05-13-2019 09:00 AM
Hello,
We are using ASA with AnyConnect VPN clients. The ASA asks the ISE to authenticate the user and the ISE checks the user with the Domain Controller. Once authenticated, the ISE pushes a downloadable ACL depending on the user. These ACLs are then used by the ASA to restrict the rights of the user.
I'm not sure how it works, I mean the exchange from the beginning until the ACL is on the ASA; I don't know this part. But I have to say whether we can replace the ASA with a Fortigate and FortiClients. So I'm trying to understand how it works so that I can tell whether the ISE can still push its ACLs if it's a Fortigate instead of an ASA. Is it something we can only do if we have an ASA with the ISE?
Can you help me, or provide me with documentation?
Thanks,
Labels: Identity Services Engine (ISE), VPN
Accepted Solutions
05-13-2019 12:15 PM
I doubt the Fortigate will support dACLs. If you look at the details of the RADIUS live log record for your VPN traffic you can see the RADIUS Attribute/Value (AV) pairs passed between ISE and the ASA. The dACL is passed as AV pairs and needs to be supported by the network device. Only Cisco devices (and not all Cisco devices) support dACLs that I know of.
I am guessing you can build ACLs on the Fortigate and assign the user to a group on the Fortigate that limits their access, but I am not a Fortigate expert.
This may help:
https://kb.fortinet.com/kb/viewContent.do?externalId=FD36919&sliceId=1
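To make the "dACL is passed as AV pairs" point concrete, here is an added example (not from the post above) that decodes the Vendor-Specific attributes of a RADIUS reply the way a NAD would: it keeps only Cisco (vendor 9) cisco-av-pair sub-attributes and rebuilds the ordered ACL from the ip:inacl#N= entries, while a VSA from any other vendor is skipped. The packet bytes are constructed here for the example; 12356 is assumed to be Fortinet's IANA enterprise number.

```python
import struct

CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AV_PAIR = 1     # vendor-type of the cisco-av-pair VSA
VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type

def build_vsa(vendor_id, vendor_type, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute carrying a single sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, vendor_id) + sub

def parse_attributes(attrs: bytes):
    """Yield (type, value) for every top-level RADIUS attribute TLV."""
    i = 0
    while i < len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if l < 2 or i + l > len(attrs):
            raise ValueError("malformed attribute length")
        yield t, attrs[i + 2:i + l]
        i += l

def cisco_av_pairs(attrs: bytes):
    """Return cisco-av-pair strings; VSAs of other vendors are ignored, as a non-Cisco NAD would."""
    pairs = []
    for t, v in parse_attributes(attrs):
        if t != VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(v):
            vt, vl = v[j], v[j + 1]
            if vl < 2 or j + vl > len(v):
                raise ValueError("malformed VSA sub-attribute length")
            if vt == CISCO_AV_PAIR:
                pairs.append(v[j + 2:j + vl].decode("ascii"))
            j += vl
    return pairs

def dacl_entries(attrs: bytes):
    """Collect ip:inacl#N=<ace> pairs and return the ACEs in sequence-number order."""
    entries = []
    for p in cisco_av_pairs(attrs):
        if p.startswith("ip:inacl#"):
            seq, ace = p[len("ip:inacl#"):].split("=", 1)
            entries.append((int(seq), ace))
    return [ace for _, ace in sorted(entries)]

# Constructed sample: attribute section of a dACL download reply, entries deliberately out of order
SAMPLE = (build_vsa(CISCO_VENDOR_ID, CISCO_AV_PAIR, b"ip:inacl#2=deny ip any any")
          + build_vsa(CISCO_VENDOR_ID, CISCO_AV_PAIR, b"ip:inacl#1=permit tcp any host 10.0.0.5 eq 443")
          + build_vsa(12356, 1, b"Engineering"))  # assumed Fortinet VSA: a group name, not an ACL
```

Checking the same attribute bytes with the vendor filter is a quick way to confirm what a device that only understands its own VSAs would actually receive from ISE.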
05-13-2019 12:09 PM

05-15-2019 12:53 AM
Thanks to both of you; it seems we can't indeed.
