Cisco ISE unable to send Accounting messages in RADIUS protocol format to fortigate for RSSO

swathys011
Level 1

Hi,

I am working to get my Cisco ISE to send out accounting messages to Fortigate for RSSO (RADIUS Single Sign On) to work on the Fortigate firewall. I tried adding the Fortigate to the Remote logging targets and added the Fortigate under the Logging categories (Accounting & RADIUS Accounting). By doing this, I ran a Wireshark capture and found that the ISE sends the accounting messages to Fortigate in SYSLOG format. I need ISE to send the Accounting info in RADIUS format for RSSO to work on the Fortigate firewall.

I have already got this working by using a Windows RADIUS server (NPS). So based on what I did in Windows, I tried to replicate the same on ISE. I added Fortigate as an External RADIUS Server. I added a RADIUS server sequence with the RADIUS attribute Class and keyed in a custom string for it. I have keyed in the same attribute at Fortigate also. Then I added an authentication policy by selecting "Use Proxy Service" (using the RADIUS server sequence I created) instead of "Allowed Protocols". I brought this policy to the top.

Then I created an authorisation policy for the same. In the Authorisation policy Results --> Authorisation profile, I added the Class attribute. But whenever I add it there, after saving, the Class attribute sits next to ASA VPN.

Please confirm if my settings are OK or if there is any other way to get ISE to send the accounting messages in RADIUS format to Fortigate.

P.S.: I only need to forward the accounting logs; there is no need to send the authentication requests. There was an option in the Windows RADIUS server where I could specify that authentication should happen on the Windows RADIUS server and send the Accounting info to a remote RADIUS server group.

Any help with this is highly appreciated.

Best Regards,

SSK

16 Replies

The Cisco WLC won't allow sending Radius Accounting to more than one server in parallel.  Aruba and others do support this, so it's not a technical impossibility.

We had this problem as well and we solved it using a load balancer.  We send the Radius Accounting to a VIP (Virtual IP) and then the load balancer has the brains to send one copy to ISE, and another copy to a web proxy (in our case).  If you don't have the spare cash for an F5/Citrix solution, then you could probably build your own load balancer using nginx (I did this once based on some google searches).  I reckon that perhaps using a Freeradius server would also do the trick. Send your accounting records to a Freeradius server, and then have it proxy the traffic to multiple destinations.
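
The fan-out relay described above, as an added example that is not part of this reply or of any vendor product: a minimal RADIUS accounting relay in Python that verifies the incoming Accounting-Request against the NAS shared secret (RFC 2866), re-signs it for each downstream server's own secret, and returns the Accounting-Response for the NAS. The addresses and secrets are placeholders; the sample Accounting-Start is constructed for the demonstration.

```python
import hashlib
import hmac

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

def attr(attr_type, value):
    """Encode one RADIUS attribute as Type / Length / Value (RFC 2865 section 5)."""
    return bytes([attr_type, 2 + len(value)]) + value

def request_authenticator(ident, attrs, secret):
    """RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = bytes([ACCOUNTING_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_accounting_request(ident, attrs, secret):
    header = bytes([ACCOUNTING_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + request_authenticator(ident, attrs, secret) + attrs

def verify_accounting_request(packet, secret):
    """True only if the packet is well-formed and signed with the shared secret."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    if int.from_bytes(packet[2:4], "big") != len(packet):  # no trailing padding accepted here
        return False
    expected = request_authenticator(packet[1], packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)

def build_accounting_response(request, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Secret); no attributes."""
    header = bytes([ACCOUNTING_RESPONSE, request[1]]) + (20).to_bytes(2, "big")
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def relay_accounting(packet, client_secret, destinations):
    """Fan out a verified Accounting-Request to every (address, secret) in destinations.
    Returns (response for the NAS, [(address, re-signed packet), ...]). A packet whose
    authenticator does not verify is dropped silently and nothing is forwarded."""
    if not verify_accounting_request(packet, client_secret):
        return None, []
    ident, attrs = packet[1], packet[20:]
    forwarded = [(addr, build_accounting_request(ident, attrs, sec)) for addr, sec in destinations]
    return build_accounting_response(packet, client_secret), forwarded

# Constructed sample: an Accounting-Start for user 'alice'; secrets and hosts are placeholders.
SAMPLE_ATTRS = (attr(1, b"alice")                     # User-Name
                + attr(40, (1).to_bytes(4, "big"))    # Acct-Status-Type = Start
                + attr(8, bytes([10, 1, 2, 3])))      # Framed-IP-Address 10.1.2.3
NAS_SECRET = b"nas-secret-placeholder"
DESTINATIONS = [("ise.example.invalid", b"ise-secret-placeholder"),
                ("fortigate.example.invalid", b"fgt-secret-placeholder")]
SAMPLE_REQUEST = build_accounting_request(7, SAMPLE_ATTRS, NAS_SECRET)
```

In a real deployment the relay would bind UDP/1813, hand each datagram to relay_accounting, and send the forwarded packets over separate sockets so each downstream server sees the relay as its NAS client.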

What did you do to get this to send one copy to ISE and another copy to a web proxy?  An iRule?