2555 Views, 0 Helpful, 3 Replies

Sending user-ip matching information from ISE to Fortigate Firewall

Sp@wn (Level 1)

Hi,

We have ISE 2.6 and a Fortigate firewall running 6.0.4. Mobile device users use domain user information when connecting to the wifi network. We want to use the username to create firewall rules for mobile devices. Some documents say FortiManager version 6.2 supports pxGrid, but we don't have a FortiManager device. We tried sending it as syslog, but it didn't work. Is there any other way to send user-IP matching information to the Fortinet firewall itself?

Note: The firewall already uses FSSO for Active Directory. I have read some RSSO-related documents, but I can't work out whether it's usable with ISE.

 

Accepted Solution

thomas (Cisco Employee)

See Security Technical Alliance Partners for the official list of Cisco Security partners for things like pxGrid.

You can also see the specific capabilities of partners implementing pxGrid @ Cisco ISE Ecosystem Partners.

To get asynchronous event information out of ISE, your options would be pxGrid or syslog.

Alternatively, you could try to pull/query it using the ISE Monitor REST API:

https://ise-mnt.domain.com/admin/API/mnt/Session/ActiveList
or
https://ise-mnt.domain.com/admin/API/mnt/Session/UserName/graham_hancock
<sessionParameters>
<passed xsi:type="xs:boolean">true</passed>
<failed xsi:type="xs:boolean">false</failed>
<user_name>graham_hancock</user_name>
<nas_ip_address>10.203.107.161</nas_ip_address>
<nas_ipv6_address>2001:cdba::357:965</nas_ipv6_address>
..

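The MnT lookups Thomas quotes return per-session XML, so whatever sits between ISE and the firewall has to parse that XML and turn it into a username-to-endpoint-IP table. Below is an added example (not code from this thread, from Cisco, or from Fortinet) that does exactly that. It assumes the element names shown in the reply (user_name, nas_ip_address, nas_ipv6_address, passed/failed), assumes the MnT API is reached over HTTPS with HTTP basic auth, and treats framed_ip_address, the field that would carry the endpoint's own address, as optional, because the original poster reports not seeing it in the UserName search output. The sample XML is constructed for the example; the xmlns declarations are included because an XML parser rejects the xsi:type attributes without them.

```python
"""Parse ISE MnT session XML and build a user -> endpoint IP map.

Added example for this thread, not ISE's or Fortinet's own code. Element names
follow the fragment quoted in the accepted answer; framed_ip_address and the
basic-auth transport are assumptions and are labelled as such below.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed sample modelled on the fragment in the accepted answer.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<sessionParameters xmlns:xs="http://www.w3.org/2001/XMLSchema"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <passed xsi:type="xs:boolean">true</passed>
  <failed xsi:type="xs:boolean">false</failed>
  <user_name>graham_hancock</user_name>
  <nas_ip_address>10.203.107.161</nas_ip_address>
  <nas_ipv6_address>2001:cdba::357:965</nas_ipv6_address>
  <framed_ip_address>192.0.2.45</framed_ip_address>
</sessionParameters>
"""

# Constructed sample for the failure mode Sp@wn describes: the session carries
# only the NAS (switch/WLC) address and no endpoint address at all.
SAMPLE_XML_NO_FRAMED = """<?xml version="1.0" encoding="UTF-8"?>
<sessionParameters xmlns:xs="http://www.w3.org/2001/XMLSchema"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <passed xsi:type="xs:boolean">true</passed>
  <failed xsi:type="xs:boolean">false</failed>
  <user_name>jdoe</user_name>
  <nas_ip_address>10.203.107.161</nas_ip_address>
</sessionParameters>
"""


def session_url(base_url, username=None):
    """Return the ActiveList URL, or the per-user lookup URL when a username is
    given. Both paths are the ones quoted in the thread."""
    base = base_url.rstrip("/") + "/admin/API/mnt/Session"
    if username is None:
        return base + "/ActiveList"
    # Percent-encode so a username with '/' or spaces cannot alter the path.
    return base + "/UserName/" + quote(username, safe="")


def fetch_session_xml(base_url, username, api_user, api_password, timeout=10):
    """Query the MnT API over HTTPS with HTTP basic auth (assumption: an ISE
    admin account that is allowed to use the MnT API). Not run offline."""
    req = urllib.request.Request(session_url(base_url, username))
    token = base64.b64encode(f"{api_user}:{api_password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/xml")
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # TLS verified
        return resp.read().decode("utf-8")


def parse_session(xml_text):
    """Extract the fields a firewall identity source cares about. Missing
    elements come back as None rather than raising."""
    root = ET.fromstring(xml_text)

    def text(tag):
        el = root.find(tag)
        return el.text.strip() if el is not None and el.text else None

    return {
        "user_name": text("user_name"),
        "passed": text("passed") == "true",
        "nas_ip_address": text("nas_ip_address"),      # the switch/WLC, not the client
        "nas_ipv6_address": text("nas_ipv6_address"),
        "framed_ip_address": text("framed_ip_address"),  # assumed endpoint address field
    }


def user_ip_map(sessions):
    """Build {user: endpoint_ip} from parsed sessions. Sessions without an
    endpoint address are reported, never silently mapped to the NAS address,
    since a rule keyed on the WLC's IP would match every client behind it."""
    mapping, missing = {}, []
    for s in sessions:
        if not s["passed"] or not s["user_name"]:
            continue  # failed or anonymous sessions carry no usable identity
        if s["framed_ip_address"]:
            mapping[s["user_name"]] = s["framed_ip_address"]
        else:
            missing.append(s["user_name"])
    return mapping, missing


if __name__ == "__main__":
    parsed = [parse_session(SAMPLE_XML), parse_session(SAMPLE_XML_NO_FRAMED)]
    print(user_ip_map(parsed))
```

The point of `user_ip_map` refusing to fall back to `nas_ip_address` is the one Sp@wn raises further down: the NAS address identifies the switch or WLC, so a firewall rule built on it would apply to every client behind that device, not to the named user.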

3 Replies

Arne Bier (VIP)

Is there any chance that the Fortigate can process a RADIUS Accounting request? If so, then perhaps you could forfeit the Accounting request going to ISE and instead configure the WLC to send Accounting to the Fortigate?

I have worked with one Web Proxy solution that required RADIUS Accounting to be sent to it. We configured the WLC to send to an F5 LTM, which then sent one copy to ISE and a duplicate copy to the web proxy. Sadly, Cisco NASs don't allow parallel copies of RADIUS Accounting to be sent; other vendors do it (it's not a technical impossibility).


Hello Thomas,

Thanks for your information. I checked the "ISE Monitor REST API" page, but I could not see an API that gives, in one query, all the authenticated users and their associated IP addresses. Even if one tries to find the IP address corresponding to the username mentioned in the firewall's rules using the username session search, it is very difficult to apply this for every rule; I don't think it will get a result, because I didn't see the user's IP address in the username session search output. I saw only the network access device (switch/WLC) IP address. If I'm wrong, please show me the truth.

Regards,
Sp@wn