04-19-2016 08:51 PM - edited 03-10-2019 11:41 PM
Hi,
I am working to get my Cisco ISE to send out accounting messages to the Fortigate for RSSO (RADIUS Single Sign-On) to work on the Fortigate firewall. I tried adding the Fortigate to the remote logging targets and added the Fortigate under the logging categories (Accounting & RADIUS Accounting). After doing this, I ran a Wireshark capture and found that ISE sends the accounting messages to the Fortigate in syslog format. I need ISE to send the accounting info in RADIUS format for RSSO to work on the Fortigate firewall.
I have already got this working using a Windows RADIUS server (NPS). So, based on what I did in Windows, I tried to replicate the same on ISE. I added the Fortigate as an external RADIUS server. I added a RADIUS server sequence with the RADIUS attribute Class and keyed in a custom string for it. I keyed in the same attribute on the Fortigate as well. Then I added an authentication policy that selects "Use Proxy Service" (using the RADIUS server sequence I created) instead of "Allowed Protocols". I moved this policy to the top.
Then I created an authorisation policy for the same. In the authorisation policy, under Results --> Authorisation Profile, I added the Class attribute. But whenever I add it there, after saving, the Class attribute sits next to ASA VPN.
Please confirm whether my settings are OK, or whether there is another way to get ISE to send the accounting messages in RADIUS format to the Fortigate.
P.S.: I only need to forward the accounting logs; there is no need to send the authentication requests. There was an option in the Windows RADIUS server where I could specify that authentication should happen on the Windows RADIUS server and the accounting info be sent to a remote RADIUS server group.
Any help with this is highly appreciated.
Best Regards,
SSK
06-09-2016 04:38 PM
I'm facing the same problem sending RADIUS accounting info to an Internet proxy to do content filtering / granularity. Does anyone have news about that? Maybe someone from Cisco Support.
Rgds,
Vanderlei
11-14-2018 12:59 PM - edited 11-15-2018 02:59 AM
Hi,
I can see 2 possibilities:
* There is a feature request on ISE:
Enhancement request for Cisco ISE to send RADIUS accounting messages (CSCvd83297) to Fortigate
* Preferred solution: feature request to send duplicate RADIUS accounting messages from our Cisco WLC 5520 to ISE "and" to Fortigate.
TAC case: 685509546 led to this Enhancement request: CSCvn10645
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn10645
best regards,
Wim
04-23-2016 09:37 AM
I am having the same problem too; I am not able to find a way to forward only the accounting flow to external RADIUS servers.
04-24-2016 08:25 AM
Yes. The authentication requests are also getting redirected to the Fortigate along with the accounting messages. The requirement is to only send the accounting messages, which is not happening.
08-21-2016 04:04 AM
Hi,
I have the same issue here. How did you manage to send both authentication and accounting from ISE? Can you block RADIUS auth based on port number?
Is it possible to use syslog-ng? Has anyone succeeded with that?
If it doesn't work, I need to purchase Aruba ClearPass Guest Manager...
We have ISE Express.
Thanks for your help,
05-18-2017 05:41 AM
I asked Cisco TAC to add this feature and thankfully I got enhancement request ID CSCvd83297:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd83297/?referring_site=bugquickviewredir
I hope Cisco adds it soon.
06-06-2016 07:19 AM
Did you find a solution to this? I need to replicate accounting messages to the Fortigate. Today it is working perfectly with FreeRADIUS, but I want to move to ISE...
Thanks in advance
Diego
06-07-2016 12:37 AM
Hi Diego,
I was able to see the RSSO logs on the Fortigate after some config changes on ISE. But all the authentications failed because ISE sent both the authentication and accounting info to the Fortigate. So we gave up on the project.
This can work perfectly with FreeRADIUS and the Microsoft NPS server :(
Regards,
Swathy S
06-07-2016 04:49 AM
Hi Swathy,
Thanks for your fast reply. This is a bummer! I thought it was too good to be true! ISE has plenty of nice features, but not all the ones we need! I guess I will have to continue using FreeRADIUS until I find a solution with ISE.
Thanks,
d
08-08-2018 07:25 AM
Is it solved? I don't know about that solution...
06-29-2016 07:32 AM
Is anyone from Cisco out there able to confirm whether replication of accounting messages only is possible?
Thanks
d
07-20-2016 08:13 PM
Same issue here. I need to forward accounting only to a BlueReef server.
I can set my WLC to send accounting that way, but ISE will then not see the accounting packets.
Future TrustSec plans mean that ISE MUST see the accounting packets.
I can do this on a switch for wired connections by using multiple RADIUS groups.
I need the functionality either in ISE or on the WLC.
Help please, Cisco.
07-21-2016 12:37 AM
Hi Tony,
I have the same issue. I haven't really moved forward with this, but this is what I think might work:
Get Cisco ISE to send syslog messages to a Linux server, and run this script, which transforms your syslog messages into accounting messages that you can forward to your other devices. I know it is a workaround, but until Cisco adds that feature, if they ever do, I think it is the only way to go.
http://liveaverage.com/features/coding/making-cisco-identity-firewall-and-ise-play-nice/
Cheers
d
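The syslog-to-RADIUS relay sketched in the post above, written out as an added example; it is not code from this thread or from the linked script. It takes an ISE-style "Radius-Accounting" syslog line, extracts the key=value attributes, builds an RFC 2866 Accounting-Request with a correct Request Authenticator, and only treats the forward as successful when the listener's Accounting-Response authenticator verifies against the shared secret (so a spoofed or wrongly-keyed ACK is rejected). The syslog line layout, the shared secret, the target address and the attribute subset are assumptions, not taken from the page.

```python
"""
Added example (not from the forum thread): relay an ISE-style RADIUS accounting
syslog line as an RFC 2866 Accounting-Request to a RADIUS accounting listener
(for instance a FortiGate RSSO collector on UDP/1813).

Assumptions, none of which come from the page: the syslog body carries
comma-separated key=value pairs as in SAMPLE_SYSLOG below; the secret, target
host and attribute subset are illustrative.
"""
import hashlib
import hmac
import socket
import struct

ACCT_REQUEST = 4    # RFC 2866 Accounting-Request
ACCT_RESPONSE = 5   # RFC 2866 Accounting-Response
SECRET = b"s3cret"  # illustrative shared secret (assumption)

# RADIUS attribute number and wire type for the attributes we relay (RFC 2865/2866)
ATTR = {
    "User-Name": (1, "string"),
    "Framed-IP-Address": (8, "ipaddr"),
    "Class": (25, "string"),
    "Calling-Station-Id": (31, "string"),
    "Acct-Status-Type": (40, "integer"),
    "Acct-Session-Id": (44, "string"),
}
ACCT_STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3}

# Constructed sample syslog line; the real ISE format may differ (assumption)
SAMPLE_SYSLOG = (
    "<182>Apr 19 20:51:12 ise01 CISE_RADIUS_Accounting 0000123456 1 0 "
    "2016-04-19 20:51:12.345 +00:00 0000987654 3000 NOTICE Radius-Accounting: "
    "RADIUS Accounting start request, ConfigVersionId=12, "
    "Device IP Address=10.0.0.5, NetworkDeviceName=SW1, "
    "User-Name=jdoe, Acct-Status-Type=Start, Acct-Session-Id=00000042, "
    "Framed-IP-Address=10.10.10.23, Calling-Station-Id=00-11-22-33-44-55, "
    "Class=rsso-group-a"
)


def parse_syslog(line):
    """Return the key=value pairs of an accounting syslog line as a dict."""
    fields = {}
    for item in line.split(", "):
        key, sep, value = item.partition("=")
        if sep:  # items without '=' (the syslog header/prefix) are skipped
            fields[key.strip()] = value.strip()
    return fields


def encode_attr(name, value):
    """Encode one attribute as RADIUS TLV: type (1) | length (1) | value."""
    code, kind = ATTR[name]
    if kind == "ipaddr":
        data = socket.inet_aton(value)
    elif kind == "integer":
        data = struct.pack("!I", ACCT_STATUS[value] if name == "Acct-Status-Type" else int(value))
    else:
        data = value.encode("utf-8")
    if len(data) > 253:
        raise ValueError(f"{name} too long for a RADIUS attribute")
    return struct.pack("!BB", code, len(data) + 2) + data


def _request_authenticator(header, attrs, secret):
    """RFC 2866 s3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_accounting_request(fields, secret, identifier):
    """Build a complete Accounting-Request from parsed syslog fields."""
    attrs = b"".join(encode_attr(n, fields[n]) for n in ATTR if n in fields)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier & 0xFF, 20 + len(attrs))
    return header + _request_authenticator(header, attrs, secret) + attrs


def make_response(request, secret, attrs=b""):
    """What a compliant listener sends back: authenticator binds the request's one."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Accept only an Accounting-Response whose authenticator checks out under `secret`."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def forward(packet, host, port=1813, secret=SECRET, timeout=3.0):
    """Send one Accounting-Request over UDP; True only on a verified Accounting-Response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_response(data, packet, secret)


if __name__ == "__main__":
    fields = parse_syslog(SAMPLE_SYSLOG)
    pkt = build_accounting_request(fields, SECRET, 1)
    print(f"{len(pkt)}-byte Accounting-Request for {fields['User-Name']} ({fields['Acct-Status-Type']})")
    # forward(pkt, "192.0.2.10", 1813, SECRET)  # uncomment against a real listener
```

In a real deployment the relay would read lines from the syslog receiver (or from syslog-ng's program() destination), keep the identifier unique per outstanding request, and retransmit on a missing response; the part that matters for security is that the forwarded packet carries a proper Request Authenticator and that the reply is verified with the secret rather than accepted on arrival.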