vigneshs
New Member
April 9, 2018
Cisco WLC + ISE + FORTIGATE

Hello fellow Fortinet users,

I have a Cisco 55xx WLC that's currently using Cisco ISE for AAA.

Considering the fact that ISE and the FortiGate are incompatible when it comes to accounting, my only choice was to configure the WLC to send accounting messages directly to the FortiGate.

While I can see all the different types of accounting messages from the WLC on the FortiGate, it's unable to fingerprint users in the logs.

I went through support and they kinda gave up on me and said that the logs HAVE to come from a RADIUS server.

Has anyone got this working, or can suggest a way for me to overcome this problem?

Cheers,

Vignesh

    Best answer by xsilver_FTNT (Staff), April 9, 2018

    Hi,

    Not sure about ISE, never used it, but in general it is not important who is sending Accounting to the FGT; it has to come with certain fields populated (basically, by default the FGT looks for Calling-Station-Id, Framed-IP-Address and Class).

    Minimal config on the FGT is then:

    ---

    config user radius
        edit "RAD_RSSO"
            set rsso enable
        next
    end

    config system interface
        edit "port1"
            set vdom "root"
            set ip 10.0.0.254 255.255.252.0
            set allowaccess ping https ssh radius-acct
            set type physical
            set snmp-index 1
        next
    end

    config user group
        edit "RSSO"
            set group-type rsso
            set sso-attribute-value "rsso-auth-group"   <--- This string has to fully match the content of the AVP set in sso-attribute (Class by default)
        next
    end

    As long as the source (NAS (WLC) or RADIUS server) is able to send those AVPs populated with correct data, it will work.

    Both user identification (set rsso-endpoint-attribute Calling-Station-Id) and the profile/group match attribute string (set sso-attribute + set sso-attribute-value) are optional.

    !! The content of sso-attribute-value has to be found in, and string-match, the received value of the AVP set in sso-attribute !!

    Troubleshoot:

    - check the WLC config that it is sending accounting to the correct IP
    - diag sniff packet / Wireshark the RADIUS traffic (default port is 1813) and check the AVPs and their content
    - diag test app radiusd X  <--- where X is the debug code, 0 for codes listing
    - diag debug app radiusd -1

    Kind regards,

    Tomas
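As an added example (not part of Tomas's answer, and not Fortinet's or Cisco's code), the script below builds the RADIUS Accounting-Request a NAS is expected to send, computes the RFC 2866 Request Authenticator, decodes a packet into its AVPs so you can confirm from a capture that Calling-Station-Id, Framed-IP-Address and Class arrive intact, reproduces the secret check behind rsso-validate-request-secret, and shows which fields the FGT picks out with the default endpoint attribute versus User-Name (the override used later in this thread). The shared secret, addresses, MAC, SSID, session id and group string are constructed values, not from any real deployment.

```python
"""RADIUS accounting as the FortiGate RSSO listener sees it (UDP 1813).
Added example, not Fortinet's or Cisco's code; the shared secret, addresses,
MAC, SSID, session id and group string below are all constructed."""
import hashlib
import socket
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5  # RFC 2866 packet codes
ACCT_START = 1                      # Acct-Status-Type value
# RFC 2865/2866 attribute types the RSSO setup above relies on.
ATTR_NAMES = {1: "User-Name", 8: "Framed-IP-Address", 25: "Class",
              30: "Called-Station-Id", 31: "Calling-Station-Id",
              40: "Acct-Status-Type", 44: "Acct-Session-Id"}
ATTR_TYPES = {v: k for k, v in ATTR_NAMES.items()}


def encode_avp(name, value):
    """One Type-Length-Value attribute; IP and status type are binary, the rest text."""
    if name == "Framed-IP-Address":
        raw = socket.inet_aton(value)
    elif name == "Acct-Status-Type":
        raw = struct.pack("!I", value)
    else:
        raw = value.encode()
    if len(raw) > 253:
        raise ValueError("AVP value too long")
    return struct.pack("!BB", ATTR_TYPES[name], len(raw) + 2) + raw


def build_acct_request(ident, secret, avps):
    """Accounting-Request. RFC 2866 Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = b"".join(encode_avp(n, v) for n, v in avps)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


def decode(packet):
    """Parse into (code, identifier, authenticator, [(name, value), ...]).
    Run it on the bytes of a captured packet to see which AVPs really arrive."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    avps, pos = [], 20
    while pos < length:
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("bad AVP length at offset %d" % pos)
        raw = packet[pos + 2:pos + alen]
        name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
        if name == "Framed-IP-Address":
            value = socket.inet_ntoa(raw)
        elif name == "Acct-Status-Type":
            value = struct.unpack("!I", raw)[0]
        else:
            value = raw.decode("utf-8", errors="replace")
        avps.append((name, value))
        pos += alen
    return code, ident, packet[4:20], avps


def request_secret_ok(packet, secret):
    """The check behind 'set rsso-validate-request-secret enable': recompute the
    Request Authenticator with our copy of the secret and compare."""
    code, _, auth, _ = decode(packet)
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return code == ACCT_REQUEST and auth == expected


def build_acct_response(request, secret):
    """Accounting-Response the FGT sends back with 'set rsso-radius-response enable':
    Response Authenticator = MD5(Code + Identifier + Length + RequestAuth + Secret)."""
    _, ident, req_auth, _ = decode(request)
    header = struct.pack("!BBH", ACCT_RESPONSE, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def rsso_view(packet, endpoint_attr="Calling-Station-Id", group_attr="Class"):
    """What the FGT pulls out with default settings: endpoint id, IP and group string.
    A missing field, or a Class that does not match sso-attribute-value, is what shows
    up as an IP with no user or group next to it in the logs."""
    avp = dict(decode(packet)[3])
    return {"user": avp.get(endpoint_attr), "ip": avp.get("Framed-IP-Address"),
            "group": avp.get(group_attr)}


# Constructed sample of what a WLC should send for one wireless client.
SECRET = b"constructed-shared-secret"
SAMPLE = build_acct_request(0x2A, SECRET, [
    ("Acct-Status-Type", ACCT_START),
    ("User-Name", "vignesh"),
    ("Calling-Station-Id", "00-11-22-33-44-55"),
    ("Called-Station-Id", "66-77-88-99-AA-BB:corp-ssid"),
    ("Framed-IP-Address", "10.84.3.36"),
    ("Class", "rsso-auth-group"),
    ("Acct-Session-Id", "5acb1f00/00:11:22:33:44:55/7"),
])

if __name__ == "__main__":
    # To replay against a FortiGate interface with radius-acct in allowaccess:
    # socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(SAMPLE, ("10.0.0.254", 1813))
    print(rsso_view(SAMPLE), rsso_view(SAMPLE, endpoint_attr="User-Name"))
```

To check a real capture, feed the UDP payload of one Accounting-Request from Wireshark or diag sniff into decode() and request_secret_ok(): if Class comes back as replacement characters or is absent, the group match cannot work, and if the attribute named in rsso-endpoint-attribute is absent, no user will be attached to the IP.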

    vigneshs (Author)
    New Member
    April 12, 2018

    Hi Tomas,

    Thanks for your reply.

    I'm not looking to do any group matching as yet, to be honest. I just want to be able to see a username/ID in front of the IP in the logs (like with FSSO).

    Here's an excerpt of my configuration:

    config system interface
        edit "INTERNAL-LAN"
            set vdom "DATA"
            set ip x.x.x.x 255.255.255.0
            set allowaccess ping https ssh http fgfm radius-acct capwap ftm
        next
    end

    config user radius
        edit "RADIUS-SSO"
            set rsso enable
            set rsso-radius-response enable
            set rsso-validate-request-secret enable
            set rsso-secret ENC lhzoQJnp7ZvUIDggrQhlWN3s/UqPZP0FOcC9D5Kquleu6Bxh8l//W06n6Jpk1aLhy8yjse5WRgqiEkXW6ud73V+1LU6HC5viTM476Jc+edFYJ0YqBRRqFnkyNGkW1hgvnGVZz+abVO67nvvGTVSx+oPE/bUr9+LWz/mZa/irWMy25mvLC0EOdVxe2vJU8+7Sv7b40g==
            set rsso-endpoint-attribute User-Name
        next
    end

    config user group
        edit "RADIUS-GROUP1"
            set group-type rsso
            set sso-attribute-value "GROUP1"
        next
    end

    From my packet capture, I can tell that the Class attribute appears mangled and there sure is a problem, and thereby I understand the group mapping will not work, but I'm wondering why I don't see the username beside the IP in the logs.

    To make this clear, please see:

    Screenshot-1: User-Name, Called-Station-Id, Calling-Station-Id etc. are visible.

    Screenshot-2: For Framed-IP-Address 10.84.3.36 under logs, there's no user mapped to this.

    Screenshot-3: Works perfectly for FSSO.

    My question is, am I missing something here? I've set rsso-endpoint-attribute User-Name, and this is what my accounting message is showing, but it just does not log it. Please note that I do not see any RSSO under user monitor in the logs either.

    Any help here would be greatly appreciated.

    Cheers,

    Vignesh

    patrick_casavant
    New Member
    July 16, 2021

    Hi Vignesh,

    I know it's an old post, but did you find a way to make this work?

    I'm trying to do exactly the same thing!

    Thanks!