This is related to a separate post I made, but is a question about a (possible?) different solution to the same problem.
TL;DR - we want to NAT a subset of our Guest SSID users (based on Azure group membership) on our FortiGate FW, but don't know how to make the NATing part of that happen for just these particular users. (Currently all our Guest users are NAT'd on this FW, but we need to NAT this subset to a different NAT pool). Can ClearPass/AOS integrate with the FW to make that happen?
We have a Guest wireless SSID, a captive portal running on ClearPass. We need to cater for a group of users who need IP-based access to journals. So we need to NAT those users onto a distinct, public IP range. We can identify those users as they will log in using Azure accounts and those accounts will be in a certain Azure group, so we can identify them and put them, e.g., into a particular role. That part we can do. Plan A is then to NAT them on AOS in that special user role; we have got that working too.
But for various reasons (logging and access to logs for our security team being a big reason) it would actually be preferable to NAT these users on our FortiGate FW (which is where the rest of the Guest users are already NAT'd). But I have no idea how that might be accomplished. So this is really a query to ask whether anyone has attempted something like this? Is there a way that ClearPass can integrate with the FW and pass it, I'm not sure what, a role/policy name? (I don't know the mechanics of how it might work.) And then the FW could identify traffic from those users' devices and NAT to the special pool?
Note - because it's a captive portal devices already have IP addresses at the point of auth'ing and so dropping them onto a different VLAN doesn't work (we don't want to get into the battle of trying to get devices to re-DHCP once dropped onto a new VLAN after auth, so this approach has been ruled out).
I have looked at the docs for integration:
One from 2015 uses FortiAuthenticator/RestAPI/RADIUS accounting, and a later 2020 doc uses the API and Aruba-Roles.
I'm not sure of the pros & cons of the different approaches outlined, but in theory it looks like they all allow us to send a role to the FortiGates. What that means in terms of how the FG then identifies traffic coming from the controllers and NATs it as we want, I'm not sure.
Any advice/shared experience much appreciated
I've done something very similar with Cisco ISE pxGrid. ClearPass also has a similar integration with FortiGates, it does require FortiManager to disseminate the Roles to managed FortiGates.
ClearPass integration for dynamic address objects | Administration Guide
Thank you, these docs look like useful additions to the Aruba ones. I'll get together with the FortiGate guy here and we can look at configuring this.
So is it purely IP based - ClearPass tells FortiManager/Gate that x.x.x.x should have a particular policy (in this case to be NAT'd to a particular pool) and when traffic from that client IP hits the FW via the wireless controllers it hits that dynamic rule? I just wasn't sure if there was anything more fancy going on.
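Since the main reason for moving the NAT onto the FortiGate is that the security team can see the logs, one practical check once the dynamic-address policy is in place is to audit the FortiGate traffic logs and confirm that every client ClearPass put in the journals role is actually being translated into the journals pool (and that nobody else is). The script below is an added example, not code from the thread, Aruba or Fortinet. It assumes the standard FortiOS key=value traffic log fields `srcip`, `transip` and `policyid`; the log lines, the set of role-member client IPs (which in practice you would export from ClearPass) and the pool ranges are all constructed for the example.

```python
import ipaddress
import re

# Constructed FortiGate-style traffic log lines (sample data, not real logs).
# The field names follow the FortiOS traffic log format; the values are made up.
SAMPLE_LOGS = """\
date=2023-09-26 time=11:54:01 type="traffic" subtype="forward" srcip=10.20.30.11 dstip=198.51.100.7 policyid=12 action="accept" transip=203.0.113.5 transport=51022
date=2023-09-26 time=11:54:02 type="traffic" subtype="forward" srcip=10.20.30.42 dstip=198.51.100.9 policyid=7 action="accept" transip=192.0.2.20 transport=40211
date=2023-09-26 time=11:54:03 type="event" subtype="system" logdesc="Configuration changed" user="admin"
date=2023-09-26 time=11:54:03 type="traffic" subtype="forward" srcip=10.20.30.77 dstip=198.51.100.7 policyid=7 action="accept" transip=192.0.2.21 transport=40212
date=2023-09-26 time=11:54:04 type="traffic" subtype="forward" srcip=10.20.30.99 dstip=198.51.100.9 policyid=12 action="accept" transip=203.0.113.6 transport=51023
"""

# Assumed inputs: client IPs ClearPass placed in the journals role (in practice
# exported from ClearPass), and the public pool that role should be NATed into.
JOURNALS_ROLE_IPS = {"10.20.30.11", "10.20.30.77"}
JOURNALS_POOL = "203.0.113.0/29"

# key=value pairs; values may be double-quoted (type="traffic") or bare (srcip=10.0.0.1).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiOS key=value log line into a dict of string fields."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def audit_nat_pool(log_text, role_ips, role_pool):
    """Return a list of (srcip, transip, policyid, reason) for every session where the
    translated address disagrees with the role the client should have been given."""
    pool = ipaddress.ip_network(role_pool)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only forward traffic records carry transip; skip event logs and un-NATed flows.
        if rec.get("type") != "traffic" or "transip" not in rec:
            continue
        src = rec.get("srcip", "")
        trans = ipaddress.ip_address(rec["transip"])
        in_role = src in role_ips
        if in_role and trans not in pool:
            findings.append((src, str(trans), rec.get("policyid"),
                             "role user NATed outside journals pool"))
        elif not in_role and trans in pool:
            findings.append((src, str(trans), rec.get("policyid"),
                             "non-role user NATed into journals pool"))
    return findings


if __name__ == "__main__":
    for src, trans, policy, reason in audit_nat_pool(SAMPLE_LOGS, JOURNALS_ROLE_IPS, JOURNALS_POOL):
        print(f"{src} -> {trans} (policy {policy}): {reason}")
```

Run against a real export, the two finding types map directly onto the two ways the integration can go wrong: a role member still hitting the general Guest NAT policy (ClearPass never pushed the address, or it aged out), or a non-member landing in the journals pool (stale dynamic address object after the client's IP was reused). The `policyid` in each finding tells you which FortiGate policy actually matched, which is the first thing the FortiGate admin will ask for.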
Original Message:
Sent: Sep 26, 2023 11:54 AM
From: cauliflower
Subject: ClearPass - Fortigate integration - NAT'ing subset of Guest users
Great, thanks, sounds like it'll do what we want