Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiManager 6.2.1 Administration Guide
    6.2.1
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.7
    5.2.6
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.12
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.8
    4.3.7
    4.3.6
    4.3.5
    4.3.4
    4.3.3
    4.3.2
    4.3.1
    4.3.0
    4.2.9
    4.2.8
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.1.0
    4.0.3
    4.0.2
    4.0.1
    4.0.0

    Creating ClearPass connector

    Creating ClearPass connector

    ClearPass connector for FortiManager centralizes the updates from ClearPass for all FortiGate devices, and leverages the efficient FSSO protocol to apply dynamic policy updates to FortiGate.

    Requirements:

    • FortiManager version 5.6 ADOM or later.

      The method described in this topic for creating fabric connectors requires version 6.0 ADOM or later.

    • FortiGate is managed by FortiManager.
    • The managed FortiGate unit is configured to work with ClearPass.
    • Expose JSON API allowing ClearPass to call it.
    To configure ClearPass:
    1. Log on to the ClearPass Policy Manager.

    2. Create Roles. Go to Configuration > Identity > Roles > Add. Specify the name as mytest1. FortiManager will get this group as an Active Directory group. The Description field is optional.

    3. Create local users. Go to Configuration > Identity > Local Users > Add. Configure the following:

      • User ID - specify the user ID as test1.
      • Name - specify the name as testUser1.
      • Password - specify the password as qa1234.
      • Enable - select the check box.
      • Role - specify the role as mytest1 (created in step 1).
    4. Add Ubuntu Simulator. Go to Configuration > Network > Devices > Add. Configure the following settings:

      • Name - specify the name as Ubuntu_test.
      • IP or Subnet Address - specify as 10.3.113.61.
      • RADIUS Shared Secret - specify as qa1234.
      • Vendor name - specify as Unix.
    5. Configure FortiManager to get packet from ClearPass.
    6. Create Endpoint Context Server Action for FortiManager. Go to Administration > Dictionaries > Context Server Actions > Add. Create a Login action.
    7. Configure the following settings in the Action tab:

      • Server Type - select Generic HTTP.
      • Server Name - specify 10.3.113.57. The is the IP address of FortiManager.
      • Action Name - specify as Frank-FMG-login.
      • Description - inform FortiManager that the user logged on.
      • HTTP Method- select POST.
      • Authentication Method - select Basic.
      • URL - specify /jsonrpc/connector/user/login
    8. Configure the following settings in the Header tab:

      • Header Name - specify as Content-Type.
      • Header Value - specify as application/json.
      • Content-Type - select JSON.
      • Content - specify the following:

      9. {
           "adom": "root",
           "connector": "test", <----------------this will be the connector name created on FMG
           "user": "%{Authentication:Username}",
           "role": "%{Tips:Role}",
           "ip-addr": "%{ip}"
        }
    9. Create Endpoint Context Server Action for FortiManager. Go to Administration > Dictionaries > Context Server Actions > Add. Create a Logout action.

    10. Configure the following settings in the Action tab:

      • Server Type - select Generic HTTP.
      • Server Name - specify 10.3.113.57. The is the IP address of FortiManager.
      • Action Name - specify as Frank-FMG-logout.
      • Description - inform FortiManager that user logged out.
      • HTTP Method- select POST.
      • Authentication Method - select Basic.
      • URL - specify /jsonrpc/connector/user/logout
    11. Configure the following settings in the Header tab:
      • Header Name - specify as Content-Type.
      • Header Value - specify as application/json.
      • Content-Type - select JSON.
      • Content - specify the following: 
        {
				"adom": "root",
				"connector": "test", <--this will be the connector name created on FMG
				"user": "%{Authentication:Username}",
				"role": "%{Tips:Role}",
				"ip-addr": "%{ip}"
						}
    12. Add FortiManager as the Endpoint Context Server. Go to Administration > External Servers > Endpoint Context Servers > Add. Configure the following settings:
      • Server Type - select Generic HTTP.
      • Server Name - specify 10.3.113.57. This the FortiManager IP.
      • Authentication Method - select Basic.
      • Username - specify admin. This is the administrator on FortiManager.
    13. Check Actions is added to the server. Go to Administration > External Servers > Endpoint Context Servers > 10.3.113.57 > Actions. You can now find Frank-FMG-login and Frank-FMG-Logout.

    14. Create profile. Go to Configuration > Enforcement > Profiles > Add.
    15. Configure the following settings in the Profile tab:

      • Template - select Session Notification Management.
      • Name - specify FortiManager Login and Logout.
      • Description - specify FortiManager - Initial SSO integration testing.
      • Type - select Post_Authentication.
    16. Configure the following settings in the Attributes tab.

    17. Type

      Name

      Value

      Session-Notify Server Type Generic HTTP
      Session-Notify Login Action Frank-FMG-login
      Session-Notify Logout Action Frank-FMG-logout
      Session-Notify Server IP 10.3.113.57 (FortiManager IP)
    18. Create a Policy. Go to Configuration > Enforcement > Policies > Add.
    19. Configure the following settings in the Enforcement tab.

      • Name - specify FortiManager testing.
      • Enforcement Type - select RADIUS.
      • Default profile - Allow Access Profile.
    20. Configure the following settings in the Rules tab:

      • Type - select Date.
      • Name - select Date-Time.
      • Operation - select EXISTS.
      • Profile Names: [Post Authentication][FortiManager-Login and Logout]
    21. Create API Client. Log on from ClearPass Guest.

    22. Go to Administration > API Services > API Clients > Create API Client. Configure the following:

      • Client ID - specify as test.
      • Description - FortiManager logs on from this client.
      • Operator Profile - Select Super Administrator.
      • Grand Type - select Username and password credentials (grant type=password).
      • Public Client - select the check box.
      • Refresh Tokens - select the check box.

    To configure FortiManager:
    1. Log on to FortiManager.
    2. Launch the command line and execute the following:
      config system admin user
edit  admin
set rpc-permit read-write
end
    3. Create FortiManager GUI connector. Go to Fabric View > Create New. Select aruba ClearPass. Click Next.

    4. Configure the following settings:

      • Name - specify the name as test. This name must be same as used in ClearPass Endpoint Context Server Actions > Frank-FMG-login/Frank-FMG-logout > Content >"Connector":" test".
      • Status - toggle to ON.
      • Server - specify the IP as 10.3.113.102. This is the ClearPass IP.
      • Client - specify as test. This is the name of the API Client created.
      • User - specify as admin. This is the ClearPass login name.
      • Password - specify as Qa1234. This is the ClearPass password.
    5. Get role and user from ClearPass. Go to Policy & Objects > Object Configurations > Fabric Connectors >SSO/Identity. Select the connector and click Import, or edit it then click Apply & Refresh. FortiManager then gets the roles and users from ClearPass. Green shows the user has logged on.

    6. Install adgrp from ClearPass to FortiGate. Policy & Objects > Object Configurations > User & Devices > User Groups. Create user group with type as FSSO/SSO Connectors, and select members as ClearPass adgrp. Use the user group in a policy and install it to FortiGate.

    Previous
    Next

    Creating ClearPass connector

    Creating ClearPass connector

    ClearPass connector for FortiManager centralizes the updates from ClearPass for all FortiGate devices, and leverages the efficient FSSO protocol to apply dynamic policy updates to FortiGate.

    Requirements:

    • FortiManager version 5.6 ADOM or later.

      The method described in this topic for creating fabric connectors requires version 6.0 ADOM or later.

    • FortiGate is managed by FortiManager.
    • The managed FortiGate unit is configured to work with ClearPass.
    • Expose JSON API allowing ClearPass to call it.
    To configure ClearPass:
    1. Log on to the ClearPass Policy Manager.

    2. Create Roles. Go to Configuration > Identity > Roles > Add. Specify the name as mytest1. FortiManager will get this group as an Active Directory group. The Description field is optional.

    3. Create local users. Go to Configuration > Identity > Local Users > Add. Configure the following:

      • User ID - specify the user ID as test1.
      • Name - specify the name as testUser1.
      • Password - specify the password as qa1234.
      • Enable - select the check box.
      • Role - specify the role as mytest1 (created in step 1).
    4. Add Ubuntu Simulator. Go to Configuration > Network > Devices > Add. Configure the following settings:

      • Name - specify the name as Ubuntu_test.
      • IP or Subnet Address - specify as 10.3.113.61.
      • RADIUS Shared Secret - specify as qa1234.
      • Vendor name - specify as Unix.
    5. Configure FortiManager to get packet from ClearPass.
    6. Create Endpoint Context Server Action for FortiManager. Go to Administration > Dictionaries > Context Server Actions > Add. Create a Login action.
    7. Configure the following settings in the Action tab:

      • Server Type - select Generic HTTP.
      • Server Name - specify 10.3.113.57. The is the IP address of FortiManager.
      • Action Name - specify as Frank-FMG-login.
      • Description - inform FortiManager that the user logged on.
      • HTTP Method- select POST.
      • Authentication Method - select Basic.
      • URL - specify /jsonrpc/connector/user/login
    8. Configure the following settings in the Header tab:

      • Header Name - specify as Content-Type.
      • Header Value - specify as application/json.
      • Content-Type - select JSON.
      • Content - specify the following:

      9. {
           "adom": "root",
           "connector": "test", <----------------this will be the connector name created on FMG
           "user": "%{Authentication:Username}",
           "role": "%{Tips:Role}",
           "ip-addr": "%{ip}"
        }
    9. Create Endpoint Context Server Action for FortiManager. Go to Administration > Dictionaries > Context Server Actions > Add. Create a Logout action.

    10. Configure the following settings in the Action tab:

      • Server Type - select Generic HTTP.
      • Server Name - specify 10.3.113.57. The is the IP address of FortiManager.
      • Action Name - specify as Frank-FMG-logout.
      • Description - inform FortiManager that user logged out.
      • HTTP Method- select POST.
      • Authentication Method - select Basic.
      • URL - specify /jsonrpc/connector/user/logout
    11. Configure the following settings in the Header tab:
      • Header Name - specify as Content-Type.
      • Header Value - specify as application/json.
      • Content-Type - select JSON.
      • Content - specify the following: 
        {
				"adom": "root",
				"connector": "test", <--this will be the connector name created on FMG
				"user": "%{Authentication:Username}",
				"role": "%{Tips:Role}",
				"ip-addr": "%{ip}"
						}
    12. Add FortiManager as the Endpoint Context Server. Go to Administration > External Servers > Endpoint Context Servers > Add. Configure the following settings:
      • Server Type - select Generic HTTP.
      • Server Name - specify 10.3.113.57. This the FortiManager IP.
      • Authentication Method - select Basic.
      • Username - specify admin. This is the administrator on FortiManager.
    13. Check Actions is added to the server. Go to Administration > External Servers > Endpoint Context Servers > 10.3.113.57 > Actions. You can now find Frank-FMG-login and Frank-FMG-Logout.

    14. Create profile. Go to Configuration > Enforcement > Profiles > Add.
    15. Configure the following settings in the Profile tab:

      • Template - select Session Notification Management.
      • Name - specify FortiManager Login and Logout.
      • Description - specify FortiManager - Initial SSO integration testing.
      • Type - select Post_Authentication.
    16. Configure the following settings in the Attributes tab.

    17. Type

      Name

      Value

      Session-Notify Server Type Generic HTTP
      Session-Notify Login Action Frank-FMG-login
      Session-Notify Logout Action Frank-FMG-logout
      Session-Notify Server IP 10.3.113.57 (FortiManager IP)
    18. Create a Policy. Go to Configuration > Enforcement > Policies > Add.
    19. Configure the following settings in the Enforcement tab.

      • Name - specify FortiManager testing.
      • Enforcement Type - select RADIUS.
      • Default profile - Allow Access Profile.
    20. Configure the following settings in the Rules tab:

      • Type - select Date.
      • Name - select Date-Time.
      • Operation - select EXISTS.
      • Profile Names: [Post Authentication][FortiManager-Login and Logout]
    21. Create API Client. Log on from ClearPass Guest.

    22. Go to Administration > API Services > API Clients > Create API Client. Configure the following:

      • Client ID - specify as test.
      • Description - FortiManager logs on from this client.
      • Operator Profile - Select Super Administrator.
      • Grand Type - select Username and password credentials (grant type=password).
      • Public Client - select the check box.
      • Refresh Tokens - select the check box.

    To configure FortiManager:
    1. Log on to FortiManager.
    2. Launch the command line and execute the following:
      config system admin user
edit  admin
set rpc-permit read-write
end
    3. Create FortiManager GUI connector. Go to Fabric View > Create New. Select aruba ClearPass. Click Next.

    4. Configure the following settings:

      • Name - specify the name as test. This name must be same as used in ClearPass Endpoint Context Server Actions > Frank-FMG-login/Frank-FMG-logout > Content >"Connector":" test".
      • Status - toggle to ON.
      • Server - specify the IP as 10.3.113.102. This is the ClearPass IP.
      • Client - specify as test. This is the name of the API Client created.
      • User - specify as admin. This is the ClearPass login name.
      • Password - specify as Qa1234. This is the ClearPass password.
    5. Get role and user from ClearPass. Go to Policy & Objects > Object Configurations > Fabric Connectors >SSO/Identity. Select the connector and click Import, or edit it then click Apply & Refresh. FortiManager then gets the roles and users from ClearPass. Green shows the user has logged on.

    6. Install adgrp from ClearPass to FortiGate. Policy & Objects > Object Configurations > User & Devices > User Groups. Create user group with type as FSSO/SSO Connectors, and select members as ClearPass adgrp. Use the user group in a policy and install it to FortiGate.

    Previous
    Next