Cisco ISE , Fortimanager, MS Intune

Nick Mavrou
Level 1

Hi rangers,

I have written a couple of posts regarding the integration of Cisco ISE and other platforms/devices, and so far it looks like everything works as it should. In more detail, for authentication Cisco ISE uses Active Directory to check if a user is valid and, if so, under the authorization part it uses conditions for different domain groups along with the MDM integration to check if the device (laptop) is registered in Intune. At the same time, Cisco ISE uses different security groups on authorization rules in order to pass them to FortiManager via pxGrid. Therefore, FortiManager sees these security groups and applies firewall policies.

Nonetheless, I have an "issue" which I am not sure there is a solution for. Not all the users from the same Active Directory group will require the same firewall policies. So let's say that I have an AD group called HR and I use that under the authorization condition. Furthermore, I give that condition a security group called HR_sgt. In that case all the AD users who belong to that AD group will get the same firewall policies. As I mentioned above, the requirement here is for users in the same group to have different firewall policies on the FortiGate, which uses the security groups from ISE. I think there is a workaround by using conditions for every single user from AD, but we are talking about 400 users. By all means a big portion of the users will share the same firewall policies, so that is easy, but all the other users are completely random. The rest of the users belong to many groups, and users in the same groups will need to have different policies. Is there a much easier way to do it than to create conditions for every single user? Unless there is another way by bringing Intune into the equation. The FortiGate uses the AD agent and every time someone logs into a domain PC, the firewall picks that up from AD and applies policies. I would believe it is not the same with Intune (hybrid). By logging in to an MS Intune device, the firewall doesn't have something similar (an agent) to recognize it.

Anyway, too much stuff and not sure what would be the most beneficial way to do it. Any help will be really helpful.

Many Thanks
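The flow the question describes (ISE authorization rules keyed on AD group plus Intune registration, one security group tag per matching rule, FortiGate policy chosen by that tag) can be modelled to see why every member of an AD group lands on the same firewall policy and why the per-user workaround the poster mentions works by rule ordering. This is an added example, not code from Cisco, Fortinet or the original poster; ISE evaluates authorization rules top-down and stops at the first match, and every user name, group name, SGT value and policy name below is constructed.

```python
"""Toy model of ISE authz -> SGT -> FortiGate policy, as described in the post.

Added example (not vendor code). Constructed users, groups, SGTs and policies.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class User:
    name: str
    ad_groups: Set[str]          # groups ISE learns from Active Directory
    intune_registered: bool      # result of the MDM (Intune) check


@dataclass(frozen=True)
class AuthzRule:
    name: str
    condition: Callable[[User], bool]
    sgt: str                     # a rule yields exactly one tag (1:1, as the poster notes)


# Constructed rule set. ISE is first-match, so a per-user exception rule must
# sit ABOVE the group rule or it is never reached.
RULES: List[AuthzRule] = [
    AuthzRule("HR_alice_exception",
              lambda u: u.name == "alice" and "HR" in u.ad_groups and u.intune_registered,
              "HR_restricted_sgt"),
    AuthzRule("HR_group",
              lambda u: "HR" in u.ad_groups and u.intune_registered,
              "HR_sgt"),
    AuthzRule("Finance_group",
              lambda u: "Finance" in u.ad_groups and u.intune_registered,
              "FIN_sgt"),
]

# Constructed FortiGate policy table keyed by the SGT learned over pxGrid.
FW_POLICY: Dict[str, str] = {
    "HR_sgt": "allow-hr-apps",
    "HR_restricted_sgt": "allow-hr-apps-no-internet",
    "FIN_sgt": "allow-finance-apps",
}


def authorize(user: User, rules: List[AuthzRule] = RULES) -> Optional[str]:
    """Return the SGT of the first matching authz rule, or None for no match (deny)."""
    for rule in rules:
        if rule.condition(user):
            return rule.sgt
    return None


def firewall_policy(user: User, rules: List[AuthzRule] = RULES) -> str:
    """Resolve the FortiGate policy for a session from its SGT; unknown or no tag -> deny."""
    sgt = authorize(user, rules)
    return FW_POLICY.get(sgt, "deny") if sgt else "deny"


def policies_for_group(users: List[User], group: str) -> Dict[str, str]:
    """Map every member of one AD group to the policy the firewall would apply."""
    return {u.name: firewall_policy(u) for u in users if group in u.ad_groups}


# Constructed sample population.
USERS: List[User] = [
    User("alice", {"HR"}, True),             # has a per-user exception rule
    User("bob", {"HR"}, True),               # plain HR member
    User("carol", {"HR"}, False),            # HR but not Intune-registered
    User("dave", {"Finance"}, True),
    User("eve", {"HR", "Finance"}, True),    # two groups, but only one tag is sent
]

if __name__ == "__main__":
    for u in USERS:
        print(f"{u.name:6} sgt={authorize(u)!s:18} policy={firewall_policy(u)}")
    print(policies_for_group(USERS, "HR"))
```

Bob and Eve both collapse onto HR_sgt and therefore the same firewall policy, Eve's Finance membership is never expressed as a tag because the first matching rule wins, and Carol is denied by the Intune check. Differentiating Alice costs one extra rule placed above the group rule, which is exactly the per-user rule count the poster is trying to avoid at 400 users.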

Accepted Solution

Integrate FortiManager with ISE via pxGrid.


2 Replies

Nick Mavrou
Level 1
It turns out that the complexity starts with all the components of the network and systems which have to integrate. FortiGate uses the AD FSSO agent for AD so it can pick up all the groups of the AD user and implement policies according to the group. This is when a user logs in from a domain PC. On the other hand, for the Intune hybrid PCs, as far as I can tell Cisco ISE cannot provide the same behaviour and, to be honest, it doesn't have to. Firstly, when an Intune PC connects to WiFi and the user adds his credentials, AD does not see that user as active like the domain PC, and secondly, the most important part, it cannot replicate the groups the user has in AD and send them as tags into FortiManager. It can send only a 1 to 1 mapping tag per condition under the authz rule.

Any ideas??
