ClearPass SSO/Identity Connector
ClearPass Connector is now supported for SSO/Identity integration.
ClearPass connector for FortiManager centralizes updates from ClearPass for all managed FortiGate devices, and leverages the efficient FSSO protocol to apply dynamic policy updates to FortiGate.
Requirements:
- FortiManager version 5.6 ADOM or later. The method described in this topic for creating fabric connectors requires version 6.0 ADOM or later.
- FortiGate is managed by FortiManager.
- The managed FortiGate unit is configured to work with ClearPass.
- The FortiManager JSON API is exposed so that ClearPass can call it.
Complete the following tasks to configure a ClearPass SSO/Identity connector:
- Configure the ClearPass server. See Configuring ClearPass server.
- Configure FortiManager. See Configuring FortiManager.
Configuring ClearPass server
To configure ClearPass server:
- Log on to the ClearPass Policy Manager.
- Create Roles. Go to Configuration > Identity > Roles > Add. Specify the name as mytest1. FortiManager will receive this role as an Active Directory group. The Description field is optional.
- Create local users. Go to Configuration > Identity > Local Users > Add. Configure the following:
- User ID - specify the user ID as test1.
- Name - specify the name as testUser1.
- Password - specify the password as qa1234.
- Enable - select the check box.
- Role - specify the role as mytest1 (created in step 1).
- Add Ubuntu Simulator. Go to Configuration > Network > Devices > Add. Configure the following settings:
- Name: specify the name as Ubuntu_test.
- IP or Subnet Address: specify as 10.3.113.61.
- RADIUS Shared Secret: specify as qa1234.
- Vendor name: specify as Unix.
- Configure FortiManager to get packets from ClearPass.
- Create Endpoint Context Server Action for FortiManager. Go to Administration > Dictionaries > Context Server Actions > Add. Create a Login action.
- Configure the following settings in the Action tab:
- Server Type: select Generic HTTP.
- Server Name: specify 10.3.113.57. This is the IP address of FortiManager.
- Action Name: specify as Frank-FMG-login.
- Description: inform FortiManager that the user logged on.
- HTTP Method: select POST.
- Authentication Method: select Basic.
- URL: specify /jsonrpc/connector/user/login
- Configure the following settings in the Header tab:
- Header Name: specify as Content-Type.
- Header Value: specify as application/json.
- Content-Type: select JSON.
- Content: specify the following:
{
"adom": "root",
"connector": "test",
"user": "%{Authentication:Username}",
"role": "%{Tips:Role}",
"ip-addr": "%{ip}"
}
The "connector" value must be the name of the connector created on FortiManager.
- Create Endpoint Context Server Action for FortiManager. Go to Administration > Dictionaries > Context Server Actions > Add. Create a Logout action.
- Configure the following settings in the Action tab:
- Server Type: select Generic HTTP.
- Server Name: specify 10.3.113.57. This is the IP address of FortiManager.
- Action Name: specify as Frank-FMG-logout.
- Description: inform FortiManager that the user logged out.
- HTTP Method: select POST.
- Authentication Method: select Basic.
- URL: specify /jsonrpc/connector/user/logout
- Configure the following settings in the Header tab:
- Header Name: specify as Content-Type.
- Header Value: specify as application/json.
- Content-Type: select JSON.
- Content: specify the following:
{
"adom": "root",
"connector": "test",
"user": "%{Authentication:Username}",
"role": "%{Tips:Role}",
"ip-addr": "%{ip}"
}
The "connector" value must be the name of the connector created on FortiManager.
- Add FortiManager as the Endpoint Context Server. Go to Administration > External Servers > Endpoint Context Servers > Add. Configure the following settings:
- Server Type: select Generic HTTP.
- Server Name: specify 10.3.113.57. This is the FortiManager IP address.
- Authentication Method: select Basic.
- Username: specify admin. This is the administrator on FortiManager.
- Verify that the actions have been added to the server. Go to Administration > External Servers > Endpoint Context Servers > 10.3.113.57 > Actions. Frank-FMG-login and Frank-FMG-logout are now listed.
- Create profile. Go to Configuration > Enforcement > Profiles > Add.
- Configure the following settings in the Profile tab:
- Template: select Session Notification Management.
- Name: specify FortiManager Login and Logout.
- Description: specify FortiManager - Initial SSO integration testing.
- Type: select Post_Authentication.
- Configure the following settings in the Attributes tab:
Type            Name            Value
Session-Notify  Server Type     Generic HTTP
Session-Notify  Login Action    Frank-FMG-login
Session-Notify  Logout Action   Frank-FMG-logout
Session-Notify  Server IP       10.3.113.57 (FortiManager IP)
- Create a Policy. Go to Configuration > Enforcement > Policies > Add.
- Configure the following settings in the Enforcement tab.
- Name: specify FortiManager testing.
- Enforcement Type: select RADIUS.
- Default profile: Allow Access Profile.
- Configure the following settings in the Rules tab:
- Type: select Date.
- Name: select Date-Time.
- Operation: select EXISTS.
- Profile Names: [Post Authentication][FortiManager-Login and Logout]
- Create API Client. Log on from ClearPass Guest.
- Go to Administration > API Services > API Clients > Create API Client. Configure the following:
- Client ID: specify as test.
- Description: FortiManager logs on from this client.
- Operator Profile: Select Super Administrator.
- Grant Type: select Username and password credentials (grant type=password).
- Public Client: select the check box.
- Refresh Tokens: select the check box.
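The Login and Logout actions above amount to one HTTP exchange: ClearPass renders the Content template by substituting its %{...} session attributes, then POSTs the JSON body with Basic authentication to /jsonrpc/connector/user/login or /logout on FortiManager. The following is an added example, not code from Aruba or Fortinet, that builds that request offline and checks the rendered body before it is pointed at a real FortiManager. It assumes the placeholder names resolve one-to-one to session attributes (the sample attribute values are constructed) and that a body is acceptable when all five fields are present, the connector name matches the Fabric connector configured on FortiManager, and ip-addr is a valid address; FortiManager's own validation rules are not documented on this page.

```python
import base64
import ipaddress
import json
import re

# The Content template exactly as entered in the ClearPass Endpoint Context
# Server Action. Placeholders use the ClearPass %{...} syntax.
CONTENT_TEMPLATE = (
    '{ "adom": "root", "connector": "test", '
    '"user": "%{Authentication:Username}", '
    '"role": "%{Tips:Role}", "ip-addr": "%{ip}" }'
)

REQUIRED_KEYS = ("adom", "connector", "user", "role", "ip-addr")
PLACEHOLDER = re.compile(r"%\{([^}]+)\}")


def render_content(template, attributes):
    """Substitute %{...} placeholders with session attribute values.
    `attributes` is a dict standing in for the session context ClearPass has at
    post-authentication time (assumption: placeholder names map 1:1 to keys).
    Each value is JSON-escaped so a username containing a quote cannot break
    the body that reaches FortiManager."""
    def sub(match):
        name = match.group(1)
        if name not in attributes:
            raise KeyError("unresolved ClearPass attribute: " + name)
        # json.dumps adds surrounding quotes; the template already has them
        return json.dumps(str(attributes[name]))[1:-1]
    return PLACEHOLDER.sub(sub, template)


def build_request(fmg_host, action, content, username, password):
    """Assemble the POST that the Login/Logout action sends to FortiManager:
    Basic auth with the FortiManager administrator, JSON content type, and the
    /jsonrpc/connector/user/<action> path from the action configuration."""
    if action not in ("login", "logout"):
        raise ValueError("action must be login or logout")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {
        "method": "POST",
        "host": fmg_host,
        "path": f"/jsonrpc/connector/user/{action}",
        "headers": {
            "Authorization": "Basic " + token,
            "Content-Type": "application/json",
        },
        "body": content.encode(),
    }


def validate_payload(body, expected_connector):
    """Check a rendered body against what the FortiManager side needs: valid
    JSON object, every required field present and non-empty, connector name
    equal to the Fabric connector name configured on FortiManager, and a real
    IP address in ip-addr. Returns a list of problems; empty means acceptable."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc}"]
    if not isinstance(payload, dict):
        return ["body is not a JSON object"]
    problems = []
    for key in REQUIRED_KEYS:
        if not payload.get(key):
            problems.append(f"missing or empty field: {key}")
    if payload.get("connector") != expected_connector:
        problems.append("connector name %r does not match FortiManager connector %r"
                        % (payload.get("connector"), expected_connector))
    try:
        ipaddress.ip_address(payload.get("ip-addr", ""))
    except ValueError:
        problems.append("ip-addr is not a valid IP address")
    return problems


# Constructed session attributes for the user, role and device created in this topic.
SAMPLE_SESSION = {
    "Authentication:Username": "test1",
    "Tips:Role": "mytest1",
    "ip": "10.3.113.61",
}

if __name__ == "__main__":
    body = render_content(CONTENT_TEMPLATE, SAMPLE_SESSION)
    req = build_request("10.3.113.57", "login", body, "admin", "<FMG admin password>")
    print(req["method"], req["path"], req["headers"]["Content-Type"])
    print(body)
    print("problems:", validate_payload(body, "test"))
```

Running validate_payload with the connector name you intend to give the FortiManager fabric connector catches the most common misconfiguration in this topic, a "connector" value in the ClearPass Content that does not match the connector Name on FortiManager, before any user session is sent.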
Configuring FortiManager
To configure FortiManager:
- Log on to FortiManager.
- Launch the command line and execute the following:
config system admin user
edit admin
set rpc-permit read-write
end
- Create FortiManager GUI connector. Go to Fabric View > Create New. Select aruba ClearPass. Click Next.
- Configure the following settings:
- Name: specify the name as test. This name must be the same as the one used in ClearPass under Endpoint Context Server Actions > Frank-FMG-login/Frank-FMG-logout > Content > "connector": "test".
- Status: toggle to ON.
- Server: specify the IP as 10.3.113.102. This is the ClearPass IP.
- Client: specify as test. This is the name of the API Client created in ClearPass Guest.
- User: specify as admin. This is the ClearPass login name.
- Password: specify as Qa1234. This is the ClearPass password.
- Get the roles and users from ClearPass. Go to Policy & Objects > Object Configurations > Fabric Connectors > SSO/Identity. Select the connector and click Import, or edit it and then click Apply & Refresh. FortiManager then retrieves the roles and users from ClearPass. A green indicator shows that the user has logged on.
- Install the AD group from ClearPass to FortiGate. Go to Policy & Objects > Object Configurations > User & Devices > User Groups. Create a user group with the type FSSO/SSO Connectors and select the ClearPass AD group as the member. Use the user group in a policy and install it to FortiGate.