01-01-2022 07:41 AM
Hi,
I have a scenario where multiple offices (different customers) are connecting to the same data center via FortiGate firewall IPsec tunnels and SSL users (FortiClient). We want to manually allow each laptop/mobile device (non-domain) connecting to us. All devices use LDAP credentials to log in to SSL as well as to access network resources.
If we deploy Cisco ISE in our network, can we control all remote devices (laptops and mobiles) that get authentication from LDAP to connect to our resources? We want to ensure each employee logs in only from an allowed device; even if they have credentials to connect, without our permission they shouldn't get connected.
Thanks.
01-06-2022 01:46 PM
Hello @Rizwan Haider
If your question relates to FortiGate VPN authentication with ISE, then yes, that is doable.
The FortiGate VPN would need to send RADIUS requests to ISE to request Authentication/Authorization. I haven't done this myself, and I am not sure what version of FortiGate you're using, but perhaps you can follow the hints in this Cookbook to set up how to talk to ISE? If the FortiGate device requires custom RADIUS attribute responses from ISE, then you can check out this link that discusses how to do that in ISE.