Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Fortimanager CPPM integration

  • 1.  Fortimanager CPPM integration

    Posted 10 days ago

    Hello,

    I am currently looking at integrating CPPM (6.11.x) and FortiManager (7.2.x) for user/identity based policies.

    I have been looking at previous posts and following this guide from FortiManager: Creating ClearPass connectors | Administration Guide

    We are planning to use FortiClient for VPN access.

    The issue with roles is FMG only takes the first role and hence causes an issue. Also, COA on CPPM is not notified to FMG.

    I was looking at FSSO: Airheads Community


    Can anyone please advise the best way?




    ------------------------------
    many thanks
    ------------------------------



  • 2.  RE: Fortimanager CPPM integration

    EMPLOYEE
    Posted 10 days ago

    There are a couple of entries for FortiXXXX available at https://arubanetworks.com/clearpassdocs, although the FortiManager integration looks like it was last touched in 2020.  Have you looked at those?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Fortimanager CPPM integration

    Posted 8 days ago

    Many thanks, yes I had checked the 2020 post, but wanted to check if anyone has had success in the integration in the newer version 7.x.



    ------------------------------
    many thanks
    ------------------------------



  • 4.  RE: Fortimanager CPPM integration

    Posted 9 days ago

    The Fortimanager integration guide/documentation is pretty trash on both Aruba side and Fortigate side.

    This might help you out:
    here is the JSON that I use for Fortimanager:

    {
       "adom": "root",
       "user": "%{Radius:IETF:User-Name}",
       "role": "%{Radius:IETF:Class}",
       "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
       "connector": "CPPM - FSSO"
    }

    I send %{Radius:IETF:Class} and %{Radius:Aruba:Aruba-User-Role} in my enforcement profiles.  I have found that Aruba APs in AOS10 will lose the Aruba-User-Role attribute when sending RADIUS accounting updates.  I worked around this by setting the group in the Class attribute.  They also lose the Filter-ID attribute (I tried that one as well).

    You can set "role": "%{Radius:IETF:Class}" to whatever works the best for you.  You can also set this to all of the roles that are returned but I have found this to be an issue.  I didn't do a ton of troubleshooting at the time but I think it had something to do with how my roles were named or something (don't remember - it was too long ago at this point).

    I have found the %ip attribute to be unreliable.  I worked around that by sending "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}".

    To do this you need to edit the Authentication Sources - [Endpoints Repository] and add this:

    (Add More Filters)
    Filter Name: IP Address
    Filter Query: SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER('%{Connection:Client-Mac-Address-NoDelim}')

    Name: ip | Alias Name:IP Address | Data type:String | Enabled As:Attribute

    As for the COA - Is this for your Captive Portal COA or post-auth enforcement COA?  If it is a Captive Portal COA, you can just disconnect the user and use MAC caching.  This will cause a logout message to be sent to FortiManager and then a login message when the user connects again.  If you are unsure what I am talking about I can give more details on using MAC caching with Captive Portal.
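    As an added illustration (not code from the thread or from either vendor), this Python models the context body above: it runs the post's Endpoints Repository filter query against a constructed SQLite stand-in for tips_endpoint_profiles, substitutes the %{...} placeholders, and flags the two conditions the thread reports as breaking FMG (a multi-valued role and an unresolved IP). The table rows, attribute values and the comma-separated multi-value convention are assumptions.

```python
import re
import sqlite3
from ipaddress import ip_address

# Placeholder syntax ClearPass uses in context bodies, e.g. %{Radius:IETF:Class}
PLACEHOLDER = re.compile(r"%\{([^}]+)\}")

# The FortiManager FSSO JSON body from the post above, kept verbatim as the template.
JSON_TEMPLATE = {
    "adom": "root",
    "user": "%{Radius:IETF:User-Name}",
    "role": "%{Radius:IETF:Class}",
    "ip-addr": "%{Authorization:[Endpoints Repository]:IP Address}",
    "connector": "CPPM - FSSO",
}

# The post's [Endpoints Repository] filter query, parameterised instead of string-built.
FILTER_QUERY = "SELECT ip FROM tips_endpoint_profiles WHERE mac = LOWER(?)"

def sample_db():
    """Constructed stand-in for the endpoints table; the row is made up for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tips_endpoint_profiles (mac TEXT, ip TEXT)")
    db.execute("INSERT INTO tips_endpoint_profiles VALUES ('aabbccddeeff', '10.20.30.40')")
    return db

def endpoint_ip(db, mac_nodelim):
    # Resolve the client IP the way the added 'IP Address' filter does (empty if unknown).
    row = db.execute(FILTER_QUERY, (mac_nodelim,)).fetchone()
    return row[0] if row else ""

def render(attrs):
    # Substitute every %{...} placeholder; attributes missing from the request render empty.
    return {k: PLACEHOLDER.sub(lambda m: attrs.get(m.group(1), ""), v)
            for k, v in JSON_TEMPLATE.items()}

def check_context(body):
    """Flag what the thread reports breaks FMG: a multi-valued role and an unresolved IP."""
    problems = []
    # Assumption: a multi-valued Class renders comma-separated; FMG only takes the first.
    if not body["role"] or "," in body["role"]:
        problems.append("role must be exactly one value")
    try:
        ip_address(body["ip-addr"])
    except ValueError:
        problems.append("ip-addr did not resolve to an address")
    return problems

def build_context(db, attrs):
    # Look up the IP by the delimiter-less client MAC, then render and validate the body.
    ip = endpoint_ip(db, attrs.get("Connection:Client-Mac-Address-NoDelim", ""))
    body = render({**attrs, "Authorization:[Endpoints Repository]:IP Address": ip})
    return body, check_context(body)
```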





  • 5.  RE: Fortimanager CPPM integration

    Posted 8 days ago

    Many thanks, that is very helpful.

    Exactly, I don't have any helpful information from Fortinet other than the actual integration guide. The only useful bits I found were in this forum.

    I am trying to use the user-IP mapping from ClearPass in FortiManager for user-based rules. FortiManager is not communicating with AD, and hence we are using the roles from FMG for identity-based policies.

    The issue regarding CoA was highlighted where possibly CoA reauth is not caught. For instance, a user had Role X and after CoA gets Role Y; FMG will be unaware post-auth, since notification is only on disconnect and reconnect.

    Thanks.



    ------------------------------
    many thanks
    ------------------------------