Security


ClearPass Integration with FortiGate firewall (Controller) for Guest network

  • 1.  ClearPass Integration with FortiGate firewall (Controller) for Guest network

    Posted Dec 24, 2022 09:58 PM

    Hello Community,
    We are working on Guest user authentication with sponsor email approval.
    1. Configured Self registration page on ClearPass.
    2. Configured 802.1x Service on ClearPass side to handle the request.

    Auth methods- PAP

    Auth Source- [Guest User repository]

    Enforcement

    3. Created the SSID on the FortiGate side with portal type "authentication" and Authentication Portal "External", and mapped the self-registration page URL in the SSID.
    1. When the user tries to connect to the SSID, the user is redirected to the self-registration page to submit their information.
    2. Email received for sponsor approval.
    3. User logs in with username and password.
    4. Request received on ClearPass.
    5. ClearPass authenticates the user and the user gets network access.
    Everything is working fine till here.

    But the issue is that once the account has expired in Guest, the user is still connected to the network.

    When we checked on the FortiGate side, FortiGate is keeping the session record.
    After de-authenticating the user record from FortiGate, when a new request arrives on ClearPass, ClearPass denies access.
    So is there anything we are lacking on the ClearPass side? How can we notify the NAD (FortiGate) that the user has already expired?
    Regards,

    Nilesh
  • 2.  RE: ClearPass Integration with FortiGate firewall (Controller) for Guest network

    Posted Jan 02, 2023 06:44 AM
    I'm not a FortiGate expert, but in general there are at least two approaches:
    1) Use the CoA feature in ClearPass Guest to disconnect the user when the user gets disconnected (change the NAS type to your device type):
    ... and you may need to set the expiration action to "disable and logout" under the Guest Manager options:
    2) The second option is to return a Session-Timeout, which, if honored by your Fortinet device, should remove the user session. I would first try whether the Session-Timeout works, then use [Guest Repository]:RemainingExpiration to set the Session-Timeout to exactly the remaining time.

    Not sure if both work, but please let us know.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
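As an added illustration (not code from this thread, nor from Aruba or Fortinet), here is a minimal Python model of the two mechanisms described in the answer above: deriving a Session-Timeout from the guest account's remaining lifetime, and building and verifying an RFC 5176 Disconnect-Request such as a CoA-enabled ClearPass would send to the NAD. The attribute numbers are the standard RADIUS ones; the username, Acct-Session-Id, shared secret and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet code for Disconnect-Request and standard RADIUS attribute types (RFC 2865/2866)
DISCONNECT_REQUEST = 40
ATTR_USER_NAME = 1
ATTR_SESSION_TIMEOUT = 27
ATTR_ACCT_SESSION_ID = 44


def remaining_session_timeout(expire_epoch, now_epoch):
    """Session-Timeout (seconds) so the NAD drops the session exactly when the guest account expires.
    Returns 0 when the account is already expired, i.e. no session should be admitted at all."""
    return max(0, int(expire_epoch - now_epoch))


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type | Length | Value; integers become 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack(">I", value)
    return struct.pack("BB", attr_type, 2 + len(value)) + value


def build_disconnect_request(identifier, username, acct_session_id, secret):
    """Build a Disconnect-Request identifying the session to tear down.
    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), per RFC 5176."""
    attrs = encode_attr(ATTR_USER_NAME, username.encode()) + encode_attr(
        ATTR_ACCT_SESSION_ID, acct_session_id.encode()
    )
    length = 20 + len(attrs)  # 4-byte header + 16-byte authenticator + attributes
    header = struct.pack(">BBH", DISCONNECT_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_disconnect_request(packet, secret):
    """What a NAD must do on receipt: recompute the authenticator with the shared secret and
    silently discard the packet if it does not match (otherwise anyone could drop sessions)."""
    header, received_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(received_auth, expected)


if __name__ == "__main__":
    # Constructed sample: account expires 600 s from "now", then a CoA disconnect for that session
    print(encode_attr(ATTR_SESSION_TIMEOUT, remaining_session_timeout(1000, 400)).hex())
    pkt = build_disconnect_request(7, "guest1", "0A1B2C", b"s3cret")
    print(pkt.hex(), verify_disconnect_request(pkt, b"s3cret"))
```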