12-17-2018 07:23 AM
Good day,
Is there any official support for integrating ISE with FortiGate/FortiAPs?
Want to know the possibility of using ISE as the RADIUS server to authenticate wireless users using FortiAPs.
12-17-2018 07:29 AM
It depends on how you want them to integrate with ISE. ISE is a standards-based RADIUS server. Chances are good that basic 802.1X authentication will work. However, if you are looking to integrate for use cases such as BYOD then you will most likely have to figure out if they support RADIUS CoA and URL-Redirect. You can also explore using a NAD profile.
Regards,
-Tim
12-17-2018 07:49 AM
Oh ok, thanks a lot for the reply.
That's some good information.
Do you know if there is any official documentation to refer to customers that are interested in doing this type of integration?
12-17-2018 08:01 AM
12-17-2018 10:23 AM
Ok cool, thanks a lot.
Will check the links.
12-17-2018 10:03 AM
12-17-2018 10:24 AM
Got you,
thanks much for the reply.
02-17-2019 11:18 PM
Did you ever get this to work?
12-24-2019 08:25 AM
I am also curious if you ever got this to work and what dictionary set you used?
04-16-2020 09:56 AM
Hi guys,
Unfortunately I was unable to configure/test out this kind of implementation. Has anyone been able to?
08-11-2020 08:13 PM
After working with TAC and Fortinet support I was able to get this to work for 802.1x authentications.
11-26-2020 02:46 PM
Hi AdamF1, I hope you are very well.
Could you share the configuration that was done so that everything works correctly?
Thank you.
11-30-2020 06:31 AM
Create a new device profile for Fortinet controller and apply the appropriate protocols and conditions to 802.1x and MAB.
-MAB- IEEE 802.11 and call check
-802.1x- IEEE 802.11
Build out the controller in network devices and apply the profile.
Depending on your policies, you may need to build out a new one that sits above it, as authentication may continue to try and use it and fail. You can make it unique by setting it to something like call-station id (MAC address of controller); this way only devices utilizing it will hit the policy. Just be careful when editing your global policy sets and conditions you create, as you could impact your current authentications.
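
The two match conditions listed in the reply above, as an added example that is not part of the original thread and not Cisco or Fortinet code: it parses RADIUS Access-Request attributes and reports which flow type (MAB or 802.1X) those conditions would select. It assumes "IEEE 802.11" means NAS-Port-Type 19 and "call check" means Service-Type 10 (RFC 2865 values); the packets, MAC address and SSID are constructed.

```python
import struct

# RADIUS attribute types and values (RFC 2865)
SERVICE_TYPE, CALLED_STATION_ID, NAS_PORT_TYPE = 6, 30, 61
CALL_CHECK, WIRELESS_802_11, ETHERNET = 10, 19, 15

def parse_attributes(packet: bytes) -> dict:
    """Return {type: first value} from a RADIUS packet; reject malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def classify(packet: bytes) -> str:
    """Map an Access-Request to the flow type the profile conditions select."""
    attrs = parse_attributes(packet)
    as_int = lambda t: int.from_bytes(attrs.get(t, b""), "big")
    if as_int(NAS_PORT_TYPE) != WIRELESS_802_11:
        return "no-match"
    # Assumption: MAB is tested first, since its condition is the narrower one.
    return "wireless-mab" if as_int(SERVICE_TYPE) == CALL_CHECK else "wireless-802.1x"

def called_station(packet: bytes):
    """Called-Station-Id as text, usable as a policy-set condition."""
    value = parse_attributes(packet).get(CALLED_STATION_ID)
    return value.decode("ascii", "replace") if value else None

def build_request(attrs):
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

u32 = lambda n: n.to_bytes(4, "big")
# Constructed samples; the MAC and SSID are placeholders.
STATION = (CALLED_STATION_ID, b"02-00-00-00-00-01:lab-ssid")
MAB_REQ = build_request([(NAS_PORT_TYPE, u32(WIRELESS_802_11)), (SERVICE_TYPE, u32(CALL_CHECK)), STATION])
DOT1X_REQ = build_request([(NAS_PORT_TYPE, u32(WIRELESS_802_11)), STATION])
WIRED_REQ = build_request([(NAS_PORT_TYPE, u32(ETHERNET)), (SERVICE_TYPE, u32(CALL_CHECK))])
```

Running a captured Access-Request from the controller through `classify` shows whether it sends the attributes the profile conditions expect before you change any policy sets.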