06-22-2016 04:30 AM
Hi,
I am authenticating Fortinet with ISE. While ISE successfully authenticates Fortinet, the authentication reply is not reaching the Fortinet firewall.
The firewall can ping ISE.
Following are the tcpdump messages. 210.18.5.70 is the Fortinet firewall.
210.18.5.70.sify.net.blackjack > ISE.radius: RADIUS, length: 101
Access Request (1), id: 0x5b, Authenticator: 2edd47c7cb141a1488ece685ed655f6e
NAS ID Attribute (32), length: 18, Value: FGT60C3G11032050
Username Attribute (1), length: 10, Value: fortinet
Password Attribute (2), length: 18, Value:
Accounting Session ID Attribute (44), length: 10, Value: 2c4fc294
Connect Info Attribute (77), length: 13, Value: admin-login
Vendor Specific Attribute (26), length: 12, Value: Vendor: Unknown (12356)
Vendor Attribute: 3, Length: 4, Value: root
Access Accept (2), id: 0x5b, Authenticator: 205dabbc626b00d9b8d58e3a7a9e5bc5
Username Attribute (1), length: 10, Value: fortinet
Service Type Attribute (6), length: 6, Value: Login
State Attribute (24), length: 67, Value: ReauthSession:ac1f01092H_GB3Ax4qI/2pYtcAtlpw9f1j3REGu8rBwJbaJ_8Xs
Class Attribute (25), length: 78, Value: CACS:ac1f01092H_GB3Ax4qI/2pYtcAtlpw9f1j3REGu8rBwJbaJ_8Xs:ISE/253643487/93219
Vendor Specific Attribute (26), length: 18, Value: Vendor: Unknown (12356)
Vendor Attribute: 1, Length: 10, Value: test-group
Vendor Specific Attribute (26), length: 19, Value: Vendor: Unknown (12356)
Vendor Attribute: 6, Length: 11, Value: super_admin
09:45:49.178300 IP (tos 0x0, ttl 252, id 1838, offset 0, flags [none], proto ICMP (1), length 56)
segment-119-227.sify.net > ISE: ICMP host 210.18.5.70.sify.net unreachable - admin prohibited filter, length 36
ISE.radius > 210.18.5.70.sify.net.blackjack: [|radius]
Regards
Nimmi
06-23-2016 12:30 PM
The response from ISE is being blocked by this device: segment-119-227.sify.net.
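The diagnosis above comes straight from the ICMP "admin prohibited" error in the capture: the hop that generates it is the device applying the filter. The following is an added example, not code from the thread, that scans tcpdump text for those errors and names the filtering hop; the sample input is constructed from the excerpt above, and the hop-distance estimate assumes the capture was taken on ISE and that the filtering device started its TTL at 255 (Linux hosts start at 64, so treat that number as a hint, not a fact).

```python
import re

# Constructed sample modelled on the tcpdump excerpt in the thread (hostnames kept as posted).
SAMPLE_DUMP = """\
210.18.5.70.sify.net.blackjack > ISE.radius: RADIUS, length: 101
Access Request (1), id: 0x5b, Authenticator: 2edd47c7cb141a1488ece685ed655f6e
Access Accept (2), id: 0x5b, Authenticator: 205dabbc626b00d9b8d58e3a7a9e5bc5
09:45:49.178300 IP (tos 0x0, ttl 252, id 1838, offset 0, flags [none], proto ICMP (1), length 56)
segment-119-227.sify.net > ISE: ICMP host 210.18.5.70.sify.net unreachable - admin prohibited filter, length 36
ISE.radius > 210.18.5.70.sify.net.blackjack: [|radius]
"""

# IP header line as printed by "tcpdump -v"; only the TTL is needed.
IP_HDR_RE = re.compile(r"^\S+ IP \(.*?\bttl (?P<ttl>\d+)\b")
# ICMP type 3 / code 13 as tcpdump renders it:
# <reporter> > <victim>: ICMP host <target> unreachable - admin prohibited filter
ICMP_RE = re.compile(
    r"^(?P<reporter>\S+) > (?P<victim>\S+): ICMP host (?P<target>\S+) unreachable - admin prohibited"
)

def find_filtering_hops(dump: str, initial_ttl: int = 255) -> list[dict]:
    """Return one record per ICMP admin-prohibited error found in tcpdump text.

    'reporter' is the hop that sent the error (the device doing the filtering),
    'victim' is the host whose packet was dropped, 'target' the unreachable host.
    'hops_from_victim' is initial_ttl minus the observed TTL (an assumption, see lead-in).
    """
    hits, ttl = [], None
    for line in dump.splitlines():
        line = line.strip()
        hdr = IP_HDR_RE.match(line)
        if hdr:
            ttl = int(hdr.group("ttl"))  # describes only the very next line
            continue
        m = ICMP_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["hops_from_victim"] = initial_ttl - ttl if ttl is not None else None
            hits.append(rec)
        ttl = None
    return hits

def summarize(dump: str) -> str:
    """One-line verdict per blocked packet, suitable for a troubleshooting note."""
    return "\n".join(
        f"{h['reporter']} is filtering traffic from {h['victim']} to {h['target']}"
        f" (about {h['hops_from_victim']} hop(s) from {h['victim']})"
        for h in find_filtering_hops(dump)
    )

if __name__ == "__main__":
    print(summarize(SAMPLE_DUMP))
```

Run it against a live `tcpdump -v -n` capture on the ISE node filtered to `udp port 1812 or icmp` to confirm which hop is rejecting the RADIUS reply before opening the port on it.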
06-22-2016 08:02 AM
Nimmi,
You said the firewall can ping ISE but the RADIUS response is still failing. This sounds like a firewall configuration problem.
Please see our Cisco ISE Ports Reference for the various ports that must be opened in the ISE architecture for different features/capabilities.
For RADIUS between ISE and your network access devices (assuming you do not change from the default ports) you will need to open:
Note: UDP port 3799 is not configurable.
If you continue to have firewall/connectivity problems, you will need to call the TAC.
06-22-2016 10:00 PM
Hi Thomas,
The same ISE is doing RADIUS authentication/authorization with other vendors like HP and Cisco.
Also, the authentication is successful on the ISE server. The problem is that the response message is not reaching the Fortinet firewall.
Regards
Nimmi MP
06-23-2016 02:59 AM
Hi,
This works with a different device. There is something filtering the message from reaching Fortinet.
Thanks for the support.
Regards
Nimmi MP