ClearPass SSO/Identity Connector

ClearPass Connector is now supported for SSO/Identity integration.

ClearPass connector for FortiManager centralizes updates from ClearPass for all managed FortiGate devices, and leverages the efficient FSSO protocol to apply dynamic policy updates to FortiGate.

Requirements:

  • FortiManager version 5.6 ADOM or later.

    The method described in this topic for creating fabric connectors requires version 6.0 ADOM or later.

  • FortiGate is managed by FortiManager.
  • The managed FortiGate unit is configured to work with ClearPass.
  • The FortiManager JSON API is exposed so that ClearPass can call it.

Complete the following tasks to configure a ClearPass SSO/Identity connector:

  1. Configure the ClearPass server. See Configuring ClearPass server.
  2. Configure FortiManager. See Configuring FortiManager.

Configuring ClearPass server

To configure ClearPass server:
  1. Log on to the ClearPass Policy Manager.

  2. Create Roles. Go to Configuration > Identity > Roles > Add. Specify the name as mytest1. FortiManager will get this group as an Active Directory group. The Description field is optional.

  3. Create local users. Go to Configuration > Identity > Local Users > Add. Configure the following:

    • User ID - specify the user ID as test1.
    • Name - specify the name as testUser1.
    • Password - specify the password as qa1234.
    • Enable - select the check box.
    • Role - specify the role as mytest1 (created in step 2).
  4. Add Ubuntu Simulator. Go to Configuration > Network > Devices > Add. Configure the following settings:

    • Name: specify the name as Ubuntu_test.
    • IP or Subnet Address: specify as 10.3.113.61.
    • RADIUS Shared Secret: specify as qa1234.
    • Vendor name: specify as Unix.
  5. Configure FortiManager to get packets from ClearPass.
  6. Create Endpoint Context Server Action for FortiManager. Go to Administration > Dictionaries > Context Server Actions > Add. Create a Login action.
  7. Configure the following settings in the Action tab:

    • Server Type: select Generic HTTP.
    • Server Name: specify 10.3.113.57. This is the IP address of FortiManager.
    • Action Name: specify as Frank-FMG-login.
    • Description: inform FortiManager that the user logged on.
    • HTTP Method: select POST.
    • Authentication Method: select Basic.
    • URL: specify /jsonrpc/connector/user/login.
  8. Configure the following settings in the Header tab:

    • Header Name: specify as Content-Type.
    • Header Value: specify as application/json.
    • Content-Type: select JSON.
  9. Content: specify the following. The "connector" value must be the name of the connector that you will create on FortiManager.

    {
      "adom": "root",
      "connector": "test",
      "user": "%{Authentication:Username}",
      "role": "%{Tips:Role}",
      "ip-addr": "%{ip}"
    }
  10. Create Endpoint Context Server Action for FortiManager. Go to Administration > Dictionaries > Context Server Actions > Add. Create a Logout action.

  11. Configure the following settings in the Action tab:

    • Server Type: select Generic HTTP.
    • Server Name: specify 10.3.113.57. This is the IP address of FortiManager.
    • Action Name: specify as Frank-FMG-logout.
    • Description: inform FortiManager that user logged out.
    • HTTP Method: select POST.
    • Authentication Method: select Basic.
    • URL: specify /jsonrpc/connector/user/logout.
  12. Configure the following settings in the Header tab:

    • Header Name: specify as Content-Type.
    • Header Value: specify as application/json.
    • Content-Type: select JSON.
    • Content: specify the following. The "connector" value must be the name of the connector that you will create on FortiManager.

      {
        "adom": "root",
        "connector": "test",
        "user": "%{Authentication:Username}",
        "role": "%{Tips:Role}",
        "ip-addr": "%{ip}"
      }
  13. Add FortiManager as the Endpoint Context Server. Go to Administration > External Servers > Endpoint Context Servers > Add. Configure the following settings:
    • Server Type: select Generic HTTP.
    • Server Name: specify 10.3.113.57. This is the FortiManager IP address.
    • Authentication Method: select Basic.
    • Username: specify admin. This is the administrator on FortiManager.
  14. Check that the actions have been added to the server. Go to Administration > External Servers > Endpoint Context Servers > 10.3.113.57 > Actions. Frank-FMG-login and Frank-FMG-logout are now listed.

  15. Create profile. Go to Configuration > Enforcement > Profiles > Add.
  16. Configure the following settings in the Profile tab:

    • Template: select Session Notification Management.
    • Name: specify FortiManager Login and Logout.
    • Description: specify FortiManager - Initial SSO integration testing.
    • Type: select Post_Authentication.
  17. Go to the Attributes tab.
  18. Add the following attributes:

    Type             Name            Value
    Session-Notify   Server Type     Generic HTTP
    Session-Notify   Login Action    Frank-FMG-login
    Session-Notify   Logout Action   Frank-FMG-logout
    Session-Notify   Server IP       10.3.113.57 (FortiManager IP)
  19. Create a Policy. Go to Configuration > Enforcement > Policies > Add.
  20. Configure the following settings in the Enforcement tab.

    • Name: specify FortiManager testing.
    • Enforcement Type: select RADIUS.
    • Default profile: Allow Access Profile.
  21. Configure the following settings in the Rules tab:

    • Type: select Date.
    • Name: select Date-Time.
    • Operation: select EXISTS.
    • Profile Names: [Post Authentication][FortiManager-Login and Logout]
  22. Create API Client. Log on from ClearPass Guest.

  23. Go to Administration > API Services > API Clients > Create API Client. Configure the following:

    • Client ID: specify as test.
    • Description: FortiManager logs on from this client.
    • Operator Profile: Select Super Administrator.
    • Grant Type: select Username and password credentials (grant type=password).
    • Public Client: select the check box.
    • Refresh Tokens: select the check box.

Configuring FortiManager

To configure FortiManager:
  1. Log on to FortiManager.
  2. Launch the command line and execute the following:

    config system admin user
      edit admin
        set rpc-permit read-write
    end
  3. Create the connector in the FortiManager GUI. Go to Fabric View > Create New. Select Aruba ClearPass. Click Next.

  4. Configure the following settings:

    • Name: specify the name as test. This name must be the same as the "connector" value used in the Content of the ClearPass Endpoint Context Server Actions Frank-FMG-login and Frank-FMG-logout ("connector": "test").
    • Status: toggle to ON.
    • Server: specify the IP as 10.3.113.102. This is the ClearPass IP.
    • Client: specify as test. This is the name of the API Client created.
    • User: specify as admin. This is the ClearPass login name.
    • Password: specify as Qa1234. This is the ClearPass password.
  5. Get the roles and users from ClearPass. Go to Policy & Objects > Object Configurations > Fabric Connectors > SSO/Identity. Select the connector and click Import, or edit it and then click Apply & Refresh. FortiManager then retrieves the roles and users from ClearPass. A green indicator shows that the user has logged on.

  6. Install the adgrp from ClearPass to FortiGate. Go to Policy & Objects > Object Configurations > User & Devices > User Groups. Create a user group with the type FSSO/SSO Connectors and select the ClearPass adgrp as a member. Use the user group in a policy and install the policy to FortiGate.
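The Login and Logout actions above post a JSON body with Basic authentication to the FortiManager JSON API, and the "connector" value in that body must match the connector name created on FortiManager. The following added example (not Fortinet's or Aruba's code) renders the action's Content template from a constructed set of ClearPass session attributes, assembles the request the action would send, and applies the receiver-side checks a test stub could use to catch a misconfigured action before it is pointed at FortiManager; the checks in validate_request are an assumption about what a sane receiver would reject, not FortiManager's own validation.

```python
import base64
import json
import re

# Constructed copy of the Content template from the ClearPass Login/Logout actions.
CONTENT_TEMPLATE = """{
  "adom": "root",
  "connector": "test",
  "user": "%{Authentication:Username}",
  "role": "%{Tips:Role}",
  "ip-addr": "%{ip}"
}"""
REQUIRED_KEYS = {"adom", "connector", "user", "role", "ip-addr"}
PLACEHOLDER = re.compile(r"%\{([^}]+)\}")

def render_content(template, session_attrs):
    """Substitute ClearPass %{...} session attributes into the action's Content template."""
    def sub(match):
        name = match.group(1)
        if name not in session_attrs:
            raise KeyError(f"session has no attribute {name}")
        return json.dumps(session_attrs[name])[1:-1]  # JSON-escape, drop the outer quotes
    return PLACEHOLDER.sub(sub, template)

def build_request(action, session_attrs, username, password, template=CONTENT_TEMPLATE):
    """Assemble the HTTP request the Login ("login") or Logout ("logout") action posts."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"method": "POST", "path": f"/jsonrpc/connector/user/{action}",
            "headers": {"Content-Type": "application/json", "Authorization": f"Basic {token}"},
            "body": render_content(template, session_attrs)}

def validate_request(req, expected_connector):
    """Assumed receiver-side checks for a test stub; returns a list of problems (empty = usable)."""
    problems = []
    if req["method"] != "POST":
        problems.append("method must be POST")
    if req["path"] not in ("/jsonrpc/connector/user/login", "/jsonrpc/connector/user/logout"):
        problems.append("unknown path")
    if not req["headers"].get("Authorization", "").startswith("Basic "):
        problems.append("missing Basic auth")
    if req["headers"].get("Content-Type") != "application/json":
        problems.append("Content-Type must be application/json")
    try:
        body = json.loads(req["body"])
    except ValueError:
        return problems + ["body is not valid JSON"]
    problems += ["missing key: " + k for k in sorted(REQUIRED_KEYS - body.keys())]
    if body.get("connector") != expected_connector:
        problems.append("connector name does not match the FortiManager connector")
    return problems
```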
