topic Re: Authentication of VPN users from CISCO ISE in Network Access Control

Authentication of VPN users from CISCO ISE

s.gupta — Fri, 24 May 2019 06:21:08 GMT

Hi all,

Can we authenticate Fortigate VPN users from Cisco ISE & can we do posture check on them? If yes can anyone help me in creating Network Device profile for Fotigate Firewall on cisco ISE & how will the redirection work for users to Client Provisioning portal on ISE.

Sooner reply will be appreciated..

Regards

Saurabh Gupta

Re: Authentication of VPN users from CISCO ISE

Jason Kunst — Fri, 24 May 2019 10:35:20 GMT

The only known network devices to support posture AFAIK are Cisco vpn concentrator (such as the ASA) that support COA. Change of authorization allows a session to switch states and update ACLs vlans or tags. It also requires a URL redirection. If running ise 2.2+ then that might not be required .

This allows a device to come in and be evaluated before given full access.

Does fortigate have support of these functions?

Re: Authentication of VPN users from CISCO ISE

maf_1 — Wed, 13 Oct 2021 06:48:15 GMT

hi,

i believe fortigate does support CoA as it is RFC 5176. please refer to link below.
FortiOS Supported RFCs (fortinetweb.s3.amazonaws.com)

I too am looking to do the same. Our scenario is User-> Fortigate -> ISE( AD integrated ) -> FortiAuthenticator ( AD integrated, Using for MFA). We have done plain authentication but need clues to implement posture.

Re: Authentication of VPN users from CISCO ISE

maf_1 — Wed, 13 Oct 2021 06:49:47 GMT

As for URL redirect, i think that could work since Fortinet does push portals. But would be great to know how ISE could be setup for such a thing.