Cisco ISE unable to send Accounting messages in RADIUS protocol format to fortigate for RSSO

swathys011
Level 1

Hi ,

I am working to get my Cisco ISE to send out accounting messages to Fortigate for RSSO (Radius Single Sign On) to work on the Fortigate firewall. I tried adding the Fortigate to the Remote logging targets and added the Fortigate under the Logging categories (Accounting & Radius Accounting). By doing this, I ran a Wireshark capture and found that the ISE sends the accounting messages to Fortigate in SYSLOG format. I need ISE to send the Accounting info in RADIUS format for RSSO to work on the Fortigate firewall.

I have already got this working by using a Windows Radius server (NPS). So based on what I did in Windows I tried to replicate the same on ISE. I added Fortigate as an External Radius Server. I added a Radius server sequence with the Radius attribute Class and keyed in a custom string for it. I have keyed in the same attribute at the Fortigate also. Then I added an authentication policy by selecting "Use Proxy Service" (using the Radius server sequence I created) instead of "Allowed Protocols". I brought this policy to the top.

Then I created an authorisation policy for the same. In the Authorisation policy Results --> Authorisation profile, I added the Class attribute. But whenever I add it there, after saving, the Class attribute sits next to ASA VPN.

Please confirm if my settings are OK or if there is any other way to get ISE to send the accounting messages in RADIUS format to Fortigate.

P.S.: I only need to forward the accounting logs; there is no need to send the authentication requests. There was an option in the Windows Radius server where I could specify that authentication should happen on the Windows Radius server and send the accounting info to a remote Radius server group.

Any help with this is highly appreciated.

Best Regards,

SSK

2 Accepted Solutions


I'm facing the same problem to send Radius accounting info to an Internet proxy to do content filtering / granularity. Does someone have news about that? Maybe someone from Cisco Support.

Rgds,

Vanderlei


Hi,

I can see 2 possibilities:

* There is a feature request on ISE:

Enhancement request for Cisco ISE to send RADIUS accounting messages (CSCvd83297) to Fortigate

* Preferred solution: Feature request to send duplicate radius accounting messages from our Cisco WLC 5520 to ISE "and" to Fortigate.

TAC case 685509546 led to this Enhancement request: CSCvn10645

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn10645

Best regards,

Wim


16 Replies

b.qawadri
Level 1

I am having the same problem too. I am not able to find a way to forward only the accounting flow to external radius servers.

swathys011
Level 1

Yes. The authentication requests are also getting redirected to Fortigate along with the accounting messages. The requirement is to only send the accounting messages, which is not happening.

Hi,

I got the same issue here. How did you manage to send both authentication and accounting from ISE? Can you block radius auth based on port number?

Is it possible to use syslog-ng? Has anyone succeeded with that?

If it doesn't work, I need to purchase Aruba ClearPass Guest Manager...

We got ISE Express.

Thanks for your help,

I asked Cisco TAC to add this feature and thankfully I got enhancement request ID CSCvd83297:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd83297/?referring_site=bugquickviewredir

I hope Cisco adds it soon.

Diego Cairns
Level 1

Did you find the solution to this? I need to replicate accounting messages to Fortigate. Today it is working perfectly with FreeRADIUS, but I want to move to ISE...

Thanks in advance

Diego

Hi Diego,

I was able to see the RSSO logs on the Fortigate after some config changes on ISE. But all the authentications failed because ISE sent both the authentication and accounting info to Fortigate. So we gave up on the project.

This can work perfectly with FreeRADIUS and Microsoft NPS server :(

Regards,

Swathy S

Hi Swathy,

Thanks for your fast reply. This is a bummer!! I thought it was too good to be true! ISE has plenty of nice features, but not all the ones we need! I guess I will have to continue using FreeRADIUS until I find a solution with ISE.

Thanks,

d


Is it solved? I don't know about that solution...

I would recommend reaching out to your account team to request the feature from our product management.


Diego Cairns
Level 1

Anyone from Cisco out there to confirm that replication of accounting messages only is possible?

Thanks

d

tony.parker
Level 1

Same issue here. I need to forward Accounting only to a BlueReef server.

I can set my WLC to send accounting that way, but ISE will then not see the accounting packets.

Future Trustsec plans mean that ISE MUST see the accounting packets.

I can do this on a switch for wired connections by using multiple RADIUS groups.

I need the functionality either in ISE or on the WLC.

Help please, Cisco.

Hi Tony,

I have the same issue. I haven't really moved forward with this, but this is what I think might work:

Get Cisco ISE to send syslog messages to a Linux server, then run this script that transforms your syslog messages into accounting messages that you can forward to your other devices. I know it is a workaround, but until Cisco adds that feature, if they ever do, I think it is the only way to go.

http://liveaverage.com/features/coding/making-cisco-identity-firewall-and-ise-play-nice/

Cheers

d
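The syslog-to-RADIUS relay idea from the last reply, as an added example written for this page (it is not the linked script and not Cisco or Fortinet code). It parses the Key=Value pairs of a constructed ISE accounting syslog line, rebuilds them as an RFC 2866 Accounting-Request with a correct Request Authenticator, and can forward it over UDP to the firewall's RSSO listener. The syslog key names, the shared secret, and the listener port 1813 are assumptions.

```python
import hashlib
import re
import socket
import struct

# ISE syslog key names -> RADIUS attribute type codes (RFC 2865/2866).
# Key spellings are assumed from typical ISE accounting syslog output.
ATTR_IDS = {"User-Name": 1, "Framed-IP-Address": 8, "Calling-Station-ID": 31,
            "Acct-Status-Type": 40, "Acct-Session-Id": 44}
STATUS_TYPES = {"Start": 1, "Stop": 2, "Interim-Update": 3}

# Constructed sample line in the shape of an ISE RADIUS accounting syslog.
SAMPLE_LINE = ("<182>Jan 10 12:00:00 ise01 CISE_RADIUS_Accounting 0000001234 1 0 "
               "User-Name=alice, NAS-IP-Address=10.0.0.5, Framed-IP-Address=10.1.2.3, "
               "Calling-Station-ID=00-11-22-33-44-55, Acct-Status-Type=Start, "
               "Acct-Session-Id=0a000005000001a2, Acct-Authentic=RADIUS")

def parse_syslog(line):
    """Extract Key=Value pairs from an ISE accounting syslog line."""
    return dict(re.findall(r"([A-Za-z-]+)=([^,]+)", line))

def encode_attr(attr_id, value):
    """Encode one RADIUS AVP as Type, Length, Value."""
    if attr_id == 8:                      # ipaddr-typed attribute
        data = socket.inet_aton(value)
    elif attr_id == 40:                   # enumerated integer attribute
        data = struct.pack("!I", STATUS_TYPES[value])
    else:                                 # string-typed attribute
        data = value.encode()
    return struct.pack("!BB", attr_id, 2 + len(data)) + data

def build_acct_request(fields, secret, ident=1):
    """Build an Accounting-Request (Code 4) with the RFC 2866 Request Authenticator."""
    avps = b"".join(encode_attr(ATTR_IDS[k], v) for k, v in fields.items() if k in ATTR_IDS)
    header = struct.pack("!BBH", 4, ident, 20 + len(avps))
    # Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + b"\x00" * 16 + avps + secret).digest()
    return header + auth + avps

def verify_authenticator(pkt, secret):
    """Recompute the Request Authenticator the receiving firewall would check."""
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return pkt[4:20] == expected

def forward(line, secret, host, port=1813):
    """Parse one syslog line and send it as RADIUS accounting to the RSSO listener."""
    pkt = build_acct_request(parse_syslog(line), secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(pkt, (host, port))
    return pkt
```

Only attributes present in ATTR_IDS are relayed, so authentication traffic never leaves ISE; the receiver drops any packet whose authenticator does not match its configured shared secret.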