<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Cisco ISE , Fortimanager, MS Intune in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/cisco-ise-fortimanager-ms-intune/m-p/4727719#M578489</link>
    <description>&lt;P&gt;Hi rangers,&lt;/P&gt;
&lt;P&gt;I have written a couple of posts regarding the integration of Cisco ISE and other platforms/devices, and so far it looks like everything works as it should. In more detail, for authentication Cisco ISE uses Active Directory to check if a user is valid and, if so, under the authorization part it uses conditions for different domain groups along with the MDM integration to check if the device (laptop) is registered in Intune. At the same time, Cisco ISE uses different security groups on authorization rules in order to pass them to Fortimanager via pxGrid. Therefore, Fortimanager sees these security groups and applies firewall policies.&lt;/P&gt;
&lt;P&gt;Nonetheless, I have an "issue" for which I am not sure there is a solution. Not all the users from the same Active Directory group will require the same firewall policies. So let's say that I have an AD group called HR and I use that under the authorization condition. Furthermore, I give that condition a security group called HR_sgt. In that case all the AD users who belong to that AD group will get the same firewall policies. As I mentioned above, the requirement here is for users in the same group to have different firewall policies on the Fortigate, which uses the security groups from ISE. I think there is a workaround by using conditions for every single user from AD, but we are talking about 400 users. By all means a big portion of the users will share the same firewall policies, so that is easy, but all the other users are completely random. The rest of the users belong to many groups, and users in the same groups will need to have different policies. Is there a much easier way to do it than to create conditions for every single user? Unless there is another way by bringing Intune into the equation. Fortigate uses the AD agent, and every time someone logs into a domain PC the firewall picks that up from AD and applies policies. I would believe it is not the same with Intune (hybrid). When logging in to an MS Intune device, the firewall doesn't have something similar (an agent) to recognize it.&lt;/P&gt;
&lt;P&gt;Anyway, too much stuff and not sure what would be the most beneficial way to do it. Any help would be really helpful.&lt;/P&gt;
&lt;P&gt;Many Thanks&lt;/P&gt;</description>
    <pubDate>Thu, 24 Nov 2022 21:05:40 GMT</pubDate>
    <dc:creator>Nick Mavrou</dc:creator>
    <dc:date>2022-11-24T21:05:40Z</dc:date>
    <item>
      <title>Cisco ISE , Fortimanager, MS Intune</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-fortimanager-ms-intune/m-p/4727719#M578489</link>
      <description>&lt;P&gt;Hi rangers,&lt;/P&gt;
&lt;P&gt;I have written a couple of posts regarding the integration of Cisco ISE and other platforms/devices, and so far it looks like everything works as it should. In more detail, for authentication Cisco ISE uses Active Directory to check if a user is valid and, if so, under the authorization part it uses conditions for different domain groups along with the MDM integration to check if the device (laptop) is registered in Intune. At the same time, Cisco ISE uses different security groups on authorization rules in order to pass them to Fortimanager via pxGrid. Therefore, Fortimanager sees these security groups and applies firewall policies.&lt;/P&gt;
&lt;P&gt;Nonetheless, I have an "issue" for which I am not sure there is a solution. Not all the users from the same Active Directory group will require the same firewall policies. So let's say that I have an AD group called HR and I use that under the authorization condition. Furthermore, I give that condition a security group called HR_sgt. In that case all the AD users who belong to that AD group will get the same firewall policies. As I mentioned above, the requirement here is for users in the same group to have different firewall policies on the Fortigate, which uses the security groups from ISE. I think there is a workaround by using conditions for every single user from AD, but we are talking about 400 users. By all means a big portion of the users will share the same firewall policies, so that is easy, but all the other users are completely random. The rest of the users belong to many groups, and users in the same groups will need to have different policies. Is there a much easier way to do it than to create conditions for every single user? Unless there is another way by bringing Intune into the equation. Fortigate uses the AD agent, and every time someone logs into a domain PC the firewall picks that up from AD and applies policies. I would believe it is not the same with Intune (hybrid). When logging in to an MS Intune device, the firewall doesn't have something similar (an agent) to recognize it.&lt;/P&gt;
&lt;P&gt;Anyway, too much stuff and not sure what would be the most beneficial way to do it. Any help would be really helpful.&lt;/P&gt;
&lt;P&gt;Many Thanks&lt;/P&gt;</description>
      <pubDate>Thu, 24 Nov 2022 21:05:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-fortimanager-ms-intune/m-p/4727719#M578489</guid>
      <dc:creator>Nick Mavrou</dc:creator>
      <dc:date>2022-11-24T21:05:40Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco ISE , Fortimanager, MS Intune</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-fortimanager-ms-intune/m-p/4728259#M578507</link>
      <description>&lt;P&gt;Thank you for the reply. It turns out that the complexity starts with all the components of the network and systems which have to integrate. Fortigate uses the AD FSSO agent for AD, so it can pick up all the groups of the AD user and implement policies according to the group. This is when a user logs in from a domain PC. On the other hand, for the Intune hybrid PCs, as far as I can tell Cisco ISE cannot provide the same behaviour and, to be honest, it doesn't have to. Firstly, when an Intune PC connects to WiFi and the user adds his credentials, AD does not see that user as active like the domain PC, and secondly, the most important part, it cannot replicate the groups the user has in AD and send them as tags into Fortimanager. It can send only a 1-to-1 mapping tag per condition under the authz rule. Any ideas?&lt;/P&gt;</description>
      <pubDate>Fri, 25 Nov 2022 20:33:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-fortimanager-ms-intune/m-p/4728259#M578507</guid>
      <dc:creator>Nick Mavrou</dc:creator>
      <dc:date>2022-11-25T20:33:19Z</dc:date>
    </item>
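The two posts above describe an ISE authorization policy in which each rule matches an AD group (plus the Intune MDM check) and assigns exactly one SGT, and ask how to give a handful of users in the same group a different tag without writing 400 per-user conditions. The following is an added example, not code from the thread, from Cisco or from Fortinet: it models that rule set in Python, evaluates a set of constructed sessions against it, and derives the smallest ordered rule list that still gives every registered user the intended SGT. It assumes (which the page does not state) that ISE evaluates authorization rules top-down with first match winning, and that unregistered devices should fall through to a quarantine tag; every user, group, SGT and rule name is made-up sample data.

```python
"""
Added example (not from the Cisco Community thread or any vendor code):
models how an ordered Cisco ISE authorization policy resolves the
AD-group-to-SGT mapping the original post describes, and what it takes to
give individual users in the same AD group a different tag.

Assumptions (not stated on the page):
  - Rules are evaluated top-down, first match wins (ISE default behaviour).
  - Each rule carries exactly one SGT, as the follow-up post notes.
  - Devices not registered in Intune must not receive a production SGT.
All user, group, SGT and rule names below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    groups: frozenset        # AD groups ISE sees for the authenticated user
    mdm_registered: bool     # result of the ISE-to-Intune MDM lookup


@dataclass
class Rule:
    name: str
    sgt: str
    users: frozenset = frozenset()      # match on specific account names
    groups: frozenset = frozenset()     # match on AD group membership
    require_mdm: bool = True

    def matches(self, s: Session) -> bool:
        if self.require_mdm and not s.mdm_registered:
            return False
        if self.users and s.user not in self.users:
            return False
        if self.groups and self.groups.isdisjoint(s.groups):
            return False
        return True


DEFAULT_SGT = "Quarantine_sgt"   # constructed: tag for a session no rule matches


def evaluate(rules: list, s: Session) -> str:
    """First-match evaluation, as assumed for an ISE authorization policy."""
    for r in rules:
        if r.matches(s):
            return r.sgt
    return DEFAULT_SGT


def plan_rules(sessions: list, desired: dict) -> tuple:
    """Derive an ordered rule list under the one-SGT-per-rule constraint.

    The most common desired SGT within each AD group becomes that group's
    rule. Any registered user who would still get the wrong tag (because of
    a different policy, or membership in several groups) gets a per-user
    exception rule, and those exceptions are placed ABOVE the group rules:
    placed below, first-match would hand the user the group tag instead.
    Returns (ordered_rules, exception_user_names).
    """
    votes = {}                                   # group: Counter of desired SGTs
    for s in sessions:
        for g in s.groups:
            votes.setdefault(g, Counter())[desired[s.user]] += 1
    group_sgt = {g: c.most_common(1)[0][0] for g, c in votes.items()}
    group_rules = [Rule(name=f"{g}_rule", sgt=sgt, groups=frozenset({g}))
                   for g, sgt in sorted(group_sgt.items())]

    exceptions, names = [], []
    for s in sessions:
        if not s.mdm_registered:
            continue                             # stays on DEFAULT_SGT by design
        if evaluate(group_rules, s) != desired[s.user]:
            exceptions.append(Rule(name=f"{s.user}_exception",
                                   sgt=desired[s.user],
                                   users=frozenset({s.user})))
            names.append(s.user)
    return exceptions + group_rules, sorted(names)


# Constructed sample data: an HR group where one member needs payroll access,
# a user in two groups, and one Finance user whose laptop is not in Intune.
SESSIONS = [
    Session("alice", frozenset({"HR"}), True),
    Session("bob",   frozenset({"HR"}), True),
    Session("carol", frozenset({"HR"}), True),
    Session("dave",  frozenset({"HR", "Finance"}), True),
    Session("erin",  frozenset({"Finance"}), True),
    Session("frank", frozenset({"Finance"}), False),
]
DESIRED = {   # constructed: the SGT the firewall admin wants each user to carry
    "alice": "HR_sgt", "bob": "HR_sgt", "carol": "HR_Payroll_sgt",
    "dave": "Finance_sgt", "erin": "Finance_sgt", "frank": "Finance_sgt",
}


def summarize(sessions: list, desired: dict) -> dict:
    """Run the planner and check every registered user receives the intended tag."""
    ordered, exception_users = plan_rules(sessions, desired)
    assigned = {s.user: evaluate(ordered, s) for s in sessions}
    registered_ok = all(assigned[s.user] == desired[s.user]
                        for s in sessions if s.mdm_registered)
    return {"rule_order": [r.name for r in ordered],
            "exception_users": exception_users,
            "assigned": assigned,
            "registered_ok": registered_ok}


if __name__ == "__main__":
    for key, value in summarize(SESSIONS, DESIRED).items():
        print(f"{key}: {value}")
```

On the sample data the planner ends up with three rules (one exception above two group rules) instead of six per-user rules, and the unregistered device falls through to the quarantine tag. The exception list is also exactly the set of users one would move into a dedicated AD group (for example an HR_Payroll group mapped to its own SGT) if the goal is to keep the ISE policy purely group-based rather than maintaining per-user conditions.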
    <item>
      <title>Re: Cisco ISE , Fortimanager, MS Intune</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-ise-fortimanager-ms-intune/m-p/4731203#M578596</link>
      <description>&lt;P&gt;Integrate FortiManager with ISE via pxGrid.&lt;/P&gt;</description>
      <pubDate>Thu, 01 Dec 2022 20:33:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-ise-fortimanager-ms-intune/m-p/4731203#M578596</guid>
      <dc:creator>ahollifield</dc:creator>
      <dc:date>2022-12-01T20:33:13Z</dc:date>
    </item>
  </channel>
</rss>

