet

ATTRIBUTE Fortinet-Group-Name 1 string

ATTRIBUTE Fortinet-Client-IP-Address 2 ipaddr

ATTRIBUTE Fortinet-Vdom-Name 3 string

ATTRIBUTE Fortinet-Access-Profile 6 string

# Integer Translations

END-VENDOR Fortinet

I have also attached the above text as a plain text file named Fortinet_VSAs.txt for you to import into ISE.

To import these attributes into ISE:

1) Navigate to Policy > Policy Elements > Dictionaries

2) In the Dictionaries left panel, choose System > RADIUS > RADIUS Vendors

3) You should see a list of RADIUS Vendors that does not include Fortinet

4) Select Import

5) Browse... for the Fortinet_VSAs.txt file then click the Import button and acknowledge the dialog to import the file.

6) You should now see Fortinet in the RADIUS Vendors list:

and all of the Fortinet attributes listed under the Dictionary Attributes tab:

So you can use these attributes in your ISE Authorization Profiles per the Fortinet requirements / recommendations.

Re: Fortigate authorization with ISE

MISInfrastructure ITWorx — Tue, 14 Nov 2017 18:33:13 GMT

Hi Thomas,

I know this is an old post but I wonder if you can provide me with the rest of the configuration on ISE so I can Authenticate admin login to Fortigate.

Regards

Gamal Mohamed

Re: Fortigate authorization with ISE

hslai — Tue, 14 Nov 2017 18:42:16 GMT

Fortigate is not our product so you are best to consult Fortigate support, as Thomas suggested.

SSL VPN with RADIUS authentication from the Fortinet Cookbook might help.

Re: Fortigate authorization with ISE

MISInfrastructure ITWorx — Tue, 14 Nov 2017 18:52:02 GMT

Hi Hslai,

Many thanks for your reply.

But can you help me configure the ISE part like authentication and authorization rules and any necessary configuration?

Re: Fortigate authorization with ISE

gbekmezi-DD — Tue, 14 Nov 2017 19:46:58 GMT

Have you tried configuring authentication and authorization without success? If so, maybe you can share your configuration and logs so the community can try to help you.

George

Re: Fortigate authorization with ISE

hslai — Tue, 14 Nov 2017 20:12:18 GMT

We do not test this 3rd party device so can't tell how it working exactly.

Remote Admin login with Radius selecting admin access account profile looks like it allows using RADIUS to perform device admin so ...

Import or define the RADIUS vendor dictionary for Fortigate, as Thomas showed
Define an allowed-protocol set or use the existing one to match what configured in Fortigate
Define an authorization profile that returns the required vendor attributes. An example shown in the screenshot
Define a Network Device group for Fortigate
Define a Network Device for Fortigate and specify (4) as its group
Define some internal users or add external ID sources and/or define an ID source sequence
Create a policy set to condition on (4)
In the default authentication policy rule, use (6) as the ID source. Or, you may create additional rules as needed.
In the default authorization policy rule, use (3) as the result. Or, you may create additional rules as needed.

Good luck!

Re: Fortigate authorization with ISE

MISInfrastructure ITWorx — Thu, 16 Nov 2017 11:40:48 GMT

Hi Hslai,

I really appreciate your help.

It works

Regards

Gamal Mohamed

Re: Fortigate authorization with ISE

hslai — Thu, 16 Nov 2017 18:20:44 GMT

I am glad that you are able to get it working. If you have some time, please contribute it as a how-to doc in our community and provide details, such as the product versions you tested.

Re: Fortigate authorization with ISE

hugocarrillo — Wed, 13 Jun 2018 21:03:40 GMT

Hola Gamal Mohamed,

Tienes algun documento de el proceso que realizaste para integrar fortinet?

Podrias compartilo?

Gracias.

Saludos.

Re: Fortigate authorization with ISE

hugocarrillo — Wed, 18 Jul 2018 19:08:23 GMT

Hi Hslai

Can you help with the attributes for the authorization profile, these attributes where they were obtained? because i configure the similar situation.

Thanks for your help.

Regards.

Re: Fortigate authorization with ISE

hslai — Wed, 18 Jul 2018 19:43:24 GMT

Please follow Comment 1. and then Comment 6.