Cisco ISE unable to send Accounting messages in RADIUS protocol format

mciarcia
Level 1

Hi,
I am working to get my Cisco ISE to send out accounting messages to Fortigate for RSSO (RADIUS Single Sign On) to work on the Fortigate firewall. I tried adding the Fortigate to the Remote logging targets and added the Fortigate under the Logging categories (Accounting & Radius Accounting). By doing this, I ran a Wireshark capture and found that ISE sends the accounting messages to Fortigate in SYSLOG format. I need ISE to send the Accounting info in RADIUS format for RSSO to work on the Fortigate firewall.

1 Accepted Solution

Arne Bier
VIP

Hello @mciarcia
ISE does not generate RADIUS Accounting records on its own accord. No RADIUS server does that. It's only the NAS/NAD (RADIUS clients) who generate the RADIUS Accounting records and then send them to a RADIUS server.

There are two approaches you could take:

  1. Add the Fortigate as an additional RADIUS Server (IP address of the Fortigate device(s)) to all the relevant client devices (switches, routers, WLC etc.) - in the Cisco world this is not always possible to send RADIUS Accounting to more than one server concurrently - but other vendors allow that. Your mileage may vary.
  2. Send all of your RADIUS Accounting traffic to a load balancer, instead of directly to ISE. The Load Balancer can replicate the traffic to more than one destination - ISE is one destination, and Fortigate is another destination. The F5 LTM for example can do this.

Hope that sort of helps. None of these approaches are simple.
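For readers comparing what they see in a capture: the following is an added example, not code from the thread or from Cisco or Fortinet. It encodes a RADIUS Accounting-Request (code 4, RFC 2866) the way a NAS would, and shows the receiver-side check that any accounting consumer (ISE, a load balancer fan-out target, or an RSSO listener) should perform: validating the Request Authenticator against the shared secret before trusting the user-to-IP mapping the record carries. The shared secret, user name and IP address are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RFC 2866 packet code
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_ACCT_STATUS_TYPE = 1, 8, 40
ACCT_START = 1

def build_accounting_request(secret: bytes, ident: int, attrs) -> bytes:
    """Encode an Accounting-Request as a NAS does; authenticator per RFC 2866 section 3."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()  # MD5(hdr|16 zeros|attrs|secret)
    return header + auth + body

def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: accept only Accounting-Requests keyed with our shared secret."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):  # declared length must match
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)  # TLV runs past packet
        t, ln = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + ln]
        pos += ln
    return attrs

def demo() -> dict:
    secret = b"constructed-shared-secret"  # constructed sample value, not from any deployment
    pkt = build_accounting_request(secret, 7, [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_FRAMED_IP_ADDRESS, bytes([10, 0, 0, 5])),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
    ])
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])  # flip one bit of the last attribute
    return {
        "length": len(pkt),
        "valid": verify_accounting_request(pkt, secret),
        "wrong_secret": verify_accounting_request(pkt, b"other-secret"),
        "tampered": verify_accounting_request(tampered, secret),
        "attrs": parse_attributes(pkt),
    }
```

Whichever approach above is used, the device that ends up emitting these packets toward the Fortigate (each NAS, or the load balancer) must share the secret configured on the receiving side, or every record fails this check and the session mapping is never created.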
