Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass FortiGate integration

  • 1.  ClearPass FortiGate integration

    Posted Nov 30, 2020 10:12 AM
    Hey, guys,

    I'm trying to integrate FortiGate directly with ClearPass. No luck for the moment.

    I have already seen CPPM integration with FortiAuthentication and FortiManager; I don't have either. Just CPPM and FortiGate.
    Previously it was integrated using RADIUS. I would like to use the REST API instead.

    Do you have some notes or ideas if it does work?

    ------------------------------
    Igor
    ------------------------------


  • 2.  RE: ClearPass FortiGate integration

    MVP
    Posted Nov 30, 2020 11:52 AM
    Hey Igor,

    Today there is no direct approved integration with FortiGate other than using RADIUS accounting. What does RADIUS Accounting not give you that you need? Said another way, please lay out the integration use case you are trying to achieve.

    ------------------------------
    Danny Jump
    ------------------------------



  • 3.  RE: ClearPass FortiGate integration

    Posted Nov 30, 2020 12:06 PM
    Ok, thanks a lot.
    I have a question; probably you can ease my life :)
    I have a lot of unauthenticated sessions on my FortiGate (with no group). I have captured packets coming from CPPM, and some packets don't contain the Filter-ID (11) field with the RSSO tag.
    Why (under what conditions) can CPPM send a RADIUS packet but "forget" to add the RSSO tag to it?

    Screenshot of packet: pck1




    ------------------------------
    Igor Chu
    ------------------------------



  • 4.  RE: ClearPass FortiGate integration

    MVP
    Posted Nov 30, 2020 12:56 PM
    Thx for getting back to me. 

    So for the RADIUS SSO in FortiGate, it looks like you're using AVP Filter-ID (11) to pass a 'group/role'; this should be substituted in the RADIUS Accounting Proxy before it's sent over to the FortiGate. If you're seeing missing AVP data, can you track this to a specific service, or is it general across CPPM? If general, and without detailed logs, I'd suggest that you look at opening a support case with Aruba TAC.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 5.  RE: ClearPass FortiGate integration

    Posted Nov 30, 2020 01:05 PM
    Hey, dannyjump,

    What do you mean by substituted? I add this string to the Accounting proxy as {Endpoint:Source}.
    Endpoint sources I assign regarding the presence by listing Allgroups and looking for a specific group in AD.

    Check my screenshots. Do you think it is the best way?

    Thanks a lot for your time!

    ------------------------------
    Igor Chu
    ------------------------------



  • 6.  RE: ClearPass FortiGate integration

    MVP
    Posted Nov 30, 2020 01:32 PM
    If I understand you correctly, within your service policy you've enabled Accounting-Proxy, and then, as I understand the below,

    RADIUS:IETF, Filter-ID,  %{Authorization:[Endpoints Repository]:Source}

    Is this correct? If so, run a filter across your Endpoint DB > Attribute, Source, equals <BLANK>. If you see endpoints in here, and you're trying to use Endpoint-Source to populate Filter-Id, then these endpoints have no source defined, and this could be the reason why you see blank in RSSO.


    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 7.  RE: ClearPass FortiGate integration

    Posted Nov 30, 2020 01:51 PM
    dannyjump, thanks for the explanation,

    Probably I have something wrong with my CPPM, because I see 6540 endpoints, all with status Unknown.
    But for example, for #2 I see the Source attribute. Check the screenshot.


    ------------------------------
    Igor Chu
    ------------------------------



  • 8.  RE: ClearPass FortiGate integration

    MVP
    Posted Nov 30, 2020 10:20 PM
    Status UNKNOWN relates to the fact that these endpoints have at best not been profiled (and this gets complicated) and have not had the Status flag set to KNOWN, which we typically do as part of a valid authN using the Endpoint enforcement profile to toggle the status. This status has nothing to do with the source attribute.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 9.  RE: ClearPass FortiGate integration

    Posted Dec 01, 2020 08:48 AM
    dannyjump, I so appreciate your time and willingness to support.

    Status Unknown is not an issue in my case, finally. We don't apply profiles for endpoints.

    BUT, I don't understand WHY CPPM doesn't send the RSSO tag for all sessions. Check, for example, the screenshot. I see an RSSO tag that should be sent to the FortiGate, but the FortiGate doesn't receive that tag. The packet is really similar to the screenshot in my second reply to you in this topic.

    The other example: in building A my iPhone is authenticated with an RSSO tag. In building B the same iPhone is not. The config for both Virtual Controllers is the same. Weird, man!!!!

    ------------------------------
    Igor Chu
    ------------------------------



  • 10.  RE: ClearPass FortiGate integration

    MVP
    Posted Dec 01, 2020 12:39 PM
    Igor,

    Going back to what you told me previously, and from what I understand, the TAG is coming from Endpoint:Source; if this is NOT set for an endpoint, then the RSSO value received will be <BLANK>.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------
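A way to check the captures described in posts 3, 6 and 10 offline is to walk each RADIUS Accounting-Request, record per Acct-Session-Id whether Filter-Id (attribute 11) is present, present but empty, or absent, and also verify the Request Authenticator against the shared secret so that a tampered or mis-keyed packet is not mistaken for a proxy that "forgot" the tag. The Python below is an added example, not code from this thread, ClearPass or FortiGate; the packets, shared secret, session IDs and Filter-Id values are all constructed inline.

```python
"""Audit RADIUS Accounting-Request packets for the Filter-Id (11) attribute.

Added example: builds a few constructed Accounting-Requests (RFC 2866),
then reports per session whether Filter-Id is present, empty, or missing,
and whether the Request Authenticator verifies against the shared secret.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4           # RFC 2866 packet code
ATTR_USER_NAME = 1
ATTR_FILTER_ID = 11              # attribute FortiGate RSSO reads the group from
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_START = 1

SECRET = b"constructed-shared-secret"   # constructed value for this example only


def encode_attrs(attrs):
    """Serialise (type, value-bytes) pairs as RADIUS TLVs (length includes the 2-byte header)."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 octets")
        out += bytes((atype, 2 + len(value))) + value
    return bytes(out)


def build_accounting_request(secret, identifier, attrs):
    """Build an Accounting-Request with the RFC 2866 s3 Request Authenticator:
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_packet(data):
    """Parse a RADIUS packet into code, id, authenticator and a list of (type, value)."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": identifier, "authenticator": data[4:20], "attrs": attrs}


def verify_accounting_authenticator(data, secret):
    """Recompute the accounting Request Authenticator and compare in constant time."""
    pkt = parse_packet(data)
    length = struct.unpack("!H", data[2:4])[0]
    expected = hashlib.md5(data[:4] + bytes(16) + data[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt["authenticator"])


def audit_filter_id(packets, secret):
    """Map each Accounting-Request's Acct-Session-Id to a verdict on its Filter-Id."""
    verdicts = {}
    for data in packets:
        pkt = parse_packet(data)
        if pkt["code"] != ACCOUNTING_REQUEST:
            continue
        session = next((v for t, v in pkt["attrs"] if t == ATTR_ACCT_SESSION_ID), b"?").decode()
        if not verify_accounting_authenticator(data, secret):
            verdicts[session] = "bad-authenticator"   # do not trust its attributes at all
            continue
        filters = [v for t, v in pkt["attrs"] if t == ATTR_FILTER_ID]
        if not filters:
            verdicts[session] = "missing"             # proxy never added the attribute
        elif all(len(v) == 0 for v in filters):
            verdicts[session] = "empty"               # attribute present, value blank
        else:
            verdicts[session] = "ok"
    return verdicts


def sample_packets():
    """Constructed sample capture: good, missing tag, blank tag, and a tampered copy."""
    base = [(ATTR_USER_NAME, b"igor"), (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))]
    good = build_accounting_request(SECRET, 1, base + [(ATTR_ACCT_SESSION_ID, b"sess-a"), (ATTR_FILTER_ID, b"staff")])
    missing = build_accounting_request(SECRET, 2, base + [(ATTR_ACCT_SESSION_ID, b"sess-b")])
    empty = build_accounting_request(SECRET, 3, base + [(ATTR_ACCT_SESSION_ID, b"sess-c"), (ATTR_FILTER_ID, b"")])
    tampered = bytearray(build_accounting_request(SECRET, 4, base + [(ATTR_ACCT_SESSION_ID, b"sess-d"), (ATTR_FILTER_ID, b"staff")]))
    tampered[-1] ^= 0xFF   # flip the last byte of the Filter-Id value after signing
    return [good, missing, empty, bytes(tampered)]


if __name__ == "__main__":
    for session, verdict in sorted(audit_filter_id(sample_packets(), SECRET).items()):
        print(f"{session}: {verdict}")
```

In practice `sample_packets()` would be replaced by the UDP payloads pulled from the capture taken on the FortiGate side, so that a session reported as "missing" there can be compared with the same session's packet captured on the CPPM side; a verdict of "bad-authenticator" points at a shared-secret mismatch or an altered packet rather than at the accounting proxy's attribute mapping.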



  • 11.  RE: ClearPass FortiGate integration

    Posted Dec 01, 2020 01:18 PM
    dannyjump, Endpoint:Source is set regarding the Role.

    Today I had a troubleshooting session with TAC. They proved that CPPM works fine.
    But the FortiGate doesn't receive all packets, or something similar.

    So now I will work with Fortinet TAC to troubleshoot that.

    ------------------------------
    Igor Chu
    ------------------------------