Use Connect-Info [77] as condition in ISE

S-Lemming
Level 1

I'm trying to set up authentication for a Fortigate using ISE 2.1. The administrative access authentication is working and the Fortinet VID and corresponding attributes to send to the FG are configured.

The issue starts when I try to use ISE for VPN authentication from the FG as well, all VPN logins land on the same policy as the admin logins and it fails since I don't have the correct attributes to send back to FG as they differ from admin attributes. Authorization is matched on AD Groups so I was thinking I could maybe use these groups to separate the logins, however the admin users use the same login account for VPNs so it won't work either.

Looking at the login details in ISE of an admin login vs. a VPN login, the only difference between them is the Connect-Info [77] RADIUS attribute; the values of the attribute are "admin-login" vs "vpn-ssl", so I thought that would be a perfect attribute to use in the policy to check for each login type. It does though seem as if Connect-Info can't be used as a condition, only as a result, so I'm stuck.


Any ideas?
Yes, ISE should be upgraded but it's not an option at the moment.

Accepted Solution

Create the condition like the attached screenshot and call it in the authentication policy.


4 Replies

Surendra
Cisco Employee
You can create a dictionary on the ISE for FG and add this as one of the attributes after which you should be able to use this in the conditions.

Yeah, that was also my thought but when I try to create the attribute in the Dictionary it fails since the attribute name is already configured in IETF.

Connect-Info is still not visible when I create the condition as suggested, but I was able to search for it in the Attribute search box from there; that didn't work in the Policy Set view.

Thanks for the help.
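Added example, not from this thread and not Cisco or Fortinet code: the check the thread ends up building in ISE (branch on the value of RADIUS attribute 77, Connect-Info, carried in the Access-Request from the FortiGate) written out as a small RFC 2865 attribute parser so the two request types can be seen side by side. The packets, the user name, the NAS address and the authenticator bytes are constructed test data; the policy names FG-Admin-Access and FG-SSLVPN are hypothetical labels standing in for whatever the policy sets are actually called. The attribute values "admin-login" and "vpn-ssl" are the ones the original post reports.

```python
import struct

# RFC 2865 codes and attribute types used below
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CONNECT_INFO = 77  # the attribute the thread is about

# Hypothetical policy names; the Connect-Info values are from the thread.
POLICY_BY_CONNECT_INFO = {
    "admin-login": "FG-Admin-Access",
    "vpn-ssl": "FG-SSLVPN",
}
DEFAULT_POLICY = "Default"


def build_access_request(identifier, authenticator, attrs):
    """Serialise an Access-Request: code, id, length, 16-byte authenticator,
    then attribute TLVs (type, length incl. header, value). Test data only."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    length = 20 + len(body)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + body


def parse_attributes(packet):
    """Decode the attribute TLVs of a RADIUS packet into {type: [raw values]}.
    Length fields are validated so a malformed packet raises instead of
    being silently mis-parsed."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def connect_info(packet):
    """Return the Connect-Info string, or None when the attribute is absent."""
    values = parse_attributes(packet).get(ATTR_CONNECT_INFO)
    if not values:
        return None
    return values[0].decode("utf-8", errors="replace")


def select_policy(packet):
    """The condition the thread builds in ISE: pick the policy set from
    Connect-Info, falling back to a default when it is missing or unknown."""
    return POLICY_BY_CONNECT_INFO.get(connect_info(packet), DEFAULT_POLICY)


# Constructed sample requests: same user and NAS, differing only in Connect-Info,
# which is exactly the situation the original post describes.
AUTHENTICATOR = bytes(range(16))  # constructed, not a real Request Authenticator
COMMON = [(ATTR_USER_NAME, b"fg-admin"), (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
ADMIN_REQUEST = build_access_request(1, AUTHENTICATOR, COMMON + [(ATTR_CONNECT_INFO, b"admin-login")])
VPN_REQUEST = build_access_request(2, AUTHENTICATOR, COMMON + [(ATTR_CONNECT_INFO, b"vpn-ssl")])
NO_INFO_REQUEST = build_access_request(3, AUTHENTICATOR, COMMON)

if __name__ == "__main__":
    for name, pkt in (("admin", ADMIN_REQUEST), ("vpn", VPN_REQUEST), ("none", NO_INFO_REQUEST)):
        print(f"{name:5s} Connect-Info={connect_info(pkt)!r:14} -> {select_policy(pkt)}")
```

The fallback to a default policy matters in the same way as the original problem: a request without Connect-Info, or with a value nobody anticipated, should land somewhere whose returned attributes are harmless rather than on the admin policy.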
