Fortinet white logo
Fortinet white logo

External Systems Configuration Guide

Cisco Identity Solution Engine (ISE)

Cisco Identity Solution Engine (ISE)

Integration points

Protocol Information Discovered Used For
Syslog AAA log - authentication Security and Compliance

Configuring Cisco ISE

Follow Cisco ISE documentation to send syslog to FortiSIEM.

Configuring FortiSIEM

FortiSIEM automatically recognizes Cisco ISE syslog as long it follows the following format as shown in the sample syslog:

<181>Sep 21 06:50:51 fcmb-hq-psn01 CISE_Passed_Authentications 0000066354 3 0 2016-09-21 06:50:51.516 +01:00 2915312533 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=287, Device IP Address=1.1.1.1, DestinationIPAddress=1.1.1.2, DestinationPort=1812, UserName=00-15-65-20-33-E5, Protocol=Radius, RequestLatency=33, NetworkDeviceName=ACME, User-Name=johndoe, NAS-IP-Address=1.1.1.2, NAS-Port=50009, Service-Type=Call Check, Framed-IP-Address=1.1.1.2, Framed-MTU=1500, Called-Station-ID=38-1C-1A-87-87-09, Calling-Station-ID=00-15-65-20-33-E5, NAS-Port-Type=Ethernet, NAS-Port-Id=FastEthernet0/9, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=AC1B35F8000001240FC38F8A, OriginalUserName=0015652033e5, AcsSessionID=fcmb-hq-psn01/251903157/22970712, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=IP_Phones,

Access Credentials

For Device Type Cisco Identity Solutions Engine, see Access Credentials.

Parsing and Events

Over 20 events are parsed – see event Types in Resources > Event Types and search for 'Cisco-ISE'.

Cisco Identity Solution Engine (ISE)

Cisco Identity Solution Engine (ISE)

Integration points

Protocol Information Discovered Used For
Syslog AAA log - authentication Security and Compliance

Configuring Cisco ISE

Follow Cisco ISE documentation to send syslog to FortiSIEM.

Configuring FortiSIEM

FortiSIEM automatically recognizes Cisco ISE syslog as long it follows the following format as shown in the sample syslog:

<181>Sep 21 06:50:51 fcmb-hq-psn01 CISE_Passed_Authentications 0000066354 3 0 2016-09-21 06:50:51.516 +01:00 2915312533 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=287, Device IP Address=1.1.1.1, DestinationIPAddress=1.1.1.2, DestinationPort=1812, UserName=00-15-65-20-33-E5, Protocol=Radius, RequestLatency=33, NetworkDeviceName=ACME, User-Name=johndoe, NAS-IP-Address=1.1.1.2, NAS-Port=50009, Service-Type=Call Check, Framed-IP-Address=1.1.1.2, Framed-MTU=1500, Called-Station-ID=38-1C-1A-87-87-09, Calling-Station-ID=00-15-65-20-33-E5, NAS-Port-Type=Ethernet, NAS-Port-Id=FastEthernet0/9, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=AC1B35F8000001240FC38F8A, OriginalUserName=0015652033e5, AcsSessionID=fcmb-hq-psn01/251903157/22970712, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=IP_Phones,

Access Credentials

For Device Type Cisco Identity Solutions Engine, see Access Credentials.

Parsing and Events

Over 20 events are parsed – see event Types in Resources > Event Types and search for 'Cisco-ISE'.