Fortinet white logo
Fortinet white logo

Cookbook

ClearPass endpoint connector via FortiManager

ClearPass endpoint connector via FortiManager

ClearPass Policy Manager (CPPM) is a network access system that can send information about authenticated users to third party systems, such as a FortiGate or FortiManager.

In this example, communications are established between CPPM and FortiManager, and then the FortiManager forwards information to a managed FortiGate. On the FortiGate, the user information can be used in firewall policies and added to FSSO dynamic addresses.

Configure the FortiManager

Establish communications between FortiManager and CPPM so that FortiManager can synchronize CPPM user groups. See Creating a ClearPass connector in the FortiManager Administration Guide.

FortiManager forwards the group information to managed FortiGates.

Add CPPM FSSO user groups to a local user group

To add CPPM user groups to a local user group in the GUI:
  1. On the FortiGate, go to User & Device > User Groups.
  2. Click Create New.
  3. Enter a name for the group and set Type to Fortinet Single Sign-On (FSSO).
  4. Click the Members field, and add one or more FSSO groups.

    FSSO groups can come from multiple sources; CPPM FSSO groups are prefixed with cp_ and are listed under the FortiManager heading.

  5. Click OK.
To add CPPM user groups to a local user group in the CLI:
config user group
    edit fsso-group
        set group-type fsso-service
        set member "cp_test_[Employee]" "cp_test_FSSOROLE"
    next
end

Use the local FSSO user group in a firewall policy

To add the local FSSO user group to a firewall policy in the GUI:
  1. Go to Policy & Objects > IPv4 Policy.
  2. Create a new policy, or edit an existing one.
  3. Click in the Source field and add the fsso-group user group.

    CPPM user groups can also be added directly to the policy.

  4. Click OK.
To add the local FSSO user group to a firewall policy in the CLI:
config firewall policy
    edit 1
        set name "pol1"
        set uuid 2b88ed8a-c906-51e9-fb25-8cb12172acd8
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "fsso-group"
        set nat enable
    next
end

Verification

To verify that a user was added to the FSSO list on the FortiGate:
  1. Log on to the client and authenticate with CPPM.

    After successful authentication, the user is added to the FSSO list on the FortiGate.

  2. On the FortiGate, go to Monitor > Firewall User Monitor to verify that the user was added.

    The user group cp_test_FSSOROLE is listed separately because the user is a member of that group on the CPPM.

To verify that traffic can pass the firewall:
  1. Log on to the client and browse to an external website.
  2. On the FortiGate, go to FortiView > Sources.
  3. Double-click on the user and select the Destinations tab to verify that traffic is being passed by the firewall.
To verify the user address groups:
show user adgrp
    config user adgrp
        edit "cp_test_FSSOROLE"
            set server-name "FortiManager"
        next
        edit "cp_test_[AirGroup v1]"
            set server-name "FortiManager"
        next
        edit "cp_test_[AirGroup v2]"
            set server-name "FortiManager"
        next
        edit "cp_test_[Aruba TACACS read-only Admin]"
            set server-name "FortiManager"
        next
        edit "cp_test_[Aruba TACACS root Admin]"
            set server-name "FortiManager"
        next
        edit "cp_test_[BYOD Operator]"
            set server-name "FortiManager"
        next
        edit "cp_test_[Contractor]"
            set server-name "FortiManager"
        next
        edit "cp_test_[Device Registration]"
            set server-name "FortiManager"
        next
        ...
        edit "CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM"
            set server-name "Local FSSO Agent"   <----- !!!
        next
    end

Related Videos

sidebar video

Fabric Connector: ClearPass

  • 3,836 views
  • 5 years ago

More Links

ClearPass endpoint connector via FortiManager

ClearPass endpoint connector via FortiManager

ClearPass Policy Manager (CPPM) is a network access system that can send information about authenticated users to third party systems, such as a FortiGate or FortiManager.

In this example, communications are established between CPPM and FortiManager, and then the FortiManager forwards information to a managed FortiGate. On the FortiGate, the user information can be used in firewall policies and added to FSSO dynamic addresses.

Configure the FortiManager

Establish communications between FortiManager and CPPM so that FortiManager can synchronize CPPM user groups. See Creating a ClearPass connector in the FortiManager Administration Guide.

FortiManager forwards the group information to managed FortiGates.

Add CPPM FSSO user groups to a local user group

To add CPPM user groups to a local user group in the GUI:
  1. On the FortiGate, go to User & Device > User Groups.
  2. Click Create New.
  3. Enter a name for the group and set Type to Fortinet Single Sign-On (FSSO).
  4. Click the Members field, and add one or more FSSO groups.

    FSSO groups can come from multiple sources; CPPM FSSO groups are prefixed with cp_ and are listed under the FortiManager heading.

  5. Click OK.
To add CPPM user groups to a local user group in the CLI:
config user group
    edit fsso-group
        set group-type fsso-service
        set member "cp_test_[Employee]" "cp_test_FSSOROLE"
    next
end

Use the local FSSO user group in a firewall policy

To add the local FSSO user group to a firewall policy in the GUI:
  1. Go to Policy & Objects > IPv4 Policy.
  2. Create a new policy, or edit an existing one.
  3. Click in the Source field and add the fsso-group user group.

    CPPM user groups can also be added directly to the policy.

  4. Click OK.
To add the local FSSO user group to a firewall policy in the CLI:
config firewall policy
    edit 1
        set name "pol1"
        set uuid 2b88ed8a-c906-51e9-fb25-8cb12172acd8
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "fsso-group"
        set nat enable
    next
end

Verification

To verify that a user was added to the FSSO list on the FortiGate:
  1. Log on to the client and authenticate with CPPM.

    After successful authentication, the user is added to the FSSO list on the FortiGate.

  2. On the FortiGate, go to Monitor > Firewall User Monitor to verify that the user was added.

    The user group cp_test_FSSOROLE is listed separately because the user is a member of that group on the CPPM.

To verify that traffic can pass the firewall:
  1. Log on to the client and browse to an external website.
  2. On the FortiGate, go to FortiView > Sources.
  3. Double-click on the user and select the Destinations tab to verify that traffic is being passed by the firewall.
To verify the user address groups:
show user adgrp
    config user adgrp
        edit "cp_test_FSSOROLE"
            set server-name "FortiManager"
        next
        edit "cp_test_[AirGroup v1]"
            set server-name "FortiManager"
        next
        edit "cp_test_[AirGroup v2]"
            set server-name "FortiManager"
        next
        edit "cp_test_[Aruba TACACS read-only Admin]"
            set server-name "FortiManager"
        next
        edit "cp_test_[Aruba TACACS root Admin]"
            set server-name "FortiManager"
        next
        edit "cp_test_[BYOD Operator]"
            set server-name "FortiManager"
        next
        edit "cp_test_[Contractor]"
            set server-name "FortiManager"
        next
        edit "cp_test_[Device Registration]"
            set server-name "FortiManager"
        next
        ...
        edit "CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM"
            set server-name "Local FSSO Agent"   <----- !!!
        next
    end