Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Creating ClearPass connector

ClearPass Policy Manager (CCPM) is a network access system that can send information about authenticated users to third party systems, such as a FortiGate or FortiManager. ClearPass connector for FortiManager centralizes updates from ClearPass for all FortiGate devices and leverages the efficient FSSO protocol to apply dynamic policy updates to FortiGate.

Requirements:

  • FortiManager version 5.6 or later ADOM

    This example applies to version 6.0 or later ADOMs.

  • FortiGate is managed by FortiManager and configured to work with ClearPass
  • JSON API is exposed, allowing ClearPass to call it
To configure ClearPass:
  1. Log in to ClearPass Policy Manager..
  2. Create roles:
    1. Go to Configuration > Identity > Roles.
    2. Click Add.
    3. For the name, enter mytest1.

      FortiManager will get this group as an Active Directory group.

      The Description field is optional.

    4. Click Save.
  3. Create local users:
    1. Go to Configuration > Identity > Local Users.
    2. Click Add.
    3. Configure the following:
      • Set User ID to test1.
      • Set Name to testUser1.
      • Set Password to qa1234.
      • Select Enable.
      • Set Role to mytest1.

    4. Click Add.
  4. Add an Ubuntu simulator:
    1. Go to Configuration > Network > Devices.
    2. Click Add.
    3.  Configure the following settings:
      • Set Name to Ubuntu_test.
      • Set IP or Subnet Address to 10.3.113.61.
      • Set RADIUS Shared Secret to qa1234.
      • Set Vendor Name to Unix.

    4. Click Add.
  5. Configure FortiManager to get packets from ClearPass:
    1. Add FortiManager as the Endpoint Context Server:
      1. Go to Administration > External Servers > Endpoint Context Servers.
      2. Click Add.
      3. Configure the following:
        • Set Server Type to Generic HTTP.
        • Set Server Name to 10.3.113.57 (the FortiManager IP address).
        • Set Authentication Method to Basic.
        • Set Username to admin (the administrator on FortiManager).
    2. Create Endpoint Context Server Login action for FortiManager:
      1. Go to Administration > Dictionaries > Context Server Actions
      2. Click Add.
      3. On the Action tab, configure the following:
        • Set Server Type to Generic HTTP.
        • Set Server Name to 10.3.113.57 (the FortiManager IP address).
        • Set Action Name to Frank-FMG-login.
        • Set Description to Inform FortiManager that the user logged on.
        • Set HTTP Method to POST.
        • Set Authentication Method to Basic.
        • Set URL to /jsonrpc/connector/user/login

      4. On the Header tab, configure the following:
        • Set Header Name to Content-Type.
        • Set Header Value to application/json.

      5. On the Content tab, configure the following:

        • Set Content-Type to JSON.
        • Set Content to:
          {
              "adom": "root",
              "connector": "test", <--------the connector name created on FortiManager
              "user": "%{Authentication:Username}",
              "role": "%{Tips:Role}",
              "ip-addr": "%{ip}"
          }

      6. Click Save.
    3. Create Endpoint Context Server Logout action for FortiManager:
      1. Go to Administration > Dictionaries > Context Server Actions
      2. Click Add.
      3. On the Action tab, configure the following:
        • Set Server Type to Generic HTTP.
        • Set Server Name to 10.3.113.57 (the FortiManager IP address).
        • Set Action Name to Frank-FMG-logout.
        • Set Description to Inform FortiManager that the user logged out.
        • Set HTTP Method to POST.
        • Set Authentication Method to Basic.
        • Set URL to /jsonrpc/connector/user/logout

      4. On the Header tab, configure the following:
        • Set Header Name to Content-Type.
        • Set Header Value to application/json.
      5. On the Content tab, configure the following:
        • Set Content-Type to JSON.
        • Set Content to:
          {
              "adom": "root",
              "connector": "test",
              "user": "%{Authentication:Username}",
              "role": "%{Tips:Role}",
              "ip-addr": "%{ip}"
          }
      6. Click Save.
    4. Check that the actions are added to the server:
      1. Go to Administration > External Servers > Endpoint Context Servers > 10.3.113.57 > Actions.
      2. Locate the two just created actions.

  6. Create a profile:
    1. Go to Configuration > Enforcement > Profiles.
    2. Click Add.
    3. On the Profile tab, configure the following:
      • Set Template to Session Notification Management.
      • Set Name to FortiManager Login and Logout.
      • Set Description to FortiManager - Initial SSO integration testing.
      • Set Type to Post_Authentication.

    4. On the Attributes tab, configure the following attributes:

      Type

      Name

      Value

      Session-Notify

      Server Type

      Generic HTTP

      Session-Notify

      Login Action

      Frank-FMG-login

      Session-Notify

      Logout Action

      Frank-FMG-logout

      Session-Notify

      Server IP

      10.3.113.57

    5. Click Save.
  7. Create a policy:
    1. Go to Configuration > Enforcement > Policies.
    2. Click Add.
    3. On the Enforcement tab, configure the following:
      • Set Name to FortiManager testing.
      • Set Enforcement Type to RADIUS.
      • Set Default Profile to Allow Access Profile.

    4. On the Rules tab, configure the following:
      • Set Type to Date.
      • Set Name to Date-Time.
      • Set Operation to EXISTS.
      • Set Profile Names to [Post Authentication][FortiManager - Login and Logout].

    5. Click Save.
  8. Create services:
    1. Go to Configuration > Services.
    2. Click Add.
    3. On the Service tab, configure the following:
      • Set Name to API Test Access OAuth2 API User Access.
      • Set Description to Authentication service for API access using OAuth2.
      • Set Type to Aruba Application Authentication.
      • Set Status to Enabled.

    4. On the Authentication tab, set Authentication Sources to:

      [Local User Repository] [Local SQL DB]

      [Admin User Repository] [Local SQL DB]

    5. On the Enforcement tab, configure the following:
      • Set Enforcement Policy to [Guest Operator Logins].
      • Set Description to Enforcement policy controlling access to Guest application.
      • Set Default Profile to [Deny Application Access Profile].
      • Set Rules Evaluation Algorithm to first-applicable.
      • Create the following two conditions:

         

        Conditions

        Enforcement Profiles

        1.

        (Tips:Role EQUALS [User Authenticated])

        AND  (Authentication:Source EQUALS [Local User Repository])

        [Operator Login - Local Users]

        2.

        (Tips:Role EQUALS [User Authenticated])

        AND  (Authentication:Source EQUALS [Admin User Repository])

        [Operator Login - Admin Users]

    6. Click Save.
    7. Click Add again to add another service.
    8. On the Service tab, configure the following:
      • Set Name to AuthN user for Fortimanager Testing.
      • Set Description to Authorization service for AirGroup device access.
      • Set Type to RADIUS Enforcement ( Generic ).
      • Set Status to Enabled.
      • Create the following service rule:

        Type

        Name

        Operator

        Value

        Radius:IEFT

        NAS-IP-Address

        EQUALS

        10.0.0.1

    9. On the Authentication tab, configure the following:
      • Set Authentication Methods to [PAP].
      • Set Authentication Sources to [Local User Repository] [Local SQL DB].
    10. On the Enforcement tab, configure the following:
      • Set Enforcement Policy to fortimanager testing .
      • Set Default Profile to [AllowAccess Profile].
      • Set Rules Evaluation Algorithm to evaluate-all.
      • Create the following condition:

         

        Conditions

        Enforcement Profiles

        1.

        (GuestUser:Company Name NOT_EQUALS ABCDE)

        [FortiManager-login and Logout]

    11. Click Save.
  9. Configure the administrator the FortiManager fabric connector uses to access CPPM APIs:
    1. Go to Administration > Admin Users.
    2. Click Add.
    3. Configure the following:
      • Set User ID to admin.
      • Set Name to admin.
      • Set Password to qa987654.
      • In Verify Password enter the password again.
      • Select Enable User.
      • Set Privilege Level to API Administrator.
    4. Click Save.
  10. Create an API Client:
    1. Log in to ClearPass Guest.

    2. Go to Administration > API Services > API Clients.
    3. Click Create API Client.
    4. Configure the following:
      • Set Client ID to test.
      • Set Desciption to FMG login from it.
      • Select Enable API client.
      • Set Operator Profile to Super Administrator.
      • Set Grand Type to Username and password credentials (grant_type=password).
      • In Public Client select This client is public (trusted) client.
      • In Refresh Token select Allow the use of refresh tokens for this client.

    5. Click Save.
To configure FortiManager:
  1. Log in to FortiManager.
  2. Run the following CLI command:
    config system admin user
        edit  admin
            set rpc-permit read-write
        next
    end
  3. Go to Fabric View > Fabric Connectors.
  4. Click Create New.

  5. Select ClearPass, then click Next.
  6. Configure the following:
    • Set Name to test. This name must be same as the one used in the ClearPass actions.
    • Set Status to On.
    • Set Server to 10.3.113.102 (the ClearPass IP address).
    • Set Client to test (the previously created ClearPass API client).
    • Set User to admin (the ClearPass login name).
    • Set Password to qa1234 (the ClearPass login password).

  7. Click OK.
  8. Get the role and user from ClearPass:
    1. Go to Policy & Objects > Object Configurations > Fabric Connectors >SSO/Identity.
    2. Edit the ClearPass connector and click Apply & Refresh.

      FortiManager retrieves the roles and users from ClearPass. Users with green icons are currently logged in.

  9. Install the address group from ClearPass to FortiGate:
    1. On the FortiManager, go to Policy & Objects > Object Configurations > User & Devices > User Groups.
    2. Click Create New.
    3. Configure the following:
      • Set Group Name to cpp1.
      • Set Type to FSSO/SSO Connectors.
      • Select Members as ClearPass adgrp.

  10. Use the new user group in a policy to install it to FortiGate.
  11. To check that the group was installed on the FortiGate:
    1. On the FortiGate, go to User & Device > User Groups. The group will be in the user group list.
    2. Edit the group to view its members.
    3. In the CLI console, enter the following:
      # diagnose debug authd fsso list
      ----FSSO logons----
      IP: 10.210.15.185  User: user1  Groups: cp_test_Finance  Workstation:  MemberOf: cpp1
      Total number of logons listed: 1, filtered: 0
      ----end of FSSO logons----

Creating ClearPass connector

ClearPass Policy Manager (CCPM) is a network access system that can send information about authenticated users to third party systems, such as a FortiGate or FortiManager. ClearPass connector for FortiManager centralizes updates from ClearPass for all FortiGate devices and leverages the efficient FSSO protocol to apply dynamic policy updates to FortiGate.

Requirements:

  • FortiManager version 5.6 or later ADOM

    This example applies to version 6.0 or later ADOMs.

  • FortiGate is managed by FortiManager and configured to work with ClearPass
  • JSON API is exposed, allowing ClearPass to call it
To configure ClearPass:
  1. Log in to ClearPass Policy Manager..
  2. Create roles:
    1. Go to Configuration > Identity > Roles.
    2. Click Add.
    3. For the name, enter mytest1.

      FortiManager will get this group as an Active Directory group.

      The Description field is optional.

    4. Click Save.
  3. Create local users:
    1. Go to Configuration > Identity > Local Users.
    2. Click Add.
    3. Configure the following:
      • Set User ID to test1.
      • Set Name to testUser1.
      • Set Password to qa1234.
      • Select Enable.
      • Set Role to mytest1.

    4. Click Add.
  4. Add an Ubuntu simulator:
    1. Go to Configuration > Network > Devices.
    2. Click Add.
    3.  Configure the following settings:
      • Set Name to Ubuntu_test.
      • Set IP or Subnet Address to 10.3.113.61.
      • Set RADIUS Shared Secret to qa1234.
      • Set Vendor Name to Unix.

    4. Click Add.
  5. Configure FortiManager to get packets from ClearPass:
    1. Add FortiManager as the Endpoint Context Server:
      1. Go to Administration > External Servers > Endpoint Context Servers.
      2. Click Add.
      3. Configure the following:
        • Set Server Type to Generic HTTP.
        • Set Server Name to 10.3.113.57 (the FortiManager IP address).
        • Set Authentication Method to Basic.
        • Set Username to admin (the administrator on FortiManager).
    2. Create Endpoint Context Server Login action for FortiManager:
      1. Go to Administration > Dictionaries > Context Server Actions
      2. Click Add.
      3. On the Action tab, configure the following:
        • Set Server Type to Generic HTTP.
        • Set Server Name to 10.3.113.57 (the FortiManager IP address).
        • Set Action Name to Frank-FMG-login.
        • Set Description to Inform FortiManager that the user logged on.
        • Set HTTP Method to POST.
        • Set Authentication Method to Basic.
        • Set URL to /jsonrpc/connector/user/login

      4. On the Header tab, configure the following:
        • Set Header Name to Content-Type.
        • Set Header Value to application/json.

      5. On the Content tab, configure the following:

        • Set Content-Type to JSON.
        • Set Content to:
          {
              "adom": "root",
              "connector": "test", <--------the connector name created on FortiManager
              "user": "%{Authentication:Username}",
              "role": "%{Tips:Role}",
              "ip-addr": "%{ip}"
          }

      6. Click Save.
    3. Create Endpoint Context Server Logout action for FortiManager:
      1. Go to Administration > Dictionaries > Context Server Actions
      2. Click Add.
      3. On the Action tab, configure the following:
        • Set Server Type to Generic HTTP.
        • Set Server Name to 10.3.113.57 (the FortiManager IP address).
        • Set Action Name to Frank-FMG-logout.
        • Set Description to Inform FortiManager that the user logged out.
        • Set HTTP Method to POST.
        • Set Authentication Method to Basic.
        • Set URL to /jsonrpc/connector/user/logout

      4. On the Header tab, configure the following:
        • Set Header Name to Content-Type.
        • Set Header Value to application/json.
      5. On the Content tab, configure the following:
        • Set Content-Type to JSON.
        • Set Content to:
          {
              "adom": "root",
              "connector": "test",
              "user": "%{Authentication:Username}",
              "role": "%{Tips:Role}",
              "ip-addr": "%{ip}"
          }
      6. Click Save.
    4. Check that the actions are added to the server:
      1. Go to Administration > External Servers > Endpoint Context Servers > 10.3.113.57 > Actions.
      2. Locate the two just created actions.

  6. Create a profile:
    1. Go to Configuration > Enforcement > Profiles.
    2. Click Add.
    3. On the Profile tab, configure the following:
      • Set Template to Session Notification Management.
      • Set Name to FortiManager Login and Logout.
      • Set Description to FortiManager - Initial SSO integration testing.
      • Set Type to Post_Authentication.

    4. On the Attributes tab, configure the following attributes:

      Type

      Name

      Value

      Session-Notify

      Server Type

      Generic HTTP

      Session-Notify

      Login Action

      Frank-FMG-login

      Session-Notify

      Logout Action

      Frank-FMG-logout

      Session-Notify

      Server IP

      10.3.113.57

    5. Click Save.
  7. Create a policy:
    1. Go to Configuration > Enforcement > Policies.
    2. Click Add.
    3. On the Enforcement tab, configure the following:
      • Set Name to FortiManager testing.
      • Set Enforcement Type to RADIUS.
      • Set Default Profile to Allow Access Profile.

    4. On the Rules tab, configure the following:
      • Set Type to Date.
      • Set Name to Date-Time.
      • Set Operation to EXISTS.
      • Set Profile Names to [Post Authentication][FortiManager - Login and Logout].

    5. Click Save.
  8. Create services:
    1. Go to Configuration > Services.
    2. Click Add.
    3. On the Service tab, configure the following:
      • Set Name to API Test Access OAuth2 API User Access.
      • Set Description to Authentication service for API access using OAuth2.
      • Set Type to Aruba Application Authentication.
      • Set Status to Enabled.

    4. On the Authentication tab, set Authentication Sources to:

      [Local User Repository] [Local SQL DB]

      [Admin User Repository] [Local SQL DB]

    5. On the Enforcement tab, configure the following:
      • Set Enforcement Policy to [Guest Operator Logins].
      • Set Description to Enforcement policy controlling access to Guest application.
      • Set Default Profile to [Deny Application Access Profile].
      • Set Rules Evaluation Algorithm to first-applicable.
      • Create the following two conditions:

         

        Conditions

        Enforcement Profiles

        1.

        (Tips:Role EQUALS [User Authenticated])

        AND  (Authentication:Source EQUALS [Local User Repository])

        [Operator Login - Local Users]

        2.

        (Tips:Role EQUALS [User Authenticated])

        AND  (Authentication:Source EQUALS [Admin User Repository])

        [Operator Login - Admin Users]

    6. Click Save.
    7. Click Add again to add another service.
    8. On the Service tab, configure the following:
      • Set Name to AuthN user for Fortimanager Testing.
      • Set Description to Authorization service for AirGroup device access.
      • Set Type to RADIUS Enforcement ( Generic ).
      • Set Status to Enabled.
      • Create the following service rule:

        Type

        Name

        Operator

        Value

        Radius:IEFT

        NAS-IP-Address

        EQUALS

        10.0.0.1

    9. On the Authentication tab, configure the following:
      • Set Authentication Methods to [PAP].
      • Set Authentication Sources to [Local User Repository] [Local SQL DB].
    10. On the Enforcement tab, configure the following:
      • Set Enforcement Policy to fortimanager testing .
      • Set Default Profile to [AllowAccess Profile].
      • Set Rules Evaluation Algorithm to evaluate-all.
      • Create the following condition:

         

        Conditions

        Enforcement Profiles

        1.

        (GuestUser:Company Name NOT_EQUALS ABCDE)

        [FortiManager-login and Logout]

    11. Click Save.
  9. Configure the administrator the FortiManager fabric connector uses to access CPPM APIs:
    1. Go to Administration > Admin Users.
    2. Click Add.
    3. Configure the following:
      • Set User ID to admin.
      • Set Name to admin.
      • Set Password to qa987654.
      • In Verify Password enter the password again.
      • Select Enable User.
      • Set Privilege Level to API Administrator.
    4. Click Save.
  10. Create an API Client:
    1. Log in to ClearPass Guest.

    2. Go to Administration > API Services > API Clients.
    3. Click Create API Client.
    4. Configure the following:
      • Set Client ID to test.
      • Set Desciption to FMG login from it.
      • Select Enable API client.
      • Set Operator Profile to Super Administrator.
      • Set Grand Type to Username and password credentials (grant_type=password).
      • In Public Client select This client is public (trusted) client.
      • In Refresh Token select Allow the use of refresh tokens for this client.

    5. Click Save.
To configure FortiManager:
  1. Log in to FortiManager.
  2. Run the following CLI command:
    config system admin user
        edit  admin
            set rpc-permit read-write
        next
    end
  3. Go to Fabric View > Fabric Connectors.
  4. Click Create New.

  5. Select ClearPass, then click Next.
  6. Configure the following:
    • Set Name to test. This name must be same as the one used in the ClearPass actions.
    • Set Status to On.
    • Set Server to 10.3.113.102 (the ClearPass IP address).
    • Set Client to test (the previously created ClearPass API client).
    • Set User to admin (the ClearPass login name).
    • Set Password to qa1234 (the ClearPass login password).

  7. Click OK.
  8. Get the role and user from ClearPass:
    1. Go to Policy & Objects > Object Configurations > Fabric Connectors >SSO/Identity.
    2. Edit the ClearPass connector and click Apply & Refresh.

      FortiManager retrieves the roles and users from ClearPass. Users with green icons are currently logged in.

  9. Install the address group from ClearPass to FortiGate:
    1. On the FortiManager, go to Policy & Objects > Object Configurations > User & Devices > User Groups.
    2. Click Create New.
    3. Configure the following:
      • Set Group Name to cpp1.
      • Set Type to FSSO/SSO Connectors.
      • Select Members as ClearPass adgrp.

  10. Use the new user group in a policy to install it to FortiGate.
  11. To check that the group was installed on the FortiGate:
    1. On the FortiGate, go to User & Device > User Groups. The group will be in the user group list.
    2. Edit the group to view its members.
    3. In the CLI console, enter the following:
      # diagnose debug authd fsso list
      ----FSSO logons----
      IP: 10.210.15.185  User: user1  Groups: cp_test_Finance  Workstation:  MemberOf: cpp1
      Total number of logons listed: 1, filtered: 0
      ----end of FSSO logons----