ClearPass Policy Manager (CCPM) is a network access system that can send information about authenticated users to third party systems, such as a FortiGate or FortiManager.
In this example, communications are established between CCPM and FortiManager, and then the FortiManager forwards information to a managed FortiGate. On the FortiGate, the user information can be used in firewall policies and added to FSSO dynamic addresses.
Establish communications between FortiManager and CPPM so that FortiManager can synchronize CPPM user groups. See Creating a ClearPass connector in the FortiManager Administration Guide.
FortiManager forwards the group information to managed FortiGates.
- On the FortiGate, go to User & Device > User Groups.
- Click Create New.
- Enter a name for the group and set Type to Fortinet Single Sign-On (FSSO).
- Click the Members field, and add one or more FSSO groups.
FSSO groups can come from multiple sources; CPPM FSSO groups are prefixed with cp_ and are listed under the FortiManager heading.
- Click OK.
config user group edit fsso-group set group-type fsso-service set member "cp_test_[Employee]" "cp_test_FSSOROLE" next end
- Go to Policy & Objects > IPv4 Policy.
- Create a new policy, or edit an existing one.
- Click in the Source field and add the fsso-group user group.
CPPM user groups can also be added directly to the policy.
- Click OK.
config firewall policy edit 1 set name "pol1" set uuid 2b88ed8a-c906-51e9-fb25-8cb12172acd8 set srcintf "port2" set dstintf "port3" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic all set groups "fsso-group" set nat enable next end
- Log on to the client and authenticate with CPPM.
After successful authentication, the user is added to the FSSO list on the FortiGate.
- On the FortiGate, go to Monitor > Firewall User Monitor to verify that the user was added.
The user group cp_test_FSSOROLE is listed separately because the user is a member of that group on the CPPM.
- Log on to the client and browse to an external website.
- On the FortiGate, go to FortiView > Sources.
- Double-click on the user and select the Destinations tab to verify that traffic is being passed by the firewall.
show user adgrp config user adgrp edit "cp_test_FSSOROLE" set server-name "FortiManager" next edit "cp_test_[AirGroup v1]" set server-name "FortiManager" next edit "cp_test_[AirGroup v2]" set server-name "FortiManager" next edit "cp_test_[Aruba TACACS read-only Admin]" set server-name "FortiManager" next edit "cp_test_[Aruba TACACS root Admin]" set server-name "FortiManager" next edit "cp_test_[BYOD Operator]" set server-name "FortiManager" next edit "cp_test_[Contractor]" set server-name "FortiManager" next edit "cp_test_[Device Registration]" set server-name "FortiManager" next ... edit "CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM" set server-name "Local FSSO Agent" <----- !!! next end