mitm2010
New Contributor

FMG 5.6 Authentication with RADIUS (Cisco ISE) users

Hello

When configuring FortiManager with a Cisco ISE RADIUS server, FMG doesn't attribute the correct profile to the user as asked by ISE.

You will find my configuration below:

On ISE side:

  • I created a new user user_ro, member of group GROUP-RO.
  • I configured the FMG device as a network device in ISE with a PSK.
  • I imported the Fortinet RADIUS dictionary in ISE.
  • I created a RADIUS profile based on the Fortinet dictionary (please refer to the screenshot to see the attributes sent by ISE).
  • I created the AuthC and AuthZ policies in ISE: if a user is a member of GROUP_RO and the device type is Fortinet, the profile should be "AuthZ-RADIUS-GROUP-RO" (please refer to the screenshot).

On FMG side:

  • I added the RADIUS server (Authentication type Auto).
  • I created the profile PROFILE_RO with RO access.
  • I created a wildcard user (I consider it as a group) from the RADIUS profile, and the profile is PROFILE_RO (please refer to the screenshot).

The problem is that when I connect to the FMG with a user who is a member of GROUP-RO, ISE sends the necessary attributes of the Access Profile with PROFILE_RO, but the FMG considers the user a member of another profile, as described below.

    # diagnose system admin-session list

    *** entry 7 ***
    session_id: 12427 (seq: 0)
    username: user_ro
    admin template: GROUP-RW
    from: GUI(1.1.1.1) (type 1)
    profile: SUPERUSER (type 1)
    adom: root
    session length: 559 (seconds)
    idle: 301 (seconds)

Does anyone have any idea how to resolve this issue?

Thank you for your help!

mitm2010
New Contributor

Please find in the attached file the group config in FMG.
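
A check for the symptom shown in the first post, added here as an example and not code from the poster or from Fortinet: it parses `diagnose system admin-session list` output and reports sessions whose effective profile differs from the intended one. The `EXPECTED` mapping, the function names and entry 8 of the sample are assumptions made for illustration.

```python
import re

# Field labels as they appear in the session listing quoted in the post.
KEYS = ["session_id", "username", "admin template", "from",
        "profile", "adom", "session length", "idle"]
_ALT = "|".join(re.escape(k) for k in KEYS)
# A value runs to the next known label, so line-per-field and run-together output both parse.
_FIELD = re.compile(rf"({_ALT}):\s*(.*?)(?=\s+(?:{_ALT}):|\s*\Z)", re.S)
_ENTRY = re.compile(r"\*{3}\s*entry\s+\d+\s*\*{3}")

def parse_sessions(text):
    """Return one dict per '*** entry N ***' block in the listing."""
    sessions = []
    for chunk in _ENTRY.split(text)[1:]:
        fields = {k: v.strip() for k, v in _FIELD.findall(chunk)}
        for k in ("session_id", "profile"):  # drop "(seq: N)" / "(type N)"
            if k in fields:
                fields[k] = fields[k].split(" (")[0]
        sessions.append(fields)
    return sessions

def audit(sessions, expected):
    """List sessions whose effective profile differs from the intended one."""
    findings = []
    for s in sessions:
        user, got = s.get("username"), s.get("profile")
        want = expected.get(user)
        if want is None:
            findings.append((user, got, "no expected profile on record"))
        elif got != want:
            findings.append((user, got, f"expected {want}"))
    return findings

# Entry 7 carries the values from the post; entry 8 is constructed for contrast.
SAMPLE = """*** entry 7 *** session_id: 12427 (seq: 0) username: user_ro admin template: GROUP-RW from: GUI(1.1.1.1) (type 1) profile: SUPERUSER (type 1) adom: root session length: 559 (seconds)
idle: 301 (seconds)
*** entry 8 ***
session_id: 12431 (seq: 0)
username: user_rw
admin template: GROUP-RW
from: GUI(192.0.2.10) (type 1)
profile: SUPERUSER (type 1)
adom: root
session length: 42 (seconds)
idle: 3 (seconds)
"""
# Intended mapping: user_ro -> PROFILE_RO is from the post; user_rw is assumed.
EXPECTED = {"user_ro": "PROFILE_RO", "user_rw": "SUPERUSER"}
print(audit(parse_sessions(SAMPLE), EXPECTED))
```

Run against a saved copy of the session listing after each RADIUS policy change, so that a read-only account landing on a broader profile is caught before it is used.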
