Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

FortiAuthenticator Not Receiving Syslog Messages from Cisco ISE



We just deployed FAC for a client and the design is to integrate with Cisco ISE as s Syslog source to parse user details to the FAC.


All the interface services are enabled, and integration with Cisco ISE is successful, but no feed from it.


Who can help with this?




Contributor II

I might be able to offer some input on this. When you say all of the interfaces are enabled and integration with Cisco ISE is successful, can you give some more detail? I know one of the built in canned matching rules already has all of the properties of Fields to Extract for Cisco under the Syslog Sources tab. Are you saying you have that all set and successfully ran a rest to confirm? Not sure what format Cisco is supposed to be set at for sending the syslog info to the FAC, so have you confirmed that is set correctly? My non Cisco appliance is set for JSON for example. Lastly, have you confirmed that your Cisco ISE is actually sending syslog information at all (meaning its a configuration issue on the Cisco ISE itself if not)?


Dear Mujeeb,

Can you please verify the following:

- Cisco ISE is actually sending the syslog messages

-> use this command in FortiAuthenticator CLI to see traffic

exe tcpdump -i any host <Cisco IP> and port 514

- FortiAuthenticator has syslog parsing enabled not just on interface

-> check under Fortinet SSO Methods > SSO > General that Syslog SSO is enabled as well

-> the default Cisco rule that Cajuntank mentioned is set up to parse logs that Cisco ISE generates for RADIUS Accounting messages

-> if your Cisco ISE does not actually participate in RADIUS Accounting, the log messages FortiAuthenticator is looking for might not be generated

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Top Kudoed Authors