Cisco ISE RADIUS can't contact FortiGate

shaikh.zaid22
Level 3

Hi guys,

Recently I replaced the secondary unit of an A-P mode Fortinet firewall cluster, which was integrated with Cisco ISE as the RADIUS server for AAA.

Now, after replacing it, I have lost ISE contact with both FGTs and am unable to log in with AD credentials.

The topology is as follows:

We have an A-P mode cluster in the DMZ and another pair of Fortinet FWs in an A-P mode cluster in the mgmt zone, behind which we have VMware NSX, where the Cisco ISE VM appliance sits for AAA.

The firewalls have a dedicated mgmt interface for web UI/SSH access.

The DMZ FWs communicate with ISE via a transit IP, 10.1.1.10, which is allowed on the mgmt FWs for UDP port 1812 for RADIUS.

The NSX is allowed for the same IP and port.

I ran debug on the FGT and found the ISE connection STARTS and then times out.

I want to run a similar packet capture on the ISE CLI to confirm whether the RADIUS request is coming in or not.

Also, the environment is static; no change has been made in recent months. I am not seeing any request coming into ISE from the DMZ FWs when I test RADIUS connectivity.

11 Replies

@shaikh.zaid22 if the FGT does not receive a response back from ISE, then either ISE does not receive the request or it was denied. Is the request sent to ISE from the correct IP address, as defined in the NAD on ISE? Is the shared secret correct (the same on both the FGT and ISE)?

You capture packets via the GUI on ISE; you cannot do it via the CLI. Navigate to Diagnostic Tools > Tcpdump - https://video.cisco.com/detail/video/6365837680112


@Rob Ingram Thanks for the reply.

FGT debugs show the ISE connection STOP due to time-out. ISE diagnostic tcpdump does not receive any packets.

About ISE receiving the request from the correct IP as mentioned in the NAD settings, the answer is:

>> Since the FGT sits in the DMZ network with mgmt IP 10.10.200.10 and transit IP 10.1.1.10 towards the ISE, which is in the management zone, when I test the connection from the FGT RADIUS settings for ISE, I see IP 10.1.1.10 as the outgoing IP address from the FGT, as well as on the management zone FGT as the incoming IP 10.1.1.10 towards ISE IP 10.10.50.50.

After this we have the NSX FW before it reaches the ISE VM.

So my understanding of the traffic flow is as follows; let me know if I am right:

> Admin accesses the DMZ FGT via browser > enters his AD credentials > Enter

> DMZ FGT request goes towards the management FGT with outgoing transit IP 10.1.1.10

> Management FGT receives 10.1.1.10 on its incoming interface towards the destination, ISE 10.10.50.50, on its outgoing interface

> NSX FW receives the incoming request from IP 10.1.1.10 towards the ISE IP

> Finally ISE receives the traffic; however, here the glitch is that the NAD IP here is 10.10.200.10,

> which I believe is wrong because the NAD IP configured is different.

So where am I going wrong on the DMZ FGT, where the request should come out from its mgmt IP itself? Because the route on it for ISE is from the transit IP 10.1.1.10 only.

@shaikh.zaid22 under the RADIUS configuration on the FGT, is the source IP address the mgmt IP or not defined? If not defined, then it would likely use the egress IP as the RADIUS source. Or could the traffic be NATed behind the FGT on 10.1.1.10 instead of 10.10.200.10?
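The two checks raised in this thread (does the request arrive from the IP defined in the NAD, and is the shared secret the same on both sides) are exactly the order in which a RADIUS server evaluates an inbound Access-Request: it looks the NAD up by the UDP/IP source address of the datagram, not by any attribute inside the packet, and only then verifies the Message-Authenticator with that NAD's secret. Both failures are silent on the wire, so the client just sees a timeout, which is what the FGT debug reported. The script below is an added illustration written for this page, not Cisco or Fortinet code; the NAD table, secrets and addresses are constructed placeholders that follow the thread's addressing (mgmt IP 10.10.200.10 defined on ISE, traffic actually egressing from transit IP 10.1.1.10).

```python
"""Constructed example: what a RADIUS server does with an inbound Access-Request.
NAD lookup is keyed on the UDP/IP source address of the datagram, not on any
attribute inside the packet, and the shared secret is only checked after that
lookup succeeds. Addresses and secrets are hypothetical, modelled on the thread."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80

# Constructed NAD table: the server knows the DMZ FortiGate only by its mgmt IP.
NAD_TABLE = {
    "10.10.200.10": b"constructed-secret-dmz-fgt",  # placeholder secret
}


def _attr(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, nas_ip, secret, authenticator=None):
    """Build an Access-Request carrying a Message-Authenticator (RFC 2869 5.14).

    The HMAC-MD5 is keyed with the shared secret and computed over the whole
    packet with the Message-Authenticator value zeroed.
    """
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    ma_value_offset = 20 + len(attrs) + 2  # where the 16 MAC bytes will sit
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:ma_value_offset] + mac + packet[ma_value_offset + 16:]


def parse_attributes(packet):
    """Return {type: (value_offset, value)} for the attributes in a packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet) or length < 20:
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = (pos + 2, packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def evaluate_request(packet, src_ip, nad_table=NAD_TABLE):
    """Server-side handling of one Access-Request received from src_ip.

    Returns 'unknown-nad', 'malformed', 'bad-secret' or 'ok'. The first three
    produce no reply on the wire, which the client reports as a timeout.
    """
    secret = nad_table.get(src_ip)  # keyed on the datagram's source, not NAS-IP-Address
    if secret is None:
        return "unknown-nad"
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        return "malformed"
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return "malformed"
    if ATTR_MESSAGE_AUTHENTICATOR not in attrs:
        return "malformed"
    offset, received = attrs[ATTR_MESSAGE_AUTHENTICATOR]
    if len(received) != 16:
        return "malformed"
    zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        return "bad-secret"
    return "ok"


def demo():
    """Replay the thread's three situations against the constructed NAD table."""
    secret = NAD_TABLE["10.10.200.10"]
    good = build_access_request(1, "admin", "10.10.200.10", secret)
    wrong = build_access_request(2, "admin", "10.10.200.10", b"placeholder-wrong")
    return {
        "from-mgmt-ip": evaluate_request(good, "10.10.200.10"),
        "from-transit-ip": evaluate_request(good, "10.1.1.10"),  # same packet, wrong source
        "wrong-secret": evaluate_request(wrong, "10.10.200.10"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The "from-transit-ip" case is the thread's situation: the packet itself still claims NAS-IP-Address 10.10.200.10, but because the datagram arrives from 10.1.1.10 the NAD lookup fails before the secret is ever checked, so either the FGT must source RADIUS from the IP defined on ISE or that source IP must be defined as a NAD. A packet capture on the server would still show such a request arriving, so an empty tcpdump, as reported later in the thread, points further upstream than the NAD match.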

@Rob Ingram Thanks for the reply.

Actually I was thinking the same: to set the source IP under the FGT RADIUS config, or NAT on the FW policy instead.

But again, if I do set the source IP as that of its mgmt IP address, then I believe it should work, because across all the other FWs and NSX I see the source IP defined is that of the mgmt IP.

I will check tomorrow and update you.

Btw, I also have an RSA config on the FGT as RADIUS, and its source IP is set to the loopback IP (10.1.1.2) of the FGT interface.


@Rob Ingram Today I tried setting the source IP as that of the mgmt IP address, but the command does not work; it says I do not have an interface in the root VDOM. Just to give you some insight, the DMZ FW has a physical dedicated mgmt interface.

However, when I added the transit IP 10.1.1.10 as the NAD IP, it did work. But this is making all my other dependent configurations go haywire. With this transit IP access, I can't be sure whether the admin is accessing the primary or secondary FW.

SolarWinds is configured for auto-backup with specific mgmt IP addresses for all FWs.

@shaikh.zaid22 this confirms the problem is with the source of the RADIUS traffic on the FortiGate, not an ISE problem.

As this is the Cisco community, you'd probably be better posting in the Fortinet forum or raising a TAC case with Fortinet.

Yes, I am working with FGT TAC. ISE is working fine.

Why are you using RADIUS and not SAML? What is the use-case?

@ahollifield thanks for the reply.

It's an on-prem network.

So? You can certainly use SAML for on-prem.

As of now, priority is to fix the issue.