ClearPass endpoint connector via FortiManager
ClearPass Policy Manager (CPPM) is a network access system that can send information about authenticated users to third-party systems, such as a FortiGate or FortiManager.
In this example, communications are established between CPPM and FortiManager, and then the FortiManager forwards information to a managed FortiGate. On the FortiGate, the user information can be used in firewall policies and added to FSSO dynamic addresses.
Configure the FortiManager
Establish communications between FortiManager and CPPM so that FortiManager can synchronize CPPM user groups. See Creating a ClearPass connector in the FortiManager Administration Guide.
FortiManager forwards the group information to managed FortiGates.
Adding CPPM FSSO user groups to a local user group
To add CPPM user groups to a local user group in the GUI:
- On the FortiGate, go to User & Authentication > User Groups.
- Click Create New.
- Enter a name for the group and set Type to Fortinet Single Sign-On (FSSO).
- Click the Members field, and add one or more FSSO groups.
FSSO groups can come from multiple sources; CPPM FSSO groups are prefixed with cp_ and are listed under the FortiManager heading.
- Click OK.
To add CPPM user groups to a local user group in the CLI:
config user group
    edit fsso-group
        set group-type fsso-service
        set member "cp_test_[Employee]" "cp_test_FSSOROLE"
    next
end
Using the local FSSO user group in a firewall policy
To add the local FSSO user group to a firewall policy in the GUI:
- Go to Policy & Objects > Firewall Policy.
- Create a new policy, or edit an existing one.
- Click in the Source field and add the fsso-group user group.
CPPM user groups can also be added directly to the policy.
- Click OK.
To add the local FSSO user group to a firewall policy in the CLI:
config firewall policy
    edit 1
        set name "pol1"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "fsso-group"
        set nat enable
    next
end
Verification
To verify that a user was added to the FSSO list on the FortiGate:
- Log on to the client and authenticate with CPPM.
After successful authentication, the user is added to the FSSO list on the FortiGate.
- On the FortiGate, go to Monitor > Firewall User Monitor to verify that the user was added.
The user group cp_test_FSSOROLE is listed separately because the user is a member of that group on the CPPM.
To verify that traffic can pass the firewall:
- Log on to the client and browse to an external website.
- On the FortiGate, go to FortiView > Sources.
- Double-click on the user and select the Destinations tab to verify that traffic is being passed by the firewall.
To verify the user address groups:
show user adgrp
config user adgrp
    edit "cp_test_FSSOROLE"
        set server-name "FortiManager"
    next
    edit "cp_test_[AirGroup v1]"
        set server-name "FortiManager"
    next
    edit "cp_test_[AirGroup v2]"
        set server-name "FortiManager"
    next
    edit "cp_test_[Aruba TACACS read-only Admin]"
        set server-name "FortiManager"
    next
    edit "cp_test_[Aruba TACACS root Admin]"
        set server-name "FortiManager"
    next
    edit "cp_test_[BYOD Operator]"
        set server-name "FortiManager"
    next
    edit "cp_test_[Contractor]"
        set server-name "FortiManager"
    next
    edit "cp_test_[Device Registration]"
        set server-name "FortiManager"
    next
    ...
    edit "CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM"
        set server-name "Local FSSO Agent"    <----- !!!
    next
end
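The point of the `show user adgrp` check is that every CPPM-sourced group (prefixed `cp_`) should carry `server-name "FortiManager"`, while groups from other collectors carry a different server name. The following Python is an added example, not part of the Fortinet documentation: it parses a constructed sample of that CLI output, tallies groups per server, and flags any `cp_` group that did not arrive through FortiManager.

```python
import re

# Constructed sample of `show user adgrp` output, modelled on the
# verification step above (not captured from a real FortiGate).
SAMPLE_ADGRP = """\
config user adgrp
    edit "cp_test_FSSOROLE"
        set server-name "FortiManager"
    next
    edit "cp_test_[Contractor]"
        set server-name "FortiManager"
    next
    edit "CN=group1,OU=Testing,DC=Fortinet-FSSO,DC=COM"
        set server-name "Local FSSO Agent"
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit\s+"(.*)"\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"(.*)"\s*$')

def parse_adgrp(text):
    """Return {group_name: {attribute: value}} from a `config user adgrp` block."""
    groups, current = {}, None
    for line in text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)          # group names may contain spaces and brackets
            groups[current] = {}
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            groups[current][m.group(1)] = m.group(2)
        elif line.strip() == "next":
            current = None                # end of the current edit block
    return groups

def groups_by_server(groups):
    """Map each server-name to the sorted list of groups it delivered."""
    out = {}
    for name, attrs in groups.items():
        out.setdefault(attrs.get("server-name", "?"), []).append(name)
    return {k: sorted(v) for k, v in out.items()}

def cppm_groups_not_from_fortimanager(groups):
    """cp_-prefixed groups should come via FortiManager; return any that do not."""
    return sorted(n for n, a in groups.items()
                  if n.startswith("cp_") and a.get("server-name") != "FortiManager")
```

Feed it the real output (for example, pasted from an SSH session) and an empty result from `cppm_groups_not_from_fortimanager` confirms the CPPM groups are being learned through the FortiManager connector.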