Cisco ISE & Fortigate ( User based policy)

Nick Mavrou
Level 1

Hi Guys,

I have an implementation which requires a FortiGate FW to recognize a user when it is connecting to WiFi over dot1x. The RADIUS server is Cisco ISE and the external ID I am using is MS Active Directory. The whole communication between the client and the Cisco ISE happens over certificates, so all good here. Is there any way for the FortiGate to be able to see that and then apply a firewall policy based on the user? In other words, is there a way for an external device to see that login in Cisco ISE and perform custom actions?

Many Thanks


4 Replies

@Nick Mavrou yes, you can use pxgrid between ISE and FortiManager to exchange user/IP mappings for use in firewall rules.

https://docs.fortinet.com/document/fortimanager/6.2.0/new-features/610138/cisco-pxgrid-ise


@Rob Ingram Nice, thank you very much. Quick question though: the example shows local users in ISE. Do you know if this is doable using identities/users from AD?

@Nick Mavrou yes, it works with users authenticated by ISE from an external identity store such as AD, LDAP, etc.
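As an added illustration of the pxGrid answer above (this is not code from the thread, from Cisco or from Fortinet): a small Python routine that turns a pxGrid session-directory response into the user/IP mapping a firewall would consume, keeping only active user sessions (AD-authenticated users included) and refusing to map an IP that two active users claim. The record layout and field names (state, userName, adNormalizedUser, adUserDomainName, ipAddresses) are assumptions about the pxGrid 2.0 session topic, the sample records are constructed, and no live ISE call is made.

```python
import json

# Constructed sample shaped like a pxGrid 2.0 session-directory
# (com.cisco.ise.session / getSessions) response; field names are assumed.
SAMPLE_SESSIONS = json.dumps({"sessions": [
    {"state": "STARTED", "userName": "alice", "adNormalizedUser": "alice",
     "adUserDomainName": "corp.example.com", "ipAddresses": ["10.1.1.20"],
     "providers": ["Active Directory"], "ssid": "corp-wifi"},
    {"state": "STARTED", "userName": "host/lab-pc.corp.example.com",
     "ipAddresses": ["10.1.1.21"]},
    {"state": "DISCONNECTED", "userName": "bob", "adNormalizedUser": "bob",
     "adUserDomainName": "corp.example.com", "ipAddresses": ["10.1.1.22"]},
    {"state": "STARTED", "userName": "carol", "adNormalizedUser": "carol",
     "adUserDomainName": "corp.example.com", "ipAddresses": ["10.1.1.23"]},
    {"state": "STARTED", "userName": "dave", "adNormalizedUser": "dave",
     "adUserDomainName": "corp.example.com", "ipAddresses": ["10.1.1.23"]},
]})


def user_ip_mappings(payload):
    """Build {ip: "domain\\user"} from active user sessions.

    Returns (mappings, conflicts). An IP claimed by two different active
    users is ambiguous (NAT, a shared endpoint, or a stale session ISE has
    not torn down yet), so it is dropped from mappings and reported instead:
    a user-based firewall rule must never match on an uncertain identity.
    """
    mappings, conflicts = {}, {}
    for s in json.loads(payload).get("sessions", []):
        if s.get("state") != "STARTED":
            continue  # disconnected/expired sessions must not drive policy
        user = s.get("adNormalizedUser") or s.get("userName", "")
        if not user or user.startswith("host/"):
            continue  # machine authentication carries no user identity
        domain = s.get("adUserDomainName")
        identity = f"{domain}\\{user}" if domain else user
        for ip in s.get("ipAddresses", []):
            if ip in conflicts:
                conflicts[ip].add(identity)
            elif ip in mappings and mappings[ip] != identity:
                conflicts[ip] = {mappings.pop(ip), identity}
            else:
                mappings[ip] = identity
    return mappings, conflicts


if __name__ == "__main__":
    active, ambiguous = user_ip_mappings(SAMPLE_SESSIONS)
    for ip, who in sorted(active.items()):
        print(f"{ip:15} -> {who}")
    for ip, users in sorted(ambiguous.items()):
        print(f"{ip:15} !! ambiguous: {', '.join(sorted(users))}")
```

On the sample, only alice's session survives as a usable mapping; the machine-auth session and the disconnected session are skipped, and 10.1.1.23 is reported as ambiguous rather than mapped.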

j656
Level 1

Did you ever get this to work? We are looking at doing the same thing. FortiManager sees the groups, but does not see any users.