cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3160
Views
0
Helpful
3
Replies

Flows between an ASA and an ISE with dACL

Jeremy Dubrulle
Beginner
Beginner

Hello,

 

We are using ASA with Anyconnect VPN clients. The ASA asks the ISE to auth the user and the ISE checks the user with the Domain Controller. Once authentified, the ISE pushes downloadable ACL depending on the user. These ACL are then used by the ASA to restrict the rights of the user.

I'm not sure of how it works, I mean the exchange since the beginning until the ACL on the ASA, I don't know this thing. But I have to tell if we can replace the ASA by Fortigate and Forticlients. So I'm trying to understand how it works so that I can tell if the ISE can still pushes its ACL if it's a Fortigate instead of an ASA. Is it a thing we can only do if we have ASA with the ISE ?

 

Can you help me, provide me documentation ?

 

Thanks,

1 Accepted Solution

Accepted Solutions

paul
Advocate
Advocate

I doubt the Fortigate will support dACLs.  If you look at the details of the RADIUS live log record for your VPN traffic you can see the RADIUS Attribute/Value (AV) pairs passed between ISE and the ASA.  The dACL is passed as AV pairs and needs to be supported by the network device.  Only Cisco devices (and not all Cisco devices) support dACLs that I know of.

 

I am guessing you can build ACLs on the Fortigate and assigning the user to a group on the Fortigate that limits their access, but I am not at Fortigate expert.

 

This may help:

 

https://kb.fortinet.com/kb/viewContent.do?externalId=FD36919&sliceId=1

 

 

View solution in original post

3 Replies 3

paul
Advocate
Advocate

I doubt the Fortigate will support dACLs.  If you look at the details of the RADIUS live log record for your VPN traffic you can see the RADIUS Attribute/Value (AV) pairs passed between ISE and the ASA.  The dACL is passed as AV pairs and needs to be supported by the network device.  Only Cisco devices (and not all Cisco devices) support dACLs that I know of.

 

I am guessing you can build ACLs on the Fortigate and assigning the user to a group on the Fortigate that limits their access, but I am not at Fortigate expert.

 

This may help:

 

https://kb.fortinet.com/kb/viewContent.do?externalId=FD36919&sliceId=1

 

 

Thanks both of you, seems we can't indeed. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers