Many thanks, that is very helpful.
Exactly, I don't have any helpful information from Fortinet other than the actual integration guide. The only useful bits I found were in this forum.
I am trying to use the user-IP mapping from ClearPass in FortiManager for user-based rules. FortiManager does not communicate with AD, hence we are using the roles from FMG for identity-based policies.
The issue regarding CoA was highlighted, where possibly a CoA re-auth is not caught. For instance, a user had Role X and after CoA gets Role Y; FMG will be unaware post-auth, since the notification is only on disconnect and re-connect.
Thanks.
------------------------------
many thanks
------------------------------
Original Message:
Sent: May 14, 2024 12:24 PM
From: Mflowers@beta.team
Subject: Fortimanager CPPM integration
The FortiManager integration guide/documentation is pretty trash on both the Aruba side and the Fortigate side.
This might help you out:
here is the JSON that I use for Fortimanager:
{
  "adom": "root",
  "user": "%{Radius:IETF:User-Name}",
  "role": "%{Radius:IETF:Class}",
  "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
  "connector": "CPPM - FSSO"
}
I send %{Radius:IETF:Class} and %{Radius:Aruba:Aruba-User-Role} in my enforcement profiles. I have found that Aruba APs in AOS10 will lose the Aruba-User-Role attribute when sending radius accounting updates. I worked around this by setting the group in the Class attribute. They also lose the Filter-ID attribute as well (I tried that one as well).
You can set "role": "%{Radius:IETF:Class}" to whatever works the best for you. You can also set this to all of the roles that are returned but I have found this to be an issue. I didn't do a ton of troubleshooting at the time but I think it had something to do with how my roles were named or something (don't remember - it was too long ago at this point).
I have found the %ip attribute to be unreliable. I worked around that by sending "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}".
To do this you need to edit the Authentication Sources - [Endpoints Repository] and add this:
(Add More Filters)
Filter Name: IP Address
Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')
Name: ip | Alias Name: IP Address | Data type: String | Enabled As: Attribute
As for the CoA - is this for your Captive Portal CoA or post-auth enforcement CoA? If it is a Captive Portal CoA, you can just disconnect the user and use MAC caching. This will cause a logout message to be sent to FortiManager and then a login message when the user connects again. If you are unsure what I am talking about, I can give more details on using MAC caching with captive portal.
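As an added example that is not the poster's code (the table schema, the attribute names in the input dict and the sample rows are assumed/constructed), this models in Python what the post's connector JSON and endpoint filter do: the Class fallback for the Aruba-User-Role that AOS10 APs drop from accounting updates, and the IP lookup by delimiter-stripped MAC using the same query as the [Endpoints Repository] filter.

```python
import sqlite3

# Constructed sample rows for the CPPM endpoint profile table the filter
# queries; the real schema is larger, only the two columns the filter uses
# (mac stored lowercase without delimiters, ip) are modelled here.
ENDPOINT_ROWS = [
    ("aabbccddeeff", "10.20.30.40"),
    ("001122334455", "10.20.30.41"),
]


def endpoints_repo():
    """In-memory stand-in for the [Endpoints Repository] authentication source."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tips_endpoint_profiles (mac TEXT, ip TEXT)")
    db.executemany("INSERT INTO tips_endpoint_profiles VALUES (?, ?)", ENDPOINT_ROWS)
    return db


def lookup_ip(db, client_mac):
    """Same query as the filter on the page; the macro
    %{Connection:Client-Mac-Address-NoDelim} becomes a bound parameter."""
    nodelim = client_mac.replace(":", "").replace("-", "").replace(".", "")
    row = db.execute(
        "SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER(?)", (nodelim,)
    ).fetchone()
    return row[0] if row else None


def build_fmg_payload(radius, db, connector="CPPM - FSSO", adom="root"):
    """Render the FortiManager connector body from the RADIUS attributes of
    one request/accounting update (keys are assumed attribute names).

    role: prefer Aruba-User-Role, fall back to Class because the AP drops
    Aruba-User-Role (and Filter-Id) in accounting updates.
    ip-addr: resolve from the endpoint repository by MAC; %ip (Framed-IP-Address)
    is only the last resort because the post reports it as unreliable.
    """
    role = radius.get("Aruba-User-Role") or radius.get("Class")
    if not role:
        raise ValueError("no role attribute; FMG would receive an empty role")
    ip = lookup_ip(db, radius["Client-Mac-Address"]) or radius.get("Framed-IP-Address")
    if not ip:
        raise ValueError("no IP for endpoint; skip rather than post a wrong user-IP mapping")
    return {"adom": adom, "user": radius["User-Name"], "role": role,
            "ip-addr": ip, "connector": connector}
```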
Original Message:
Sent: May 13, 2024 09:08 AM
From: FortiCPPM
Subject: Fortimanager CPPM integration
Hello,
I am currently looking at integrating CPPM (6.11.x) and FortiManager (7.2.x) for user/identity based policies.
I have been looking at previous posts and following this guide from FortiManager: Creating ClearPass connectors | Administration Guide
We are planning to use FortiClient for VPN access.
The issue with roles is FMG only takes the first role and hence causes an issue. Also, COA on CPPM is not notified to FMG.
I was looking at FSSO: Airheads Community
Can anyone please advise the best way?
------------------------------
many thanks
------------------------------