topic Cisco ISE and Fortinet Standalone Switch integration in Network Access Control

Cisco ISE and Fortinet Standalone Switch integration

poornakumar2542 — Tue, 18 Nov 2025 07:36:39 GMT

Hi Team,

Can anyone tell me how to do the integration between cisco ise and fortiswitch.And in cisco ise side i am using normal cisco network profile only is it enough for basic 802.1x authentication.

Re: Cisco ISE and Fortinet Standalone Switch integration

Ben Weber — Tue, 18 Nov 2025 08:46:18 GMT

Hey @poornakumar2542

You shouldn't need to touch the ISE side of the house. The FortiSwitch can be configured to act as a standard 802.1X authenticator.

Firstly, configure the RADIUS server settings to point at your ISE PSNs.

Then you need to enable 802.1X authN on the relevant switchports and make sure the relevant VLANs that ISE will assign have been configured.

You should also set up RADIUS accounting.

If you are trying to use Fortinet attributes (aka VSAs), you need to import the FortiGate VSAs from this link into ISE: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Fortinet-s-RADIUS-Dictionary-and-VSAs-latest/ta-p/194896

If you just want standard 802.1X authN, that should all be up and running once you've set up the RADIUS settings on the FortiSwitch.

Re: Cisco ISE and Fortinet Standalone Switch integration

RamsesDE — Sat, 25 Apr 2026 13:22:31 GMT

Some notes: Cisco ISE Patch 10/11 — 802.1X Auth Breakes with FortiSwitch

Tthe recent patch 10 or 11 of Cisco ISE breaks the 802.1X authentication requests originated from a FortiSwitch.

This is due to the fact that the Radius attribute service-type=framed is not being sent with the request by default. Cisco ISE now requires this attribute to be present in the radius request.

The fix is the following:

Fortiswitch # config user radius
Fortiswitch (radius) # show
config user radius
edit "ISE_Group"
set nas-ip x.x.x.x
set secret ENC ...
set server "x.x.x.x"
next
end

Fortiswitch (radius) # edit ISE_Group_NAC
Fortiswitch (ISE_Group_NAC) # show full-configuration | grep service
unset service-type <-----

Fortiswitch (ISE_Group_NAC) # set service-type framed <--- add this
Fortiswitch (radius) # end

Hope this helps someone having this issue.

Re: Cisco ISE and Fortinet Standalone Switch integration

Stefan Mihajlov — Sat, 25 Apr 2026 19:03:14 GMT

@poornakumar2542 Cisco porifle might technicaly work, best practice to use strd RADIUS network device profile in ISE you can ensure the FortiSW correctly interprets attributes w/o failing Cisco-prop param's.. to "finish" this integration try to add sw into ISE using shared secret -> configure FortiSW to pint ISE as RADIUS 🙂

Re: Cisco ISE and Fortinet Standalone Switch integration

RamsesDE — Sun, 26 Apr 2026 23:09:37 GMT

Reminder, for dynamic vlan's, use Tag id = 0 instead of the default 1