11-24-2022 01:05 PM
Hi rangers,
I have written a couple of posts regarding the integration of Cisco ISE and other platforms/devices, and so far it looks like everything works as it should. In more detail, for authentication Cisco ISE uses Active Directory to check if a user is valid and, if so, under the authorization part it uses conditions for different domain groups along with the MDM integration to check if the device (laptop) is registered in Intune. At the same time, Cisco ISE uses different security groups on the authorization rules in order to pass them to FortiManager via pxGrid. Therefore, FortiManager sees these security groups and applies firewall policies.
Nonetheless, I have an "issue" which I am not sure has a solution. Not all the users from the same Active Directory group will require the same firewall policies. So let's say that I have an AD group called HR and I use that under the authorization condition. Furthermore, I give to that condition a security group called HR_sgt. In that case all the AD users who belong to that AD group will get the same firewall policies. As I mentioned above, the requirement here is for users in the same group to have different firewall policies on the FortiGate, which uses the security groups from ISE. I think there is a workaround by using conditions for every single user from AD, but we are talking about 400 users. By all means a big portion of the users will share the same firewall policies, so that is easy, but all the other users are completely random. The rest of the users belong to many groups, and users in the same groups will need to have different policies. Is there a much easier way to do it than to create conditions for every single user? Unless there is another way by bringing Intune into the equation. The FortiGate uses the AD agent, and every time someone logs into a domain PC, the firewall picks that up from the AD and applies policies. I would believe it is not the same with Intune (hybrid). When logging in to an MS Intune device, the firewall doesn't have something similar (an agent) to recognize it.
Anyway, too much stuff and not sure what would be the most beneficial way to do it. Any help will be really helpful.
Many Thanks
12-01-2022 12:33 PM
Integrate FortiManager with ISE via pxGrid.
11-25-2022 12:33 PM