  • 1.  ClearPass - Fortinet integration troubleshooting

    Posted Sep 29, 2023 10:20 AM

    Hello,

    We are setting up CPPM Fortinet integration following the guide here:

    https://support.hpe.com/hpesc/public/docDisplay?docId=a00106091en_us

    We're making good progress: FortiManager gets the list of roles from CPPM, but it doesn't look like the login-logout profile action in the enforcement policy is having an effect (the right role is being sent to AOS, so the users end up in the correct role there). Is there any way to see exactly what CPPM is attempting to send to FortiManager? Anywhere that would show whether the connection to FMG is successful or not (from the ClearPass end)?

    One other question: in the Context Server Actions, the content we are sending is:

    {
    "adom":"<adom name>",
    "connector":"ClearPass",
    "user":"%{Authentication:Username}",
    "role":"%{Tips:Role}",
    "ip-addr":"%{ip}"
    }

    But we don't actually do any role mapping in the Service for this SSID; we just send the role we want to use back to AOS. So I don't know what %{Tips:Role} would actually be. We could add a role mapping, I guess, if that would solve it. Or should we just hard-code the role we want in the JSON above, like "role":"our_role"?

    Guy
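    As an added example (not part of this thread, and not ClearPass's or Fortinet's own code): a small Python renderer for a Context Server Action body like the one above. It expands the %{Namespace:Attribute} macros from a constructed set of session attributes, checks that the result is still valid JSON, and flags a %{Tips:Role} that resolves to nothing, which is the situation the post describes when the service has no role mapping. The assumption that an unset macro expands to an empty string is mine, not documented behaviour.

```python
import json
import re

# Constructed template in the shape of the Context Server Action body from the post.
# The <adom name> placeholder is left exactly as the post had it.
TEMPLATE = """{
"adom":"<adom name>",
"connector":"ClearPass",
"user":"%{Authentication:Username}",
"role":"%{Tips:Role}",
"ip-addr":"%{ip}"
}"""

MACRO = re.compile(r"%\{([^}]+)\}")


def render_action_body(template: str, attrs: dict) -> tuple[dict, list[str]]:
    """Expand %{...} macros from session attributes and parse the result as JSON.

    Returns (parsed_body, unresolved); unresolved lists macros that were missing
    or empty in the session, e.g. Tips:Role when no role mapping ran.
    Assumption: an unset macro expands to an empty string.
    """
    unresolved = []

    def substitute(match):
        name = match.group(1)
        value = str(attrs.get(name, ""))
        if value == "":
            unresolved.append(name)
        # Escape quotes/backslashes so the substituted value cannot break the JSON.
        return json.dumps(value)[1:-1]

    body = json.loads(MACRO.sub(substitute, template))
    return body, unresolved


def role_is_usable(body: dict, unresolved: list[str]) -> bool:
    """True only if the body carries a non-empty role that was actually resolved."""
    return bool(body.get("role")) and "Tips:Role" not in unresolved


# Constructed sample sessions: one where role mapping set Tips:Role, one where it did not.
WITH_ROLE = {"Authentication:Username": "guy", "Tips:Role": "guest-role", "ip": "10.1.2.3"}
NO_ROLE = {"Authentication:Username": "guy", "ip": "10.1.2.3"}

if __name__ == "__main__":
    for attrs in (WITH_ROLE, NO_ROLE):
        body, missing = render_action_body(TEMPLATE, attrs)
        print(json.dumps(body), "unresolved:", missing, "usable:", role_is_usable(body, missing))
```

Running it shows the second session producing "role":"" and an unresolved Tips:Role, which is what a hard-coded role or an explicit role mapping would avoid.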



  • 2.  RE: ClearPass - Fortinet integration troubleshooting

    Posted Sep 29, 2023 07:50 PM

    What version of FMG are you running?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: ClearPass - Fortinet integration troubleshooting

    Posted Oct 03, 2023 10:55 AM
    Edited by cauliflower Oct 03, 2023 10:56 AM

    Hello,

    Sorry for the delayed reply. We are running:

    FortiManager firmware version: v7.0.7-build0419 230320 (GA)

    FortiGate firmware version: FortiGate 7.0.11,build0489 (GA)

    In the application logs we occasionally see this:

    Client:    x.x.x.x:17266
    App User:  oauth2:API username
    Script:    /guest/apigility.php
    Function:  NwaPhpFatalErrorHandler
    Arguments: array (
    )
    Details:   array (
      'type' => 1,
      'message' => 'Allowed memory size of 268435456 bytes exhausted (tried to allocate 132136960 bytes)',
      'file' => '/opt/amigopod/www/_include/NwaCore/NwaHttpClient.class.php',
      'line' => 879,
    )

    The IP is the IP of FMG. The username is the API client.

    I'm not sure this is the root cause of our issue, but might be a bug so worth noting. We also see what look like successful calls from the FMG with a list of user roles returned.

    There appears to be traffic between the two systems, and my user login to Guest hits the right service and the right enforcement policy, and it _looks_ like the Fortinet login event profile is processed. But I can't see in detail what is happening there. There isn't any sign on the FMG that the login/logout events are doing anything.




  • 4.  RE: ClearPass - Fortinet integration troubleshooting

    Posted Oct 03, 2023 06:24 PM

    Maybe you need to update the firmware to 7.0.12 (looks to be the latest in the 7.0 series) on the FortiGate.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 5.  RE: ClearPass - Fortinet integration troubleshooting

    Posted Oct 05, 2023 04:02 AM

    Morning,

    We will put the upgrade on our list to do.

    We did eventually get the login message to work: I created the enforcement profile and Context Server Actions again and, hey presto, it worked. So that is progress. Now I log in to our guest network and appear in the correct group on the Fortinet. However, about a minute later the Fortinet shows me logged out again; it looks like it receives a logout message from CPPM. Any idea why that might be?

    At a higher level, how is this supposed to work? When clients authenticate and hit the Guest service, they trigger the login-logout enforcement. But the docs also talk about Fortinet pulling session data from CPPM; have I understood that right? Does it (Fortinet) poll for session data per client that it knows about? How often does that happen?

    Guy




  • 6.  RE: ClearPass - Fortinet integration troubleshooting

    Posted Oct 05, 2023 09:46 AM

    Quick update:

    We think we have fixed the "login and then logout a minute later" issue. On the FortiManager ClearPass connector side we had referenced all 5 of our ClearPass servers (soon to be 6); reducing that to just the Publisher seems to have fixed things on that particular front.




  • 7.  RE: ClearPass - Fortinet integration troubleshooting

    Posted Oct 05, 2023 02:55 PM

    I've tried, but it didn't work.




  • 8.  RE: ClearPass - Fortinet integration troubleshooting

    Posted Oct 05, 2023 03:29 PM

    Hello,

    What aspect of it didn't work for you?




  • 9.  RE: ClearPass - Fortinet integration troubleshooting

    Posted Oct 05, 2023 02:55 PM

    I've tried