Fortinet white logo
Fortinet white logo

ClearPass SSO/Identity Connector

ClearPass SSO/Identity Connector

ClearPass Connector is now supported for SSO/Identity integration.

ClearPass connector for FortiManager centralizes updates from ClearPass for all managed FortiGate devices, and leverages the efficient FSSO protocol to apply dynamic policy updates to FortiGate.

Requirements:

  • FortiManager version 5.6 ADOM or later.

    The method described in this topic for creating fabric connectors requires version 6.0 ADOM or later.

  • FortiGate is managed by FortiManager.
  • The managed FortiGate unit is configured to work with ClearPass.
  • Expose JSON API allowing ClearPass to call it.

Complete the following tasks to configure a ClearPass SSO/Identify connector:

  1. Configure the ClearPass server. See Configuring ClearPass server.
  2. Configure FortiManager. See Configuring FortiManager.

Configuring ClearPass server

To configure ClearPass server:
  1. Log on to the ClearPass Policy Manager.

  2. Create Roles. Go to Configuration > Identity > Roles > Add. Specify the name as mytest1. FortiManager will get this group as an Active Directory group. The Description field is optional.

  3. Create local users. Go to Configuration > Identity > Local Users > Add. Configure the following:

    • User ID - specify the user ID as test1.
    • Name - specify the name as testUser1.
    • Password - specify the password as qa1234.
    • Enable - select the check box.
    • Role - specify the role as mytest1 (created in step 1).
  4. Add Ubuntu Simulator. Go to Configuration > Network > Devices > Add. Configure the following settings:

    • Name: specify the name as Ubuntu_test.
    • IP or Subnet Address: specify as 10.3.113.61.
    • RADIUS Shared Secret: specify as qa1234.
    • Vendor name: specify as Unix.
  5. Configure FortiManager to get packets from ClearPass.
  6. Create Endpoint Context Server Action for FortiManager. Go to Administration > Dictionaries > Context Server Actions > Add. Create a Login action.
  7. Configure the following settings in the Action tab:

    • Server Type: select Generic HTTP.
    • Server Name: specify 10.3.113.57. The is the IP address of FortiManager.
    • Action Name: specify as Frank-FMG-login.
    • Description: inform FortiManager that the user logged on.
    • HTTP Method: select POST.
    • Authentication Method: select Basic.
    • URL: specify /jsonrpc/connector/user/login
  8. Configure the following settings in the Header tab:

    • Header Name: specify as Content-Type.
    • Header Value: specify as application/json.
    • Content-Type: select JSON.
    • Content: specify the following:

  9. {
    								"adom": "root",
    								"connector": "test", <----------------this will be the connector name created on FMG
    								"user": "%{Authentication:Username}",
    								"role": "%{Tips:Role}",
    								"ip-addr": "%{ip}"
    							}
  10. Create Endpoint Context Server Action for FortiManager. Go to Administration > Dictionaries > Context Server Actions > Add. Create a Logout action.

  11. Configure the following settings in the Action tab:

    • Server Type: select Generic HTTP.
    • Server Name: specify 10.3.113.57. The is the IP address of FortiManager.
    • Action Name: specify as Frank-FMG-logout.
    • Description: inform FortiManager that user logged out.
    • HTTP Method: select POST.
    • Authentication Method: select Basic.
    • URL: specify /jsonrpc/connector/user/logout
  12. Configure the following settings in the Header tab:
    • Header Name: specify as Content-Type.
    • Header Value: specify as application/json.
    • Content-Type: select JSON.
    • Content: specify the following:
      {
      				"adom": "root",
      				"connector": "test", <--this will be the connector name created on FMG
      				"user": "%{Authentication:Username}",
      				"role": "%{Tips:Role}",
      				"ip-addr": "%{ip}"
      						}
  13. Add FortiManager as the Endpoint Context Server. Go to Administration > External Servers > Endpoint Context Servers > Add. Configure the following settings:
    • Server Type: select Generic HTTP.
    • Server Name: specify 10.3.113.57. This the FortiManager IP.
    • Authentication Method: select Basic.
    • Username: specify admin. This is the administrator on FortiManager.
  14. Check Actions is added to the server. Go to Administration > External Servers > Endpoint Context Servers > 10.3.113.57 > Actions. You can now find Frank-FMG-login and Frank-FMG-Logout.

  15. Create profile. Go to Configuration > Enforcement > Profiles > Add.
  16. Configure the following settings in the Profile tab:

    • Template: select Session Notification Management.
    • Name: specify FortiManager Login and Logout.
    • Description: specify FortiManager - Initial SSO integration testing.
    • Type: select Post_Authentication.
  17. Configure the following settings in the Attributes tab.

  18. Type

    Name

    Value

    Session-Notify Server Type Generic HTTP
    Session-Notify Login Action Frank-FMG-login
    Session-Notify Logout Action Frank-FMG-logout
    Session-Notify Server IP 10.3.113.57 (FortiManager IP)
  19. Create a Policy. Go to Configuration > Enforcement > Policies > Add.
  20. Configure the following settings in the Enforcement tab.

    • Name: specify FortiManager testing.
    • Enforcement Type: select RADIUS.
    • Default profile: Allow Access Profile.
  21. Configure the following settings in the Rules tab:

    • Type: select Date.
    • Name: select Date-Time.
    • Operation: select EXISTS.
    • Profile Names: [Post Authentication][FortiManager-Login and Logout]
  22. Create API Client. Log on from ClearPass Guest.

  23. Go to Administration > API Services > API Clients > Create API Client. Configure the following:

    • Client ID: specify as test.
    • Description: FortiManager logs on from this client.
    • Operator Profile: Select Super Administrator.
    • Grand Type: select Username and password credentials (grant type=password).
    • Public Client: select the check box.
    • Refresh Tokens: select the check box.

Configuring FortiManager

To configure FortiManager:
  1. Log on to FortiManager.
  2. Launch the command line and execute the following:
    config system admin user
    edit  admin
    set rpc-permit read-write
    end
  3. Create FortiManager GUI connector. Go to Fabric View > Create New. Select aruba ClearPass. Click Next.

  4. Configure the following settings:

    • Name: specify the name as test. This name must be same as used in ClearPass Endpoint Context Server Actions > Frank-FMG-login/Frank-FMG-logout > Content >"Connector":" test".
    • Status: toggle to ON.
    • Server: specify the IP as 10.3.113.102. This is the ClearPass IP.
    • Client: specify as test. This is the name of the API Client created.
    • User: specify as admin. This is the ClearPass login name.
    • Password: specify as Qa1234. This is the ClearPass password.
  5. Get role and user from ClearPass. Go to Policy & Objects > Object Configurations > Fabric Connectors >SSO/Identity. Select the connector and click Import, or edit it then click Apply & Refresh. FortiManager then gets the roles and users from ClearPass. Green shows the user has logged on.

  6. Install adgrp from ClearPass to FortiGate. Policy & Objects > Object Configurations > User & Devices > User Groups. Create user group with type as FSSO/SSO Connectors, and select members as ClearPass adgrp. Use the user group in a policy and install it to FortiGate.

Related Videos

sidebar video

Fabric Connector: ClearPass

  • 3,834 views
  • 5 years ago

ClearPass SSO/Identity Connector

ClearPass SSO/Identity Connector

ClearPass Connector is now supported for SSO/Identity integration.

ClearPass connector for FortiManager centralizes updates from ClearPass for all managed FortiGate devices, and leverages the efficient FSSO protocol to apply dynamic policy updates to FortiGate.

Requirements:

  • FortiManager version 5.6 ADOM or later.

    The method described in this topic for creating fabric connectors requires version 6.0 ADOM or later.

  • FortiGate is managed by FortiManager.
  • The managed FortiGate unit is configured to work with ClearPass.
  • Expose JSON API allowing ClearPass to call it.

Complete the following tasks to configure a ClearPass SSO/Identify connector:

  1. Configure the ClearPass server. See Configuring ClearPass server.
  2. Configure FortiManager. See Configuring FortiManager.

Configuring ClearPass server

To configure ClearPass server:
  1. Log on to the ClearPass Policy Manager.

  2. Create Roles. Go to Configuration > Identity > Roles > Add. Specify the name as mytest1. FortiManager will get this group as an Active Directory group. The Description field is optional.

  3. Create local users. Go to Configuration > Identity > Local Users > Add. Configure the following:

    • User ID - specify the user ID as test1.
    • Name - specify the name as testUser1.
    • Password - specify the password as qa1234.
    • Enable - select the check box.
    • Role - specify the role as mytest1 (created in step 1).
  4. Add Ubuntu Simulator. Go to Configuration > Network > Devices > Add. Configure the following settings:

    • Name: specify the name as Ubuntu_test.
    • IP or Subnet Address: specify as 10.3.113.61.
    • RADIUS Shared Secret: specify as qa1234.
    • Vendor name: specify as Unix.
  5. Configure FortiManager to get packets from ClearPass.
  6. Create Endpoint Context Server Action for FortiManager. Go to Administration > Dictionaries > Context Server Actions > Add. Create a Login action.
  7. Configure the following settings in the Action tab:

    • Server Type: select Generic HTTP.
    • Server Name: specify 10.3.113.57. The is the IP address of FortiManager.
    • Action Name: specify as Frank-FMG-login.
    • Description: inform FortiManager that the user logged on.
    • HTTP Method: select POST.
    • Authentication Method: select Basic.
    • URL: specify /jsonrpc/connector/user/login
  8. Configure the following settings in the Header tab:

    • Header Name: specify as Content-Type.
    • Header Value: specify as application/json.
    • Content-Type: select JSON.
    • Content: specify the following:

  9. {
    								"adom": "root",
    								"connector": "test", <----------------this will be the connector name created on FMG
    								"user": "%{Authentication:Username}",
    								"role": "%{Tips:Role}",
    								"ip-addr": "%{ip}"
    							}
  10. Create Endpoint Context Server Action for FortiManager. Go to Administration > Dictionaries > Context Server Actions > Add. Create a Logout action.

  11. Configure the following settings in the Action tab:

    • Server Type: select Generic HTTP.
    • Server Name: specify 10.3.113.57. The is the IP address of FortiManager.
    • Action Name: specify as Frank-FMG-logout.
    • Description: inform FortiManager that user logged out.
    • HTTP Method: select POST.
    • Authentication Method: select Basic.
    • URL: specify /jsonrpc/connector/user/logout
  12. Configure the following settings in the Header tab:
    • Header Name: specify as Content-Type.
    • Header Value: specify as application/json.
    • Content-Type: select JSON.
    • Content: specify the following:
      {
      				"adom": "root",
      				"connector": "test", <--this will be the connector name created on FMG
      				"user": "%{Authentication:Username}",
      				"role": "%{Tips:Role}",
      				"ip-addr": "%{ip}"
      						}
  13. Add FortiManager as the Endpoint Context Server. Go to Administration > External Servers > Endpoint Context Servers > Add. Configure the following settings:
    • Server Type: select Generic HTTP.
    • Server Name: specify 10.3.113.57. This the FortiManager IP.
    • Authentication Method: select Basic.
    • Username: specify admin. This is the administrator on FortiManager.
  14. Check Actions is added to the server. Go to Administration > External Servers > Endpoint Context Servers > 10.3.113.57 > Actions. You can now find Frank-FMG-login and Frank-FMG-Logout.

  15. Create profile. Go to Configuration > Enforcement > Profiles > Add.
  16. Configure the following settings in the Profile tab:

    • Template: select Session Notification Management.
    • Name: specify FortiManager Login and Logout.
    • Description: specify FortiManager - Initial SSO integration testing.
    • Type: select Post_Authentication.
  17. Configure the following settings in the Attributes tab.

  18. Type

    Name

    Value

    Session-Notify Server Type Generic HTTP
    Session-Notify Login Action Frank-FMG-login
    Session-Notify Logout Action Frank-FMG-logout
    Session-Notify Server IP 10.3.113.57 (FortiManager IP)
  19. Create a Policy. Go to Configuration > Enforcement > Policies > Add.
  20. Configure the following settings in the Enforcement tab.

    • Name: specify FortiManager testing.
    • Enforcement Type: select RADIUS.
    • Default profile: Allow Access Profile.
  21. Configure the following settings in the Rules tab:

    • Type: select Date.
    • Name: select Date-Time.
    • Operation: select EXISTS.
    • Profile Names: [Post Authentication][FortiManager-Login and Logout]
  22. Create API Client. Log on from ClearPass Guest.

  23. Go to Administration > API Services > API Clients > Create API Client. Configure the following:

    • Client ID: specify as test.
    • Description: FortiManager logs on from this client.
    • Operator Profile: Select Super Administrator.
    • Grand Type: select Username and password credentials (grant type=password).
    • Public Client: select the check box.
    • Refresh Tokens: select the check box.

Configuring FortiManager

To configure FortiManager:
  1. Log on to FortiManager.
  2. Launch the command line and execute the following:
    config system admin user
    edit  admin
    set rpc-permit read-write
    end
  3. Create FortiManager GUI connector. Go to Fabric View > Create New. Select aruba ClearPass. Click Next.

  4. Configure the following settings:

    • Name: specify the name as test. This name must be same as used in ClearPass Endpoint Context Server Actions > Frank-FMG-login/Frank-FMG-logout > Content >"Connector":" test".
    • Status: toggle to ON.
    • Server: specify the IP as 10.3.113.102. This is the ClearPass IP.
    • Client: specify as test. This is the name of the API Client created.
    • User: specify as admin. This is the ClearPass login name.
    • Password: specify as Qa1234. This is the ClearPass password.
  5. Get role and user from ClearPass. Go to Policy & Objects > Object Configurations > Fabric Connectors >SSO/Identity. Select the connector and click Import, or edit it then click Apply & Refresh. FortiManager then gets the roles and users from ClearPass. Green shows the user has logged on.

  6. Install adgrp from ClearPass to FortiGate. Policy & Objects > Object Configurations > User & Devices > User Groups. Create user group with type as FSSO/SSO Connectors, and select members as ClearPass adgrp. Use the user group in a policy and install it to FortiGate.