Wireless Access

  • 1.  ClearPass - Fortigate integration - NAT'ing subset of Guest users

    Posted Sep 25, 2023 04:58 PM

    This is related to a separate post I made, but is a question about a (possible?) different solution to the same problem.

    We have a Guest wireless SSID, a captive portal running on ClearPass. There are a number of login options including social media and self-registration (email). But we need to cater for a group of users who need IP-based access to journals. So we need to NAT those users onto a distinct, public IP range. We can identify those users as they will log in using Azure accounts and those accounts will be in a certain Azure group, so we can identify them and put them e.g. into a particular role. That part we can do. Plan A is then to NAT them on AOS in that special user role; we have got that working too.

    But for various reasons it would actually potentially be preferable to NAT these users on our Fortigate FW (which is where the rest of the Guest users are NAT'd). But I have no idea how that might be accomplished. So this is really a query to ask whether anyone has attempted something like this? Is there a way that ClearPass can integrate with the FW and pass it, I'm not sure what, a role/policy name and I guess IP and username (I don't know the mechanics of how it might work so I'm guessing) and then the FW could identify traffic from that IP and NAT it separately from the main Guest users? 

    Note - because it's a captive portal devices already have IP addresses at the point of auth'ing and so dropping them onto a different VLAN doesn't work (we don't want to get into the battle of trying to get devices to re-DHCP once dropped onto a new VLAN after auth, so this approach has been ruled out).

    Any advice/shared experience/links to docs much appreciated

    Guy



  • 2.  RE: ClearPass - Fortigate integration - NAT'ing subset of Guest users

    Posted Sep 25, 2023 05:26 PM

    As this is primarily a ClearPass and FortiNet integration question, you'd probably be better off asking over in the Security board.

    ClearPass Docs - Integrations and other useful documentation links

    There are two options documented for integrating with FortiNet.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: ClearPass - Fortigate integration - NAT'ing subset of Guest users

    Posted Sep 26, 2023 06:08 AM

    Thanks - I'll take a look at the docs, and also re-post in Security just in case someone has any real-world experience of what we are trying to achieve.