Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

  • 1.  NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted Mar 17, 2015 03:33 PM
    Teams,
    Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.


  • 2.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted May 06, 2015 01:15 PM

    Hi Danny 

    Could you unblock the support portal so users with no login can read these docs

     

    kind regards, jane



  • 3.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    EMPLOYEE
    Posted May 06, 2015 01:17 PM

    All Aruba documentation is available without a support account.

     

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961



  • 4.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted May 06, 2015 03:28 PM

    This must be 'THE' Jane Cox, if you're asking about CPPM + Fortinet..!!!

     

    Jane, as Tim says, ANYONE can get to the TechNotes, no credentials required.....

     

    Note: I sent a copy of the original (1.0) and latest version (1.1) of this doc to Kash & Graham in the UK.



  • 5.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted May 07, 2015 10:47 PM

    Hello 

    Could you explain what benefits you would get by integrating with clearpass?

     

    We are a Fortinet platinum partner, so we do have a lot of clients with FortiGates, and I'm interested in this, but I would like to know what benefit someone having a FortiGate will have integrating with ClearPass?

     

    Cheers

    Carlos



  • 6.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    EMPLOYEE
    Posted May 07, 2015 10:56 PM

    @NightShade1 wrote:

    Hello 

    Could you explain what benefits you would get by integrating with clearpass?

     

    We are a Fortinet platinum partner, so we do have a lot of clients with FortiGates, and I'm interested in this, but I would like to know what benefit someone having a FortiGate will have integrating with ClearPass?

     

    Cheers

    Carlos


    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=17064



  • 7.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted Nov 18, 2015 05:27 PM

    We have this configured and it is working well for most users.  Guest SSID with MAC cache is coming through the MAC address as the user, anyone have any thoughts on how to ensure it uses their Guest username instead? 



  • 8.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted Nov 18, 2015 05:45 PM

    On the mac auth apply this enforcement and see if it works.

    Screen Shot 2015-11-18 at 3.59.50 PM.png



  • 9.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted Mar 22, 2016 10:27 AM

    Is this technote still available? I am trying to find it on the Aruba support center documentation but cannot get it.

    Help will be much appreciated.



  • 10.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate



  • 11.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted Mar 22, 2016 11:48 AM

    Yep, it's still there......

    Documentation.png



  • 12.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted Mar 23, 2016 06:59 PM

    Thanks! How did you know that I just ordered a pair of FortiGate firewalls?



  • 13.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted Apr 27, 2016 04:49 AM

    Hello,

     

    We are trying to configure this on a setup with one of our customers. But when we send back the {Tips:Role} it is sending all the Tips Roles back to the FortiGate (we are giving several roles to the users; below is only an example).

    If a user gets the roles "[User Authenticated], guest, example" back in ClearPass, we now can only send back "[User Authenticated], guest, example". But we only want to filter on the "example" part on the side of the FortiGate, and this needs to be an exact match apparently. Is there a possibility to only send "example" back to the FortiGate? (We need to be flexible, since other roles can be sent back too, like "example2" instead of "example", since we can have different roles in our setup and we filter on them in our enforcement policies.)

    Or is it possible to send back the role we use in our enforcement, i.e. send our Aruba role to the FortiGate instead of the %{Tips:Role}?

     

    I hope my question is clear enough?

     

    Thanks in advance,

    Thomas



  • 14.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted Apr 27, 2016 02:46 PM

    Hey Thomas,

     

    Did you see my 1.1 version where I built a work-around to calculate a tips-role and just send the tips-role?



  • 15.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted Apr 28, 2016 05:37 AM

    Hello Danny,

     

    yes I did read your document, and our configuration is based on your document, but it is always sending the complete string with all Tips Roles and for this we only need 1 Tips Role

     

    kind regards,

    Thomas



  • 16.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted Apr 28, 2016 01:34 PM

    But I show how to overcome that in the Version 1.1 of the document. Page 19-20 where we assign a {Tips-Role} and then send this single value. 

     

    Does this not work for you?

     

     



  • 17.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted Apr 29, 2016 03:09 AM

    Yes it is, but since at the Role selection part we are using the option "evaluate all", it is sometimes getting more than 1 role, on which we make some decisions in the enforcement policy to send VLAN and user-role back to the Aruba controllers;

    So the Tips:Role consists of several roles on that point and not 1 in particular, while after we made the decisions on our enforcement policy, we only send 1 user role back to the Aruba; we would like to send the same Aruba role back to the fortinet as well. (it is the request of our customer)

     

    I will provide you with an example:

    If employees are logging in we can receive the TIPS role:

    * employee and engineer

    * employee and admin

    * employee and sales

    If a contractor logs in:

    * contractor and engineer

    * contractor and admin

    Then we are always sending these 2 roles back to the Fortinet, while we only send 1 role back to the Aruba controller, but we want to differentiate on our ClearPass if it is a contractor or employee and if it is together with that an engineer role or an admin role. So we need to select "evaluate all" in the role mapping, and in the enforcement policy we are using "apply first applicable". And then we want this user-role that is sent back to the controller also to be sent back in the accounting message to the Fortinet.



  • 18.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted May 03, 2016 05:07 AM

    any thoughts on how to solve this?

     

    kind regards,



  • 19.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    MVP GURU
    Posted May 24, 2016 10:26 AM

    @Thomasds wrote:

    Yes it is, but since at the Role selection part we are using the option "evaluate all", it is sometimes getting more than 1 role, on which we make some decisions in the enforcement policy to send VLAN and user-role back to the Aruba controllers;

    So the Tips:Role consists of several roles on that point and not 1 in particular, while after we made the decisions on our enforcement policy, we only send 1 user role back to the Aruba; we would like to send the same Aruba role back to the fortinet as well. (it is the request of our customer)

     

    I will provide you with an example:

    If employees are logging in we can receive the TIPS role:

    * employee and engineer

    * employee and admin

    * employee and sales

    If a contractor logs in:

    * contractor and engineer

    * contractor and admin

    Then we are always sending these 2 roles back to the Fortinet, while we only send 1 role back to the Aruba controller, but we want to differentiate on our ClearPass if it is a contractor or employee and if it is together with that an engineer role or an admin role. So we need to select "evaluate all" in the role mapping, and in the enforcement policy we are using "apply first applicable". And then we want this user-role that is sent back to the controller also to be sent back in the accounting message to the Fortinet.


    Hi Thomas,

    Do you have some feedback ?

    Because I have the same issue (ClearPass sends 2 roles... my role and also [User Authenticated])...

     



  • 20.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted May 24, 2016 10:33 AM
    Unfortunately not. We are going to try to do this directly from the Aruba controller with accounting. But still need to test this again if it would work that way.


  • 21.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    MVP GURU
    Posted May 24, 2016 10:36 AM

    @Thomasds wrote:
    Unfortunately not. We are going to try to do this directly from the Aruba controller with accounting. But still need to test this again if it would work that way.

    Ok, I'm interested in your feedback...

     



  • 22.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted May 24, 2016 10:44 AM
    Ok, I will keep you posted, but since I am at Atmosphere EMEA, it won't be this week.


  • 23.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted Sep 25, 2016 12:59 PM

    Hello Guys,

     

    Has anyone found a solution for this problem? I'm also having the same problem.

     

    Regards,

    Erdem



  • 24.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted Oct 10, 2016 08:43 AM

    Hello Erdem,

    We discussed this via pm before. but together we have a working solution:

    Basically, I am making use of the Endpoint object to store the role we would like to send to Fortinet:
     
    Create an Endpoint attribute, e.g "ShortRole"
     
    Create a 'Clearpass Entity Update Enforcement' profiles for each role you would like to send to Fortinet
    E.g.
    Profile1: Write MARKETING role  : Endpoint:ShortRole = MARKETING
    Profile2: Write GUEST role : Endpoint:ShortRole = GUEST
    etc.
     
    In your Enforcement Policy, you can make a rule like:
    Tips:Role CONTAINS Marketing  ==> Your Radius Enforcement profile(s) + "Write MARKETING role"
    Tips:Role CONTAINS Guest  ==> Your Radius Enforcement profile(s) + "Write GUEST role"
    etc.
     
    The Short Role will be written in the corresponding Endpoint object.
     
    Next, set your Accounting Proxy to:
    RadiusIETF: Filter-Id = %{Endpoint:ShortRole}

    But after testing this, it was not always working, so:
    The problem is that the endpoint is updated too slowly, so the attribute does not exist yet at the moment the accounting message is sent to the FortiGate.
    In our situation, I found a workaround, since we are working with guest authentication with MAC caching: after the first authentication (Web), I do a Change of Authorization and kick the user off the network. He will automatically reconnect with MAC authentication, and the attribute is sent successfully to the Fortinet!

     

    I hope you are able to use this in your setup.

     

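An added illustration in Python (not code from the thread, HPE Aruba or Fortinet) of the logic in the post above: it models the original Filter-Id that carries every Tips:Role value, the first-applicable CONTAINS rules that pick a single Endpoint:ShortRole, the FortiGate's exact group match, and the timing problem where the Endpoint write lands after the accounting packet is proxied. The default-role list and the extra contractor/employee rules are constructed for the thread's examples.

```python
from typing import Optional

# ClearPass default roles that are added automatically and that the FortiGate
# exact-match group must never see (constructed list, not from the thread).
DEFAULT_ROLES = {"[User Authenticated]", "[Guest]", "[Machine Authenticated]"}

# The "apply first applicable" enforcement policy from the post: the first
# "Tips:Role CONTAINS <needle>" rule that matches picks the Endpoint:ShortRole.
SHORT_ROLE_RULES = [
    ("Marketing", "MARKETING"),
    ("Guest", "GUEST"),
    ("contractor", "CONTRACTOR"),  # assumed extra rules for the thread's examples
    ("employee", "EMPLOYEE"),
]

def parse_tips_roles(tips_role: str) -> list[str]:
    """Split the comma-separated %{Tips:Role} value into individual role names."""
    return [r.strip() for r in tips_role.split(",") if r.strip()]

def naive_filter_id(tips_role: str) -> str:
    """Original accounting proxy: Filter-Id carries the whole %{Tips:Role} string."""
    return tips_role

def compute_short_role(tips_role: str) -> Optional[str]:
    """Evaluate the CONTAINS rules first-applicable; None when no rule matches."""
    roles = [r for r in parse_tips_roles(tips_role) if r not in DEFAULT_ROLES]
    for needle, short_role in SHORT_ROLE_RULES:
        if any(needle in r for r in roles):
            return short_role
    return None

def fortigate_group_matches(filter_id: str, group: str) -> bool:
    """The FortiGate compares its RADIUS group name to Filter-Id exactly."""
    return filter_id == group

def simulate_auth(tips_role: str, endpoint: dict, write_lands_first: bool) -> str:
    """One authentication pass. The Entity Update writes Endpoint:ShortRole and the
    accounting proxy reads %{Endpoint:ShortRole}; if the write lands after the
    accounting packet is proxied (the timing problem in the post), the stale or
    missing Endpoint value is what reaches the FortiGate."""
    short_role = compute_short_role(tips_role)
    if not write_lands_first:
        filter_id = endpoint.get("ShortRole", "")
    if short_role is not None:
        endpoint["ShortRole"] = short_role
    if write_lands_first:
        filter_id = endpoint.get("ShortRole", "")
    return filter_id
```

Running simulate_auth twice against the same endpoint dict with write_lands_first=False reproduces the workaround: the first (Web) pass sends an empty Filter-Id, the MAC re-authentication after the CoA sends the value written by the first pass.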


  • 25.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted Feb 24, 2017 01:37 PM

    Hey All,

    I have read through this thread and I too am facing the same issue with ClearPass forwarding multiple roles. Has anyone found a better way to go about sending the accounting packets to FortiGate?

     

    Right now we do have somewhat of a working solution; however, instead of having the group just as BYOD-Student we also have to add BYOD-Student, [User Authenticated], since ClearPass forwards the default roles as well : /



  • 26.  RE: NEW TechNote - ClearPass 6.5 and Fortinet Integration, covering Forti-Authenticator and FortiGate

    Posted Feb 24, 2017 02:37 PM

    Hello,

     

    As Thomas mentioned in the previous message, there is a way around it.

     

     

    I have tried it after Thomas posted the resolution, but as he says there is a small problem, and if you are going to use this in a POC environment, make sure to clear the controller cache regularly, because it cannot recognize first-time users, and if you connect with multiple accounts on one device it cannot recognize the role you send. I have tried to explain how to do it in the Word document; I think it will be of use to you.

     

    By the way, thanks Thomas.

     

     

    Attachment(s)

    docx
    cppm-fg.docx   428 KB 1 version