Integrate with Cisco ISE
Topology
This topic assumes Cisco ISE is already deployed as the NAC solution and that the access switch has RADIUS Change of Authorization (CoA) enabled. CoA is what allows ISE to re-authorize an existing session when FortiDeceptor changes its quarantine state; without it, the endpoint keeps its current access until it re-authenticates.
To integrate FortiDeceptor with Cisco ISE:
- Configure Cisco ISE.
- Configure the Authorization Policy.
- Check the configuration.
- Configure FortiDeceptor.
- Quarantine the endpoint.
- Un-quarantine the endpoint.
1. Configure Cisco ISE
1.1 Configure the ERS on Cisco ISE
Refer to the Cisco developer documentation for enabling the External RESTful Services (ERS) interface and creating an ERS admin account on Cisco ISE. The account must have REST API access enabled; FortiDeceptor uses it to call the Cisco ISE API that quarantines and un-quarantines attackers by IP address. Treat its credentials as sensitive: grant the account the ERS Admin role only, and make sure FortiDeceptor reaches ISE over HTTPS, because the API authenticates with HTTP basic credentials.
1.2 Create a new policy in Cisco ISE
- In Cisco ISE, go to Policy > Policy Sets.
- Click the + button, and type a name such as Fortinet Policy in the Policy Set Name field.
- In the Conditions column, click +.
- In Conditions Studio, click Click to add an attribute.
- In the Editor pop-up window, type device type.
- In the Attribute box, click Choose from list or type and select All Device Types.
- Click Use.
The new policy set will look like the image below: a policy set named Fortinet Policy whose condition matches all device types.
2. Configure the Authorization Policy
- In the View column, click the arrow >.
- Click + on the left side of the Status column. A new authorization rule is created.
- In the Rule Name column, enter a name such as ftnt_EPS_quarantine.
- In the Conditions column, click +.
- In Conditions Studio, in the Editor, click Click to add an attribute.
- In the Attribute box, type EPS and select EPSStatus.
- Click Choose from list or type and select Quarantine from the dropdown list.
- Click Use.
- In the Profiles column, select DenyAccess, so that a session whose EPSStatus is Quarantine is denied network access.
3. Check the configuration
If every network component is configured properly, the endpoint authenticates successfully. On the Windows 10 endpoint, open a Command Prompt, run ipconfig to verify that an IP address has been acquired, and ping the DHCP server to verify that it is reachable.
In Cisco ISE, go to Operations > RADIUS > Live Logs. The endpoint's authentication should be displayed.
4. Configure FortiDeceptor
- In FortiDeceptor, go to Fabric > Quarantine Integration and click Quarantine Integration With New Device.
- Configure the integration settings (the Cisco ISE address and the ERS admin credentials from step 1.1) and click Save.
- Verify the Status is Ready.
5. Quarantine the endpoint
- From the endpoint, attack a decoy deployed by FortiDeceptor. When FortiDeceptor detects the attack, it sends a quarantine REST API request containing the endpoint's IP address to Cisco ISE.
- In FortiDeceptor, go to Fabric > Quarantine Status to verify the quarantine was successful.
- On the endpoint, the network adapter status changes to Authentication failed and the DHCP server is no longer pingable.
- In Cisco ISE, go to Operations > RADIUS > Live Logs.
- In the Authorization Profiles column, PermitAccess is replaced by DenyAccess.
- In the Authorization Policy column, Fortinet Policy >> Default changes to Fortinet Policy >> ftnt_EPS_quarantine.
6. Un-quarantine the endpoint
After 120 seconds, FortiDeceptor sends an un-quarantine REST API request to Cisco ISE. At the same time, the Status on the Quarantine Status page changes to Quarantine stopped.
On the endpoint, the network adapter status becomes Resumed and the DHCP server is pingable again.
In Cisco ISE, go to Operations > RADIUS > Live Logs:
- In the Authorization Profiles column, DenyAccess changes to PermitAccess.
- In the Authorization Policy column, Fortinet Policy >> ftnt_EPS_quarantine changes to Fortinet Policy >> Default.
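The following script is an added example, not FortiDeceptor's or Cisco's code, for reproducing by hand the quarantine and un-quarantine calls described in steps 5 and 6 so you can check the ISE side of the integration without waiting for a decoy to be attacked. The page does not say which ISE API FortiDeceptor calls; the example assumes the EPS REST calls PUT /ise/eps/QuarantineByIP/<ip> and PUT /ise/eps/UnQuarantineByIP/<ip>, which are what the EPSStatus condition in the authorization rule keys on. The host name, account, monitored networks and CA file are placeholders.

```python
"""Manually issue the ISE EPS quarantine / un-quarantine calls (added example)."""
import base64
import ipaddress
import ssl
import urllib.request

# Placeholders (assumptions): replace with your ISE node and ERS admin account.
ISE_HOST = "ise.example.internal"
ERS_USER = "ftdc-ers"
ERS_PASS = "change-me"

# EPS call names assumed here; the page does not name the API FortiDeceptor uses.
EPS_ACTIONS = {"quarantine": "QuarantineByIP", "unquarantine": "UnQuarantineByIP"}


def is_quarantinable_ip(ip, monitored_nets):
    """True only for a unicast address inside the monitored networks.

    ISE maps an IP to a RADIUS session using accounting data, so loopback,
    multicast, link-local or off-network addresses (for example a spoofed
    source seen by a decoy) never match a session and only generate noise.
    """
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified or addr.is_link_local:
        return False
    return any(addr in ipaddress.ip_network(net) for net in monitored_nets)


def build_eps_request(action, ip, host=ISE_HOST, user=ERS_USER, password=ERS_PASS):
    """Return (method, url, headers) for one EPS call.

    The EPS API authenticates with HTTP basic credentials, so the request must
    travel over TLS and the account should hold the ERS Admin role only.
    """
    if action not in EPS_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    url = f"https://{host}/ise/eps/{EPS_ACTIONS[action]}/{ip}"
    headers = {"Authorization": f"Basic {token}", "Accept": "application/xml"}
    return "PUT", url, headers


def send_eps_request(action, ip, cafile, timeout=10):
    """Perform the call, verifying the ISE certificate against the given CA file."""
    method, url, headers = build_eps_request(action, ip)
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    import sys
    import time

    target = sys.argv[1]
    # Monitored networks and CA file are assumptions for the example.
    if not is_quarantinable_ip(target, ["10.0.0.0/8"]):
        sys.exit(f"{target} is not a quarantinable endpoint address")
    print(send_eps_request("quarantine", target, cafile="ise-ca.pem"))
    time.sleep(120)  # the same hold time the page describes before release
    print(send_eps_request("unquarantine", target, cafile="ise-ca.pem"))
```

While the script sleeps, check the endpoint and the Live Logs exactly as in step 5 (DenyAccess, rule ftnt_EPS_quarantine); after the release call, the session should return to PermitAccess under the Default rule as in step 6. If the quarantine call succeeds but the endpoint keeps its access, the usual cause is CoA not reaching the switch rather than the API call itself.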