Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Not assign [user authenticated] role when user authenticates


Posted Jul 28, 2020 03:05 AM

Hi,

Is there an option to not assign the [User Authenticated] role when a user authenticates? Here's why:

For a customer I'm looking into the Fortinet integration. I followed the technote

https://community.arubanetworks.com/t5/Security/NEW-TechNote-ClearPass-6-5-and-Fortinet-Integration-covering/td-p/230619

but as expected the whole role string is sent to the Fortigate firewall. I tried the workaround too, writing the role assigned through the role mapping into an endpoint attribute and using that for the RADIUS proxy output. Unfortunately that will only start working the second time the user logs on, because RADIUS accounting is quicker than writing the endpoint attribute.

Testing with a fixed user-group string works as expected.

We tried entering the whole role string into the Fortinet user-group RADIUS Attribute Value, but that didn't work either. We were not able to work out what was received by the Fortigate though, so we might have missed something there. The spaces in the string seem to be the trouble.

So, would it be possible to not assign the default [User Authenticated] role when a user passes authentication? Has anyone got a reliable solution which would work from the start with just a Fortigate?

The customer has not purchased FortiManager or FortiAuthenticator because they were told it was not needed for this to function, so I won't be able to use ClearPass Exchange.

If not, I have to figure out a way to bounce the user after the first authentication, which is not a pretty solution.

ClearPass version 6.8. Fortigate version 6.x

Thanks,

Erik
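The matching problem the post describes, as an added illustration (not ClearPass, FortiGate or any forum member's code): a combined ClearPass role list such as "[User Authenticated], Employee" never equals a single configured user-group value, while the single mapped role does. The comma-separated list format, the set of built-in default roles and the whole-string equality check are all assumptions made for this example.

```python
"""
Hypothetical illustration of why a concatenated ClearPass role list fails an
exact user-group match, and how a proxy step could reduce it to the one role
assigned by role mapping before it is forwarded.  Constructed example; the
role-list format and the exact-match behaviour are assumptions.
"""
from typing import List, Optional

# Roles ClearPass adds on its own, independent of the customer's role mapping.
# Assumed list for this example; extend it to match the deployment.
DEFAULT_ROLES = {"[User Authenticated]", "[Guest]", "[Machine Authenticated]"}


def parse_role_string(role_string: str) -> List[str]:
    """Split a comma-separated role list into individual role names.

    Surrounding whitespace is trimmed because "Employee" and " Employee"
    are different strings to any firewall doing a literal comparison.
    """
    return [r.strip() for r in role_string.split(",") if r.strip()]


def mapped_roles(role_string: str) -> List[str]:
    """Keep only the roles that came from role mapping, dropping defaults."""
    return [r for r in parse_role_string(role_string) if r not in DEFAULT_ROLES]


def literal_group_match(role_string: str, user_group: str) -> bool:
    """Emulate a whole-string comparison of the received attribute value
    against one configured user-group value (assumed firewall behaviour)."""
    return role_string == user_group


def normalized_group_match(role_string: str, user_group: str) -> Optional[str]:
    """Return the single mapped role if it equals the configured group.

    Returns None when zero or several mapped roles remain, so an ambiguous
    list is never silently forwarded as a group membership.
    """
    roles = mapped_roles(role_string)
    if len(roles) != 1:
        return None
    return roles[0] if roles[0] == user_group else None


if __name__ == "__main__":
    # Constructed sample value resembling what a role-mapping result looks like
    # once the default role has been appended to it.
    received = "[User Authenticated], Employee"
    print("literal match:", literal_group_match(received, "Employee"))      # False
    print("normalized match:", normalized_group_match(received, "Employee"))  # Employee
```

The normalizer deliberately refuses lists with more than one mapped role rather than picking the first; if several roles can be mapped for one user, the deployment needs an explicit rule for which one the firewall should see.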