CPPM + Fortimanager + FSSO

  • 1.  CPPM + Fortimanager + FSSO

    Posted Dec 09, 2020 02:15 PM
    Hi,

    I am trying to figure out this puzzle and, so far, falling short.  Hopefully someone like @dannyjump can give me some insight :)


    Here is what I want to achieve:

    • Users connect to VPN SSL on our Fortigate
    • Authentication is made using Radius with CPPM (working correctly)
    • I want FSSO (Fortinet Single Sign On) to work with our VPN Users, i.e. I want all Active Directory security groups sent to FSSO so that they can be used in the Fortigate policies.

    At first I tried to make this work without a FortiManager by making CPPM Proxy Accounting to the Fortigate Single Sign On Agent. Only this doesn't work because the "class" attribute sent by CPPM to Fortigate is absent in Fortigate's response and thus the interim accounting never works on CPPM (this has been validated in a TAC case).

    So we bought a FortiManager because it is supposed to be the missing puzzle piece. Well here it is but all I can find are documents to configure it for the connector agent which will only send a single group from CPPM.

    I took a look at @timdaemon modified Doc here :Airheads Community
    It helped for the initial setup but I can't figure out how to use both platforms to achieve my ultimate goal!
    He mentions " Other tricks are out there via Accounting Proxy, setting endpoint attributes and others, however they have been found to be less than totally reliable in getting the session information to the Fortimanager" and I can't seem to build up a search query to get those "accounting proxy tricks"!


    I need to find a way to send Accounting info from CPPM to my FSSO Server and then it will all work by magic haha.

    Thanks in advance for any input


    ------------------------------
    Alex Beaudet
    Network/Sysadmin
    Université du Québec à Trois-Rivières
    Quebec, Canada
    ------------------------------


  • 2.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 09, 2020 02:33 PM
    You should integrate your VPN directly with your organization's IdP using SAML or OpenID Connect. There is no reason to use CPPM for this.

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 09, 2020 02:47 PM
    Not sure how a SAML approach would be relevant since we run everything on premise here. No Azure AD or anything like it to act as an IDP.
    All we have is an Active Directory on-prem! I'm reading into SAML since I've never seen it mentioned before as an authentication alternative...

    Also, from what I am reading, this is only available for SSL VPN Web Portal on Fortigate. Which is not my use case.

    ------------------------------
    Alex Beaudet
    Network/Sysadmin
    Université du Québec à Trois-Rivières
    Quebec, Canada
    ------------------------------



  • 4.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 09, 2020 02:53 PM
    Looks like you use Office 365, so you are actually using Azure AD. You should use AAD so your users see a common login screen (and potentially get SSO) vs some random login page.

    Avoid legacy AD and legacy protocols wherever possible.

    ------------------------------
    Tim C
    ------------------------------



  • 5.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 09, 2020 02:59 PM
    I get what you're saying but we are only using O365 for mail and nothing AD related is on there.
    What I need is my AD groups to be used for VPN users in the same way they currently are for Wired and Wireless users.

    We have AD groups defined for various network permissions and Fortigate will allow access to a user dynamically based on group membership.
    This makes the firewall config much simpler instead of maintaining all devices' dns names in there with huge groups of devices.

    It was extremely easy to make use of this with Clearpass for wireless clients so I thought to reuse the same authentication platform for VPN.

    Either way, as I stated above, Forticlient VPN does not support SAML for the Windows Client so this isn't a viable option. It is only supported for the Web Portal mode which will not be used.

    ------------------------------
    Alex Beaudet
    Network/Sysadmin
    Université du Québec à Trois-Rivières
    Quebec, Canada
    ------------------------------



  • 6.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 09, 2020 03:05 PM
    You may not be using it for other stuff today, but you can (and should). Your legacy AD groups are likely being synced to Azure AD and can be used for policy.

    https://docs.fortinet.com/document/forticlient/6.4.0/new-features/402514/saml-support-for-ssl-vpn

    "FortiClient (Windows) 6.4.0 supports SAML authentication for SSL VPN. FortiClient (Windows) can use a SAML identity provider (IdP) to authenticate an SSL VPN connection."

    ------------------------------
    Tim C
    ------------------------------



  • 7.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 09, 2020 03:15 PM
    I saw that google result earlier but the page gave me a not found on fortinet's website! Thanks for the link.
    We aren't on 6.4 yet because of numerous issues with that version so far. Will be worth a test or two down the road.

    As for O365 I think my colleagues explicitly disabled AD group sync to the cloud (I do not control this part of our enterprise).
    If that is the case I would need a local ADFS server to serve as IDP.

    So, after all that, I am still in the market for a hacky solution to get CPPM and Fortinet talking like right now instead of going down another rabbit hole for a few days/weeks. I am so close to what I need right now it's frustrating.

    ------------------------------
    Alex Beaudet
    Network/Sysadmin
    Université du Québec à Trois-Rivières
    Quebec, Canada
    ------------------------------



  • 8.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 10, 2020 05:09 AM
    I did a really quick test based on this document https://docs.fortinet.com/document/fortimanager/6.2.1/administration-guide/733863/creating-clearpass-connector

    Though I think I used it with 802.1X authentication from switch to CPPM then to FortiManager which again syncs the info towards the FortiGates. I think it worked and after authentication to LAN the information on the FortiGate was updated. So it should work just as fine with VPN clients too.

    But maybe it's a bit different case when you need to use FSSO software; I'm not very familiar with that. Hoping to get some more time to lab this out. But at least using that document it's possible to get it working so that you have AD groups and users in FortiGates with the IPs they currently have in the VPN tunnel.


  • 9.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 10, 2020 09:03 AM
    Bonjour,

    CPPM + Fortimanager integration is for 802.1x and not VPN SSL

    But if you are already connected to VPN SSL, the user is already detected by the Fortigate, or is it another firewall?

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 10.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 10, 2020 09:09 AM
    The VPN authentication through CPPM is working fine.  I need to get the FSSO working and, so far, can't find a way that works.

    The "easiest" seemed to be forwarding accounting to proxy target that will then manage the FSSO but CPPM won't start interim accounting because of a missing "class" attribute in fortigate's response.

    ------------------------------
    Alex Beaudet
    Network/Sysadmin
    Université du Québec à Trois-Rivières
    Quebec, Canada
    ------------------------------



  • 11.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 10, 2020 09:11 AM

    If I'm understanding what you're asking, we are doing a similar thing. We have CPPM set to send role information to our FortiGate unit, and then use that role in policies. (And we are doing it straight to our Fortigate, not with a Fortimanager)

    It took a while, we had to do quite a few packet captures to see what Clearpass was sending in the accounting information and then what Fortigate was expecting. 

    What we had to do was add this attribute to the service we were using

    radius:IETF - filter ID = {Whatever Radius attribute you wanna send}

    I'm not sure if I'm 100% understanding what you are trying to do, but I can explain further if it sounds similar to what you are doing



    ------------------------------
    Christopher Wickline
    ------------------------------



  • 12.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 10, 2020 09:16 AM
    That part works for me. I want to go beyond the "single role" that Clearpass sends to Fortigate.

    Fortigate with FSSO can poll Active Directory logons to get a user's group membership and then we can make Policies based on any AD group for those users. Policies are now dynamic and independent of the device/network the user is logged onto.

    Our 802.1X CPPM authentication uses Proxy Accounting to that end and it works flawlessly on the first try.
    For our VPN though no dice. 


    User --> Forticlient VPN --> Authentication CPPM --> Confirms OK to Fortigate --> Fortigate sends back interim accounting to CPPM but without the 'class' attribute --> CPPM never starts an accounting session for this connection and thus will never send info to Accounting Proxy.


    ------------------------------
    Alex Beaudet
    Network/Sysadmin
    Université du Québec à Trois-Rivières
    Quebec, Canada
    ------------------------------
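    The flow Alex lays out above (and the Filter-Id attribute Christopher mentions in reply 11) turns on one detail of the RADIUS accounting exchange: the server can only tie an Accounting-Request back to an authenticated session if the NAS echoes the Class attribute it received in the Access-Accept. The script below is an added illustration, not code from this thread, from Aruba or from Fortinet. It builds two Interim-Update records for the same VPN user, one carrying Class and one without it, verifies the RFC 2866 Request Authenticator against the shared secret, and reports whether each record is correlatable. The user name, secret, session id and Class value are constructed sample data.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute numbers (RFC 2865 / RFC 2866) that matter in this thread
ACCOUNTING_REQUEST = 4
USER_NAME, FILTER_ID, CLASS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 11, 25, 40, 44
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def encode_attr(atype, value):
    """Encode one attribute as type, length, value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def build_accounting_request(ident, secret, attrs):
    """Build an Accounting-Request whose Request Authenticator is
    MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret), per RFC 2866."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attrs(body):
    """Walk the attribute list, rejecting truncated or zero-length entries."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return attrs


def inspect_accounting_request(packet, secret):
    """Check the authenticator and report the fields a RADIUS server needs to
    tie this accounting record back to an authenticated session."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"code {code} is not Accounting-Request")
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    attrs = dict(parse_attrs(body))  # one value per attribute type is enough here
    status_code = None
    if ACCT_STATUS_TYPE in attrs:
        status_code = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
    return {
        "id": ident,
        "authenticator_ok": hmac.compare_digest(authenticator, expected),
        "user": attrs.get(USER_NAME, b"").decode(errors="replace"),
        "status": ACCT_STATUS.get(status_code, "Unknown"),
        "session_id": attrs.get(ACCT_SESSION_ID, b"").decode(errors="replace"),
        "class": attrs.get(CLASS),
        "filter_id": attrs.get(FILTER_ID, b"").decode(errors="replace"),
    }


def correlatable(report):
    """True only when the record is authentic and echoes the Class value the
    server issued at authentication time; without it the server has nothing
    to match the session on, which is the symptom described in the thread."""
    return report["authenticator_ok"] and report["class"] is not None


# Constructed sample data: a shared secret and two Interim-Update records for
# the same VPN user, one echoing Class and one omitting it.
SECRET = b"constructed-shared-secret"
COMMON = [
    (USER_NAME, b"alice"),
    (ACCT_STATUS_TYPE, struct.pack("!I", 3)),  # 3 = Interim-Update
    (ACCT_SESSION_ID, b"SESSION-0001"),
    (FILTER_ID, b"VPN-Staff"),
]
WITH_CLASS = build_accounting_request(7, SECRET, COMMON + [(CLASS, b"CPPM-SESSION-TOKEN")])
WITHOUT_CLASS = build_accounting_request(8, SECRET, COMMON)

if __name__ == "__main__":
    for pkt in (WITH_CLASS, WITHOUT_CLASS):
        r = inspect_accounting_request(pkt, SECRET)
        print(f"id={r['id']} {r['status']} user={r['user']} filter_id={r['filter_id']} "
              f"class_present={r['class'] is not None} correlatable={correlatable(r)}")
```

    Run against a packet capture instead of the constructed records, the same inspection tells you which side to fix: a failing authenticator points at a shared-secret mismatch between the NAS and the server, while a valid record with no Class attribute means the NAS is not echoing the session token and the server cannot open an accounting session for it, whatever Filter-Id or other attributes it carries.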



  • 13.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 10, 2020 12:09 PM
    Sorry to ask a dumb question, did you review the latest FortiManager/Fortigate integration guide that was posted about 10 weeks back?

    https://support.hpe.com/hpsc/doc/public/display?docId=a00106091en_us


    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 14.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 10, 2020 12:41 PM
    No dumb questions!  Super happy to have you guys challenge me over here.

    I did start with that guide two days ago.  I didn't complete it because of an issue with Fortimanager and I did that last night. Will go through the guide once more this afternoon.

    My 2 'not sure' things about this guide are :
    1. How to use this connector for SSL VPN authentication?
    2. This will indeed alert Fortigate when a user logs on/off and send CPPM Roles to it. But I need the AD roles of the user (potentially many tens of security groups) and not strictly a few roles from Clearpass.

    Will get back once I've gone through it again maybe I missed some part and it will make sense then.

    ------------------------------
    Alex Beaudet
    Network/Sysadmin
    Université du Québec à Trois-Rivières
    Quebec, Canada
    ------------------------------



  • 15.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 10, 2020 01:04 PM
    Ah - OK, this latest integration that was developed will NOT send the AD groups; it was built for Fortimanager to leverage the CPPM roles to drive policy in Fortigate based upon the CPPM role assignment.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 16.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 10, 2020 01:08 PM
    That is what I thought at first read.

    Do you have any idea on how to "make it happen" besides the SAML angle that was suggested by Timms? I made the necessary updates to be able to give SAML a try but still it makes me angry and sad to abandon the accounting proxy option haha.


    ------------------------------
    Alex Beaudet
    Network/Sysadmin
    Université du Québec à Trois-Rivières
    Quebec, Canada
    ------------------------------



  • 17.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 13, 2020 08:08 AM
    What is your Fortigate configuration?
    Is the RADIUS user on the Fortigate already mapped to a Fortigate group?

    FSSO is not for VPN SSL user...

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 18.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 14, 2020 08:18 AM
    FSSO is a concept and I believe it can be leveraged to use on VPN the same way it works for 802.1X and Wired auth.

    I can forward Radius Accounting packets to the FSSO server and make it work for 802.1X easily so it should be doable for VPN in the same manner.

    As for my configuration what do you want to know exactly? You can write to me in private (french is my first language) if you want to chat about it.

    I am trying to set up the elusive SAML authentication right now and my Fortigate doesn't seem to cooperate for now. Awaiting a TAC from Fortinet.

    ------------------------------
    Alex Beaudet
    Network/Sysadmin
    Université du Québec à Trois-Rivières
    Quebec, Canada
    ------------------------------



  • 19.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 14, 2020 10:36 AM
    This is exactly what I want to achieve : https://docs.fortinet.com/document/fortigate/6.4.3/administration-guide/639646/dynamic-address-support-for-ssl-vpn-policies

    Replace the FortiAuthenticator with either CPPM or Windows NPS and I'm good!
    In theory it should work.

    ------------------------------
    Alex Beaudet
    Network/Sysadmin
    Université du Québec à Trois-Rivières
    Quebec, Canada
    ------------------------------



  • 20.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 14, 2020 03:04 PM
    Ok, interesting,

    You can contact me by mail if you want (easy to find!) (I couldn't find how to send a PM...)

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 21.  RE: CPPM + Fortimanager + FSSO
    Best Answer

    Posted Dec 14, 2020 03:10 PM

    I did it! I finally made it work with Clearpass AND Fortigate without any other shenanigans involved.

    The following document holds the key if you pay attention to the diagram : https://docs.fortinet.com/document/fortigate/6.4.3/administration-guide/639646/dynamic-address-support-for-ssl-vpn-policies

    Fortigate is the one who needs to make the radius accounting and not Clearpass.
    There is a hidden CLI config for the "radius server" which enables sending Accounting to a 2nd server different from the one used for authentication.

    I always focused on Clearpass being the one forwarding Accounting to the fortigate FSSO Agent.  I was wrong and this is the way and it works flawlessly on the first try.

    User connects to SSL VPN with FortiClient --> Fortigate forwards Authentication to Clearpass --> Upon validation Fortigate sends Radius Accounting to Fortigate FSSO Agent Server --> Dynamic policies using the user's full Active Directory security groups are available !



    ------------------------------
    Alex Beaudet
    Network/Sysadmin
    Université du Québec à Trois-Rivières
    Quebec, Canada
    ------------------------------



  • 22.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 20, 2020 06:34 AM

    Hi Alex,

    I am investigating this topic and scenario.

    I did not understand why you need SSO for the SSL VPN users policy.

    When somebody connects via FortiClient, the FortiGate itself can detect the user group and we make a policy with this.



  • 23.  RE: CPPM + Fortimanager + FSSO

    Posted Dec 21, 2020 06:19 AM

    +1 with GoAruba

    Or maybe it is for auth on another firewall?



    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 24.  RE: CPPM + Fortimanager + FSSO

    Posted Jan 05, 2021 09:56 AM
    Hi guys, I will do my best to explain to you why this is needed on my end. Sorry for the delay but, you know, holidays off work and all that haha.

    Fortigate : We bought this product to leverage its ability to use Active Directory Security Groups to filter firewall policies dynamically based on user memberships instead of devices/IPs (old school Firewall).

    Having the Fortigate Single Sign-On Agent (FSSO) configured on our network makes the magic happen for all wired devices joined to our AD Domain. The Agent scans the Event Logs on Domain Controllers and , in real time, knows who is connected on what device and applies the right FW Policies according to AD group membership. 

    This makes it easy for FW policy management as it is simply "another AD group" to add to the user instead of relying on the network guys to make changes directly in the firewall and maintain device names linked to users, etc.

    That part I believe you knew and understood.

    Wifi : It was extremely easy to make this work for all (Domain joined or not) WiFi clients with Clearpass. Simply Forward the Radius Accounting to the FSSO Agent and voilà the Fortigate now knows that Device X belongs to user Y and all existing policies for the wired devices now also work with the wireless devices for the same users/groups.

    Logically, from home with the VPN, it should be the same way don't you think? Even more so this year since everybody is working from Home and the goal is to be as close to the office environment as possible.  So there was my goal for fall 2020 : Make Fortigate's SSL VPN work with AD Group membership for FW Policies.

    All white papers and documents describe how to "send to Fortigate" a group name and use that on the Fortigate side of things to separate users like employees, guests, etc.  This is all well and easy to use but this is not the solution I needed.  I needed the "big guns" with AD authentication and all group memberships in the same way I use them for wired and wireless.

    While Fortigate's VPN requires a different set of Firewall Rules than wired/wireless at least I can reuse the same logic and groups to give access to our remote workers.

    Now that this is working it is incredibly smooth to work from home on our own PCs without even being "domain joined". It is a joy to administer and, so far, the tests are conclusive that this is a much better way to "remote work" than the old "remote desktop to your work PC to do your things".

    Don't hesitate if you need more info on any part of this.

    happy new year to all of you!

    ------------------------------
    Alex Beaudet
    Network/Sysadmin
    Université du Québec à Trois-Rivières
    Quebec, Canada
    ------------------------------



  • 25.  RE: CPPM + Fortimanager + FSSO

    Posted Jan 07, 2021 08:05 AM
    Thanks Alex for the feedback!

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------