Cisco ISE unable to send Accounting messages in RADIUS protocol format to fortigate for RSSO

Hi ,

I am working to get my Cisco ISE to send out accounting messages to Fortigate so that RSSO (RADIUS Single Sign-On) works on the Fortigate firewall. I tried adding the Fortigate to the Remote logging targets and added the Fortigate under the Logging categories (Accounting & Radius Accounting). By doing this, I ran a Wireshark capture and found that ISE sends the accounting messages to Fortigate in SYSLOG format. I need ISE to send the accounting info in RADIUS format for RSSO to work on the Fortigate firewall.

I have already got this working by using a Windows RADIUS server (NPS). So, based on what I did in Windows, I tried to replicate the same on ISE. I added Fortigate as an External Radius Server. I added a Radius server sequence with the Radius attribute "class" and keyed in a custom string for it. I have keyed in the same attribute at the Fortigate also. Then I added an authentication policy by selecting "Use Proxy Service" (using the Radius server sequence I created) instead of "Allowed Protocols". I brought this policy to the top.

Then I created an authorisation policy for the same. In the Authorisation policy Results --> Authorisation profile, I added the class attribute. But whenever I add it there, after saving, the class attribute sits next to ASA VPN.

Please confirm whether my settings are OK, or whether there is any other way to get ISE to send the accounting messages in RADIUS format to Fortigate.

P.S.: I only need to forward the accounting logs; there is no need to send the authentication requests. There was an option in the Windows RADIUS server where I could specify that authentication should happen on the Windows RADIUS server and the accounting info be sent to a remote RADIUS server group.

Any help with this is highly appreciated.

Best Regards,

SSK


I am having the same problem too. I am not able to find a way to forward only the accounting flow to external RADIUS servers.


I resolved it :). If any one

Yes. The authentication requests are also getting redirected to Fortigate along with the accounting messages. The requirement is to send only the accounting messages, which is not happening.

Hi,

I have the same issue here. How did you manage to send both authentication and accounting from ISE? Can you block RADIUS auth based on port number?

Is it possible to use syslog-ng? Has anyone succeeded with that?

If it doesn't work, I need to purchase Aruba ClearPass Guest Manager...

We have ISE Express.

Thanks for your help,

I asked Cisco TAC to add this feature, and thankfully I got enhancement request ID CSCvd83297:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd83297/?referring_site=bugquickviewredir

I hope Cisco adds it soon.

Did you find the solution to this? I need to replicate accounting messages to Fortigate. Today it is working perfectly with FreeRADIUS, but I want to move to ISE...

Thanks in advance

Diego

Hi Diego,

I was able to see the RSSO logs on the Fortigate after some config changes on ISE. But all the authentications failed because ISE sent both the authentication and accounting info to Fortigate. So we gave up on the project.

This can work perfectly with FreeRADIUS and Microsoft NPS server :(

Regards,

Swathy S

Hi Swathy, 

Thanks for your fast reply. This is a bummer!! I thought it was too good to be true! ISE has plenty of nice features, but not all the ones we need! I guess I will have to continue using FreeRADIUS until I find a solution with ISE.

Thanks,

d

I'm facing the same problem

I'm facing the same problem trying to send RADIUS accounting info to an Internet proxy to do content filtering / granularity. Does anyone have news about that? Maybe someone from Cisco Support.

Rgds,

Vanderlei

Re: I'm facing the same problem

Is it solved? I don't know about that solution...

Cisco Employee

Re: I'm facing the same problem

I would recommend reaching out to your account team to request the feature from our product management.

Re: I'm facing the same problem

Hi,

I can see 2 possibilities:

* There is a feature request on ISE:

Enhancement request for Cisco ISE to send RADIUS accounting messages (CSCvd83297) to Fortigate

* Preferred solution: feature request to send duplicate RADIUS accounting messages from our Cisco WLC 5520 to ISE "and" to Fortigate.

TAC case 685509546 led to this enhancement request: CSCvn10645

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn10645

Best regards,

Wim

Is anyone from Cisco out there able to confirm that replication of accounting messages only is possible?

Thanks

d

Same issue here. I need to forward accounting only to a BlueReef server.

I can set my WLC to send accounting that way, but ISE will then not see the accounting packets.

Future TrustSec plans mean that ISE MUST see the accounting packets.

I can do this on a switch for wired connections by using multiple RADIUS groups.

I need the functionality either in ISE or on the WLC.

Help please, Cisco.

Hi tony

I have the same issue. I haven't really moved forward with this, but this is what I think might work:

Get Cisco ISE to send syslog messages to a Linux server, and run this script, which transforms your syslog messages into accounting messages that you can then forward to your other devices. I know it is a workaround, but until Cisco adds that feature, if they ever do, I think it is the only way to go.

http://liveaverage.com/features/coding/making-cisco-identity-firewall-and-ise-play-nice/

Cheers

d
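The workaround described in the last reply, turning an ISE accounting syslog line into an RFC 2866 Accounting-Request that an RSSO collector such as the FortiGate can consume, as an added example that is not part of this thread or of the linked script. The syslog line, its field names, the Class group string and the shared secret are all constructed for illustration; ISE's real syslog schema is not reproduced here.

```python
import hashlib
import ipaddress
import re
import struct

# Constructed sample syslog line in the key=value style ISE uses for RADIUS
# accounting events (field names here are illustrative, not ISE's exact schema).
SAMPLE_SYSLOG = (
    "<181>Jun 12 10:15:02 ise-node CISE_RADIUS_Accounting 0000012345 1 0 "
    "Radius-Accounting: RADIUS Accounting start request, UserName=jdoe, "
    "NAS-IP-Address=10.0.0.5, Framed-IP-Address=10.10.20.31, "
    "AcctSessionId=0A000005000001F2, AcctStatusType=Start, Class=rsso-employees"
)

# RFC 2865/2866 attribute types; Class (25) carries the RSSO group string.
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CLASS = 1, 4, 8, 25
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3}

def parse_syslog_fields(line: str) -> dict:
    """Pull the comma-separated key=value pairs out of one syslog line."""
    return dict(re.findall(r"([A-Za-z][\w-]*)=([^,]+)", line))

def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_acct_request(fields: dict, identifier: int, secret: bytes) -> bytes:
    """Build an Accounting-Request (code 4). Its Request Authenticator is
    MD5(code + id + length + 16 zero bytes + attributes + shared secret)."""
    attrs = b"".join([
        _avp(USER_NAME, fields["UserName"].encode()),
        _avp(NAS_IP_ADDRESS, ipaddress.IPv4Address(fields["NAS-IP-Address"]).packed),
        _avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(fields["Framed-IP-Address"]).packed),
        _avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS[fields["AcctStatusType"]])),
        _avp(ACCT_SESSION_ID, fields["AcctSessionId"].encode()),
        _avp(CLASS, fields["Class"].encode()),
    ])
    header = struct.pack("!BBH", 4, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_acct_request(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: recompute the authenticator with the shared secret."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth
```

Only accounting packets are produced, so the collector never sees the Access-Requests that broke authentication for the posters above. The MD5 authenticator only detects forgery by a party without the shared secret, so the forwarded UDP stream belongs on a trusted management network.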