Forescout as a radius client to ISE

SMD28316 (Level 1)

I want to configure Forescout to be a RADIUS client to ISE. Do I just configure it as a NAD, or are there other configurations that need to be applied on the ISE side?

Forescout will be like a RADIUS server by proxy to another network device. Is there anything I should take into consideration on ISE?

9 Replies

lrojaslo (Cisco Employee)

It is not the common integration with ISE for this product, but if your purpose is just to forward auths, then you should be fine with only that config.

thomas (Cisco Employee)

As a RADIUS server, ISE should support requests from any RADIUS client.

Yes, if ForeScout would be a RADIUS client, it should be defined in ISE as a network device.

For all I know of Forescout, the device only works via SNMP walk (traffic mirroring), contrary to ISE. Let's say we add only the EM as a RADIUS client with Cisco ISE:

  • This will be a conflict of interest; Forescout claims to be a NAC solution (so it shouldn't need another NAC device to make it work as expected).
  • How will ISE handle the RADIUS requests with Forescout having, for example, at least 80k endpoints or 2M endpoints, which has been the highest client endpoint count I'd worked with using Forescout? Are we saying Cisco licensing will be free? If not, then:

A) Why would a customer buy more licenses from Cisco to make Forescout work? (At least they will need a base license to start with RADIUS requests.)

B) Why would the customer not make use of the base license if they can afford it, and work with ISE using only that via Context Visibility and place their ISE policy on it?

To me, orchestrating both devices makes no technology sense; either buy into one and bin the other. If Cisco can advance more on DTLS tunnelling with legacy devices to work with ISE and leverage their license to be affordable, then most customers won't buy into any other product.

Also, Forescout is the only product out there that offers no free trial of their software for personal lab evaluation (with this you will know it is still a work in progress).

Many Thanks

How, @thomas?

@SMD28316 needs to be explicit about how this is a solution, as stated on the thread. Forescout is a security device like Cisco ISE; if this is a helpful solution, then what we are saying here is that we can as well define Cisco ISE as a RADIUS client on another Cisco ISE?

Forescout is meant to do what Cisco ISE is doing, either agentless or with an agent (SecureConnector). And @SMD28316 should defend what makes this helpful, as stated below on this thread where he/she has been tagged.

We are here to educate one another, not to mislead others, especially new colleagues on this same career path. Any helpful solution means such is viable and applicable, but in this case it is not. I have worked with both tools and the device here (Forescout) as SME / Technical Design Architect for the same, whilst Cisco remains my strength.

Afolarin Omole (Level 1)

First, I will say good luck, because this vendor Forescout is still going through cascading. Also remember the platform it works on, even though they claim it is a NAC solution, which I have had several meetings with vendors to prove wrong. The Forescout architecture is below:

1. Enterprise Server

2. Counteract Appliance

Now this vendor claims they are a NAC solution and agentless, though you end up using SecureConnector to perfect this work, and since they are not a RADIUS server like Cisco ISE, then it can never be a NAC product but rather application access control (more like traffic assessment).

Also, if you are familiar with ISE you will definitely know that the only aspect used by the vendor "Forescout" is the Context Visibility, and their licensing structure is affordable, which conforms with the security architecture saying of "security to be affordable"; also they are legacy-device friendly.

The above is just a brief for you to have an explicit understanding of these kits and why customers are using them.

Back to your question, I will say the only way to do this is via Forescout orchestration (that's if there is an API in place for that); aside from this I don't see any other way, except you want to add Forescout EM and its numerous CounterACT appliances on ISE, and this will be cumbersome if you have over 50 Forescout CounterACT appliances.

I guess you are trying to make use of the 802.1X feature of ISE? Or be explicit about the reason you are doing this. I don't know if Cisco will allow this anyway.

Bear in mind Forescout HPS inspection is based on WMI, RPC/SMB, and for Linux/OSX it is SSH, and all this is made possible through SNMP walk, which the vendor is still updating anyway and has nothing to do with RADIUS attributes like Cisco ISE.

Go back to the vendor to ask for the ISE API (which is part of their eyeExtend).

Afolarin Omole (Level 1)

Hello SMD28316,

Please can you educate us all on how you are able to do this. First, Forescout can only use proxy RADIUS. Please can you let us know the below:

  1. Did you add Forescout EM as a RADIUS client or proxy RADIUS?
  2. How did you manage ISE RADIUS requests from Forescout in terms of licensing?
  3. What is the motive of the whole architecture, i.e. adding Forescout EM on to ISE as RADIUS server?
  4. Can you explain how you came about Forescout as a Network Device (NAD) instead of as a NAC solution device?

The above questions will help on this forum, so we just don't accept solutions that will mislead others. Saying this because I have 4 years hands-on with Forescout on the job and also in the same roles use Cisco ISE. The above has been tried with no joy due to the below:

  1. Forescout performance issues (as you know, the solution is built on a Unix server)
  2. Forescout RADIUS settings as seen here: CounterACT RADIUS Plugin Configuration Guide (forescout.com)
  3. Also, conversations with a Forescout architect on RADIUS requests with ISE: no such explanation on Cisco ISE license usage.

Solutions to the above issue, from past experience: use Forescout within the legacy NAD segment of the organisation (it is independent of any NAD device as long as it is SNMP enabled and the port can be mirrored) and place Cisco ISE on other segments that are compatible with ISE.

@thomas, I agree with you, but we need to know if Forescout is a RADIUS client or a Network Device? Please educate us all; many come here to get a quick solution to a problem, not to be confused the more.

Thanks

Afolarin Omole (Level 1)

@SMD28316

Please unmark this as a solution until such time as we all have your response. Tell us how you are able to add this on ISE as a NAD.

@Afolarin Omole, network devices are RADIUS clients.

ForeScout would be configured as a RADIUS Client to ISE if they do RADIUS proxy to ISE.

@thomas, thanks for your reply. Please may I ask if you have used Forescout before or are aware of its architecture? Also, whichever way you configure a NAD as a RADIUS client to ISE, either by RADIUS proxy or the other, the purpose of such configuration is to send or request RADIUS authentication from the RADIUS server, following the below flow based on 802.1X, which I think is the purpose of all these:

Endpoints |clients (Supplicant) ---->NAD (Authenticator)------> Authentication Server (RADIUS Server)

In the above scenario:

Endpoints | clients are all the RADIUS (dot1x) enabled devices, NAD is our network access device, and the authentication server (RADIUS server) is our ISE. Between the endpoints | clients and the NAD is where our EAPOL negotiation / authentication happens, whilst we have RADIUS Access-Request | Access-Challenge and Access-Accept between the NAD and the RADIUS server (ISE).

 

Now that we have an explicit understanding of the above, I hope you will agree with me that the purpose of any device added on ISE as a NAD (RADIUS client), either via RADIUS proxy or the other way, will have to perform RADIUS Access-Request | Access-Challenge and Access-Accept against ISE.

Remember, Forescout is to do whatever ISE is intended to be doing, which means the technology is also used as a NAC device like FortiNAC, ClearPass etc. So of what use is the device added on to ISE, if its intention is to do what ISE is meant to do?

Forescout is completely different to all other NAC solutions out there because, to me, it is not a NAC solution but rather a traffic assessment tool. The device works using various plugins, e.g. RADIUS plugins, HPS inspection (uses WMI | RPC | SMB) for Windows devices, SSH for Unix and OSX; all these plugins work on traffic mirrored on to the Forescout CounterACT appliances and managed by the Forescout Enterprise Server (a GUI where you configure your policy based on Forescout's 4 C's: Classification, Clarification, Compliance and Control). That means to say Forescout is not dealing with any of the aforementioned RADIUS requests (EAPOL) above for 802.1X, so no such network interaction, but is only interested in activities (mirrored traffic) and can base its control on the NAD via configured policy to reject supplicant access via port 22 onto network devices.

 

Now let's talk about Forescout RADIUS configuration:

  1. First, add AD onto Forescout via the plugin.
  2. Configure conditions (policy) based on reply messages from the authentication source (AD).
  3. Configure RADIUS settings for ports 1812 and 1813 and other advanced settings for LDAP.
  4. The global policy via the FS Enterprise Management Server only checks for port configuration, e.g. if the port is configured for things like MAB, port-control, dot1x pae authenticator, etc.

After the above, Forescout implores all ports to be configured for 802.1X. With the above, Forescout expects to sniff all traffic (EAPOL negotiation) messages between Endpoints | clients (Supplicant) ----> NAD (Authenticator) ------> Authentication Server (RADIUS Server), which it can then place its own policy on for control purposes. Remember, Forescout configured AD as the authentication source, which stands as the authentication server.

 

Experience:

My live work on this shows no joy:

  1. Whenever Forescout gets pen tested it fails policy regulation, because this happens to be an open-authentication kind of thing, not closed authentication, so by the time it gets Forescout to enforce its control, the pen tester is already on the network and they can dynamically change MAC addresses to get the device confused.
  2. The global policy also didn't do the right thing: you can plug a non-dot1x-enabled device into the port, and since the port has the configuration Forescout is looking for, it is allowed.

In conclusion, this is why Forescout thinks if it can be integrated onto ISE then they would be able to get confirmed traffic, but let's be serious, what sense is in that? Any customer able to buy into ISE will never need another NAC solution, and Forescout is not expected to stand in as a NAD when such can do what an authenticator is meant to with ISE. And do you consider ISE licensing or conflict of interest?

 

Please let @SMD28316 tell us if he/she was able to do that. We are all learning; a helpful or accepted solution should be what has been proven 100% to work, either via lab or live experience.
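The NAD -> RADIUS server exchange described in the thread, with a RADIUS proxy defined in ISE as its own network device (thomas's point), as an added Python example that is not from the thread, Forescout or Cisco. The addresses, shared secrets, user list and the `radius_proxy`/`ise_server` functions are constructed stand-ins; the packet format and authenticators follow RFC 2865/2869, and a request from an address that is not in the server's client table is dropped, which is what happens when the proxy is not added as a NAD.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, MSG_AUTH = 1, 80                               # attribute types

PROXY_CLIENTS = {"192.0.2.7": b"switch-secret"}        # constructed: a switch behind the proxy
PROXY_IP, PROXY_SECRET = "192.0.2.5", b"proxy-secret"  # constructed proxy identity
ISE_NETWORK_DEVICES = {PROXY_IP: PROXY_SECRET}         # the ISE NAD table knows only the proxy

def pack_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def unpack_attrs(data):
    attrs, i = [], 0
    while i + 2 <= len(data) and data[i + 1] >= 2:    # stop on a truncated or zero-length TLV
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def sign_request(ident, attrs, secret):
    """Access-Request carrying an HMAC-MD5 Message-Authenticator (RFC 2869 section 5.14)."""
    attrs = [(t, v) for t, v in attrs if t != MSG_AUTH] + [(MSG_AUTH, bytes(16))]
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(pack_attrs(attrs))) + os.urandom(16)
    mac = hmac.new(secret, header + pack_attrs(attrs), hashlib.md5).digest()
    return header + pack_attrs(attrs[:-1] + [(MSG_AUTH, mac)])

def verify_request(packet, clients, src_ip):
    """Attributes if src_ip is a defined client and the Message-Authenticator matches its secret, else None."""
    secret = clients.get(src_ip)
    if secret is None:
        return None   # unknown client: silently discarded (RFC 2865 section 3)
    attrs = unpack_attrs(packet[20:])
    zeroed = pack_attrs([(t, bytes(16) if t == MSG_AUTH else v) for t, v in attrs])
    mac = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    return attrs if hmac.compare_digest(mac, dict(attrs).get(MSG_AUTH, b"")) else None

def ise_server(packet, src_ip, allowed_users=("alice",)):
    """Server side: Access-Accept/Reject for a defined NAD, or drop if unknown or forged."""
    attrs = verify_request(packet, ISE_NETWORK_DEVICES, src_ip)
    if attrs is None:
        return None
    code = ACCESS_ACCEPT if dict(attrs).get(USER_NAME, b"").decode() in allowed_users else ACCESS_REJECT
    header = struct.pack("!BBH", code, packet[1], 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + packet[4:20] + ISE_NETWORK_DEVICES[src_ip]).digest()

def radius_proxy(packet, src_ip, upstream=ise_server):
    """Proxy side: check the switch's secret, then re-sign toward ISE with the proxy's own secret."""
    attrs = verify_request(packet, PROXY_CLIENTS, src_ip)
    reply = upstream(sign_request(packet[1], attrs, PROXY_SECRET), PROXY_IP) if attrs is not None else None
    return reply[0] if reply else None   # ACCESS_ACCEPT / ACCESS_REJECT, or None if ISE dropped it
```

The switch's request only reaches a verdict because the proxy is in `ISE_NETWORK_DEVICES` with its own secret; the same request sent straight to `ise_server` from the switch's address is discarded.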