last person joined: 22 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

CPPM 6.7 using Fortinet-Group-Name attribute- factibility 

Feb 02, 2021 02:22 AM

I need to configure 802.1x PEAP authentication using CLEARPASS as NAC and Fortigate100D as NAD. take in consideration that fortigate 100D works as a WLC for FortiAP431F (Tunnel mode), so user authentication and authorization should be done from SSID created on fortiAP. but I want only users belonging to specific group to have access to the network. Users and groups are stored on CLEARPASS as an authentication source through Active directory.

I was researching and found the following fortinet's link that makes me an idea.

It expect that AVP being provided by NAS server (RADIUS server) in Access-Accept (if user pass authentication).
And then FortiGate compare string-by-string what is in group match config and what he got from RADIUS server. If it matches perfectly (100% match) then the user is considered as member of that group in FORTIGATE device, Then it could apply a firewall policy on fortinet based on Source group name.

could the test work with clearpass and fortiAP with those advices?

I attach two screens of planning for clearpass, in enforcement and profiles

please, your advice or support if it is possible or not.

0 Favorited
3 Files
jpg file
enforcement_policy_CPPM.jpg   79 KB   1 version
Uploaded - Feb 02, 2021
JPG file
enforcement_profile_CPPM.JPG   43 KB   1 version
Uploaded - Feb 02, 2021
jpg file
FORTIGATE_GROUP_NAME.jpg   68 KB   1 version
Uploaded - Feb 02, 2021

Related Entries and Links

No Related Resource entered.