Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3186
Views
0
Helpful
3
Replies

Fortigate authentication with Cisco ISE and RSA integration issue.

Grzegorz86
Level 1
Level 1

‎07-22-2020 05:55 AM

Hi ,

I have a customer facing issues with authentication to his fortigate firewalls with the use of Cisco ISE as Radius server.

ISE is integrated with RSA Secure ID and authentication policy works for majority of devices. However there are two new Fortigate firewalls that cannot authenticate against RSA. There are old Fortigates in the network that works completely fine with ISE and RSA on the same policy. Only difference between working and not working Fortigates is that new ones are using dedicated management interface for authentication. Old ACS server deployment that exists in the network works correctly with new firewalls and ISE RSA setup.

Authentication requests are reaching ISE and credentials between ISE and fortigates are correct. However requests are failing.

I do not have screenshot of actual ISE error but it states to check RSA logs for authentication issues.

RSA mentions bad token but correct PIN as on the below. It happens for multiple users. 

ISE.png

 

I believe I seen a similar issue in the past so I do not think this is that uncommon. Has anyone got an idea what can be the problem here?

0 Helpful
3 Replies 3

Francesco Molino
VIP Alumni
VIP Alumni

‎07-22-2020 08:25 PM

Hi

Just a quick thought. Have you tried to increase the timeout or at least compare timeout on old vs new devices?
Just to make sure i understood correctly. If you use acs + rsa on these new devices it works but not when using ise + rsa?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Grzegorz86
Level 1
Level 1
In response to Francesco Molino

‎07-23-2020 01:05 AM

Hi

Yes thats correct. ACS + RSA works fine ISE + RSA does not work on these devices. However, ISE + RSA works for other devices in the network so I do not suspect there is something incorrect in the integration or radius policies. 

Do you mean timeout on Fortigate authentication or on integration between ISE and RSA ?

Regards,

Grzegorz 

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Grzegorz86

‎07-25-2020 05:55 PM

If ISE and RSA works for others, it means the timeout between them should be ok.
However, I would probably do a debug on Fortigate to see what are messages exchanged and why it is falling. Do you have at least a Fortigate working with ISE+RSA or none of them are working?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful
Customers Also Viewed These Support Documents