06-01-2021 11:40 PM
I want to configure Forescout to be a RADIUS client to ISE. Do I just configure it as a NAD, or are there other configurations that need to be applied on the ISE side?
Forescout will be like a RADIUS server by proxy to another network device. Is there anything I should take into consideration on ISE?
06-02-2021 07:29 AM
It is not the common integration with ISE for this product, but if your purpose is just to forward authentications then you should be fine with only that config.
06-02-2021 11:46 AM
As a RADIUS server, ISE should support requests from any RADIUS client.
Yes, if ForeScout is to be a RADIUS client, it should be defined in ISE as a network device.
06-03-2021 03:29 AM
For all I know of Forescout, the device only works via SNMP walk (traffic mirroring), contrary to ISE. Let's say we add only the EM as a RADIUS client with Cisco ISE:
A) Why would a customer buy more licenses from Cisco to make Forescout work? (At least they will need a base license to start with RADIUS requests.)
B) Why would the customer not make use of the base license if they can afford it, work with ISE using only that via Context Visibility, and place their ISE policy on it?
To me, orchestrating both devices makes no technological sense; either buy into one and bin the other. If Cisco can advance more on DTLS tunnelling with legacy devices to work with ISE and make their licensing affordable, then most customers won't buy into any other product.
Also, Forescout is the only product out there that offers no free trial of their software for personal lab evaluation (with this you will know it is still a work in progress).
Many Thanks
06-06-2021 01:37 AM
How, @thomas?
@SMD28316 needs to be explicit about how this is a solution, as stated on the thread. Forescout is a security device like Cisco ISE; if this is a helpful solution, then what we are saying here is that we can just as well define Cisco ISE as a RADIUS client on another Cisco ISE?
Forescout is meant to do what Cisco ISE is doing, either agentless or with an agent (SecureConnector). And @SMD28316 should defend what makes this helpful, as stated below on this thread where he/she has been tagged.
We are here to educate one another, not to mislead others, especially new colleagues on this same career path. Any helpful solution means it is viable and applicable, but in this case it is not. I have worked with both tools and the device here (Forescout) as SME / Technical Design Architect for the same, whilst Cisco remains my strength.
06-03-2021 02:50 AM - edited 06-03-2021 03:07 AM
First I will say good luck, because this vendor Forescout is still going through cascading. Also remember the platform it works on, even though they claim it is a NAC solution, which I have had several meetings with the vendor to prove wrong. The Forescout architecture is below:
1. Enterprise Server
2. CounterACT Appliance
Now this vendor claims they are a NAC solution and agentless, though you end up using SecureConnector to perfect this work, and since they are not a RADIUS server like Cisco ISE, it can never be a NAC product but rather application access control (more like traffic assessment).
Also, if you are familiar with ISE you will definitely know that the only aspect used by the vendor "Forescout" is the context visibility, and their licensing structure is affordable, which conforms with the security architecture saying of "security should be affordable"; also they are legacy-device friendly.
The above is just a brief so you have an explicit understanding of the difference between these kits and why customers are using them.
Back to your question: I will say the only way to do this is via Forescout orchestration (that's if there is an API in place for that). Aside from this I don't see any other way, unless you want to add the Forescout EM and its numerous CounterACT appliances on ISE, and this will be cumbersome if you have over 50 Forescout CounterACT appliances.
I guess you are trying to make use of the 802.1X feature of ISE? Or be explicit about the reason you are doing this. I don't know if Cisco will allow this anyway.
Bear in mind Forescout HPS Inspection is based on WMI, RPC / SMB, and for Linux / OSX it is SSH, and all this is made possible through SNMP walk, which the vendor is still updating anyway and has nothing to do with RADIUS attributes like Cisco ISE.
Go back to the vendor to ask for the ISE API (which is part of their eyeExtend).
06-06-2021 01:09 AM
Hello SMD28316,
Please can you educate us all on how you are able to do this. First, Forescout can only use proxy RADIUS. Please can you let us know below:
The above question will help on this forum, so we don't just accept a solution that will mislead others. I am saying this because I have 4 years hands-on with Forescout on the job and also in the same roles use Cisco ISE. The above has been tried with no joy due to the below:
Solution: to the above issue, from past experience, is using Forescout within the legacy NAD segment of the organisation (it is independent of any NAD device as long as it is SNMP enabled and the port can be mirrored) and placing Cisco ISE on other segments that are compatible with ISE.
@thomas, I agree with you, but we need to know if Forescout is a RADIUS client or a network device? Please educate us all; many come here to get a quick solution to a problem, not to be confused even more.
Thanks
06-06-2021 01:38 AM - edited 06-06-2021 01:41 AM
Please unmark this as the solution until such time as we all have your response. Tell us how you are able to add this on ISE as a NAD.
06-06-2021 05:57 PM
@Afolarin Omole, network devices are RADIUS clients.
ForeScout would be configured as a RADIUS client to ISE if it does RADIUS proxy to ISE.
06-07-2021 02:13 AM - edited 06-07-2021 02:31 AM
@thomas Thanks for your reply. Please may I ask if you have used Forescout before or are aware of its architecture? Also, whichever way you configure a NAD as a RADIUS client to ISE, either by RADIUS proxy or otherwise, the purpose of such configuration is to send or request RADIUS authentication from the RADIUS server, following the below flow based on 802.1X, which I think is the purpose of all this:
Endpoints | Clients (Supplicant) ----> NAD (Authenticator) ------> Authentication Server (RADIUS Server)
In the above scenario:
Endpoints | Clients are all the RADIUS (dot1x) enabled devices, NAD is our network access device, and the Authentication Server (RADIUS Server) is our ISE. Between the Endpoints | Clients and the NAD is where our EAPOL negotiation / authentication happens, whilst we have RADIUS Access-Request | Access-Challenge and Access-Accept between the NAD and the RADIUS Server (ISE).
Now that we have an explicit understanding of the above, I hope you will agree with me that any device added on ISE as a NAD (RADIUS client), either via RADIUS proxy or another way, will have to perform RADIUS Access-Request | Access-Challenge and Access-Accept against ISE.
Remember Forescout is to do whatever ISE is intended to be doing, which means the technology is also used as a NAC device like FortiNAC, ClearPass, etc. So of what use is the device added on to ISE, if its intention is to do what ISE is meant to do?
Forescout is completely different from all other NAC solutions out there, because to me it is not a NAC solution but rather a traffic assessment tool. The device works using various plugins, e.g. RADIUS plugins, HPS Inspection (uses WMI | RPC | SMB) for Windows devices, SSH for Unix and OSX. All these plugins work on traffic mirrored onto the Forescout CounterACT appliances and managed by the Forescout Enterprise Server (a GUI where you configure your policy based on Forescout's 4 C's: Classification, Clarification, Compliance and Control). That is to say, Forescout is not dealing with any of the aforementioned RADIUS requests (EAPOL) above for 802.1X, so there is no such network interaction; it is only interested in activities (mirrored traffic) and can base its control on the NAD via a configured policy to reject supplicant access via port 22 onto network devices.
Now let's talk about Forescout RADIUS configuration:
After the above, Forescout requires all ports to be configured for 802.1X. With the above, Forescout expects to sniff all traffic (EAPOL negotiation) messages between Endpoints | Clients (Supplicant) ----> NAD (Authenticator) ------> Authentication Server (RADIUS Server), which it can then place its own policy on for control purposes. Remember, Forescout has AD configured as the authentication source, which stands as the authentication server.
Experience:
My live work on this shows no joy.
In conclusion, this is why Forescout thinks if it can be integrated onto ISE then they would be able to get confirmed traffic, but let's be serious, what sense is in that? Any customer able to buy into ISE will never need another NAC solution, and Forescout is not expected to stand in as a NAD when such can do what an authenticator is meant to do with ISE. And do you consider ISE licensing or conflict of interest?
Please let @SMD28316 tell us if he/she was able to do that. We are all learning; a helpful or accepted solution should be what has been proven 100% to work, either via lab or live experience.