You will need to consult the Fortinet Firewall documentation for the required attributes for a successful authorization.
We have not done any explicit testing with Fortinet products, but because ISE supports any standard RADIUS communications with Vendor Specific Attributes (VSAs), it should work. I searched for "fortinet radius authorization attributes" and found the Fortinet Knowledge Base article Fortinet RADIUS vendor-specific attributes (VSAs), which lists the following VSAs:
# Fortinet VSAs
VENDOR Fortinet 12356
ATTRIBUTE Fortinet-Group-Name 1 string
ATTRIBUTE Fortinet-Client-IP-Address 2 ipaddr
ATTRIBUTE Fortinet-Vdom-Name 3 string
ATTRIBUTE Fortinet-Access-Profile 6 string
# Integer Translations
I have also attached the above text as a plain text file named Fortinet_VSAs.txt for you to import into ISE.
To import these attributes into ISE:
1) Navigate to Policy > Policy Elements > Dictionaries
2) In the Dictionaries left panel, choose System > RADIUS > RADIUS Vendors
3) You should see a list of RADIUS Vendors that does not include Fortinet
4) Select Import
5) Browse... for the Fortinet_VSAs.txt file then click the Import button and acknowledge the dialog to import the file.
6) You should now see Fortinet in the RADIUS Vendors list, and all of the Fortinet attributes listed under the Dictionary Attributes tab.
So you can use these attributes in your ISE Authorization Profiles per the Fortinet requirements / recommendations.
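To make the dictionary above concrete, here is an added example (not from the post, Fortinet or Cisco) that parses that dictionary text and then encodes and decodes a RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26) carrying Fortinet VSAs, which is exactly what ISE will put on the wire once an Authorization Profile references these attributes. The function names and the sample values (group name "fw_admins", the client address) are constructed here; the dictionary text itself is copied from the post.

```python
"""Parse a FreeRADIUS-style VSA dictionary and encode/decode RADIUS
Vendor-Specific attributes (RFC 2865 section 5.26).

Added example, not from the original post or from Fortinet/Cisco. The
dictionary text is copied from the post; function names and sample
values (e.g. group "fw_admins") are constructed for illustration.
"""
import ipaddress
import struct

# Dictionary text copied from the post (FreeRADIUS dictionary format).
FORTINET_DICTIONARY = """
# Fortinet VSAs
VENDOR Fortinet 12356
ATTRIBUTE Fortinet-Group-Name 1 string
ATTRIBUTE Fortinet-Client-IP-Address 2 ipaddr
ATTRIBUTE Fortinet-Vdom-Name 3 string
ATTRIBUTE Fortinet-Access-Profile 6 string
# Integer Translations
"""

VENDOR_SPECIFIC = 26  # RADIUS attribute type that wraps all VSAs


def parse_dictionary(text):
    """Return (vendor_id, {name: (vendor_type, datatype)}, {vendor_type: name})."""
    vendor_id, by_name, by_type = None, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "VENDOR" and len(fields) == 3:
            vendor_id = int(fields[2])
        elif fields[0] == "ATTRIBUTE" and len(fields) == 4:
            name, vtype, dtype = fields[1], int(fields[2]), fields[3]
            by_name[name] = (vtype, dtype)
            by_type[vtype] = name
    if vendor_id is None:
        raise ValueError("dictionary has no VENDOR line")
    return vendor_id, by_name, by_type


def _encode_value(dtype, value):
    if dtype == "string":
        data = value.encode("utf-8")
    elif dtype == "ipaddr":
        data = ipaddress.IPv4Address(value).packed
    elif dtype == "integer":
        data = struct.pack("!I", int(value))
    else:
        raise ValueError(f"unsupported datatype {dtype}")
    # Attribute Length is one byte (max 255); 2 attr header + 4 vendor id
    # + 2 vendor sub-header leaves 247 bytes for the value.
    if not 1 <= len(data) <= 247:
        raise ValueError("value length out of range for a single VSA")
    return data


def encode_vsa(vendor_id, by_name, name, value):
    """Build one attribute: Type=26 | Length | Vendor-Id | Vendor-Type | Vendor-Length | value."""
    vtype, dtype = by_name[name]
    data = _encode_value(dtype, value)
    vendor_part = struct.pack("!BB", vtype, 2 + len(data)) + data
    header = struct.pack("!BB", VENDOR_SPECIFIC, 2 + 4 + len(vendor_part))
    return header + struct.pack("!I", vendor_id) + vendor_part


def decode_vsa(attr, vendor_id, by_name, by_type):
    """Parse one Vendor-Specific attribute into a list of (name, value).

    Every length byte is checked against the buffer before use; a decoder
    that trusts the on-wire length is a classic source of out-of-bounds reads.
    """
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vid = struct.unpack("!I", attr[2:6])[0]
    if vid != vendor_id:
        raise ValueError(f"unexpected vendor id {vid}")
    out, pos = [], 6
    while pos < len(attr):  # RFC 2865 allows several sub-attributes per VSA
        if pos + 2 > len(attr):
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 3 or pos + vlen > len(attr):
            raise ValueError("bad vendor sub-attribute length")
        data = attr[pos + 2:pos + vlen]
        name = by_type.get(vtype, f"Fortinet-Attr-{vtype}")
        dtype = by_name.get(name, (None, "octets"))[1]
        if dtype == "string":
            value = data.decode("utf-8")
        elif dtype == "ipaddr":
            value = str(ipaddress.IPv4Address(data))
        elif dtype == "integer":
            value = struct.unpack("!I", data)[0]
        else:
            value = data.hex()
        out.append((name, value))
        pos += vlen
    return out


if __name__ == "__main__":
    vid, by_name, by_type = parse_dictionary(FORTINET_DICTIONARY)
    attr = encode_vsa(vid, by_name, "Fortinet-Group-Name", "fw_admins")
    print(attr.hex(), decode_vsa(attr, vid, by_name, by_type))
```

Running the block prints the 17-byte attribute (0x1a, length 0x11, vendor id 0x3044, sub-type 1) and its decoded form; the decoder rejects a sub-attribute whose length byte overruns the buffer rather than reading past it.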
We do not test this 3rd-party device, so I can't tell how it is working exactly.
Remote Admin login with RADIUS, selecting an admin access account profile, looks like it allows using RADIUS to perform device admin, so ...
- Import or define the RADIUS vendor dictionary for FortiGate, as Thomas showed
- Define an allowed-protocols set, or use the existing one, to match what is configured in FortiGate
- Define an authorization profile that returns the required vendor attributes. An example is shown in the screenshot
- Define a Network Device Group for FortiGate
- Define a Network Device for FortiGate and specify (4) as its group
- Define some internal users or add external ID sources and/or define an ID source sequence
- Create a policy set to condition on (4)
- In the default authentication policy rule, use (6) as the ID source. Or, you may create additional rules as needed.
- In the default authorization policy rule, use (3) as the result. Or, you may create additional rules as needed.