Fortinet Document Library

Administration Guide

Creating ClearPass connector

The ClearPass connector for FortiManager centralizes session updates from ClearPass for all managed FortiGate devices and uses the FSSO protocol to push the resulting dynamic policy updates to FortiGate.

Requirements:

  • FortiManager version 5.6 ADOM or later.

    The method described in this topic for creating fabric connectors requires version 6.0 ADOM or later.

  • FortiGate is managed by FortiManager.
  • The managed FortiGate unit is configured to work with ClearPass.
  • The FortiManager JSON RPC API is enabled for the administrator account that ClearPass will call (the rpc-permit setting in the FortiManager procedure).
To configure the ClearPass server:
  1. Log on to the ClearPass Policy Manager.

  2. Create a role. Go to Configuration > Identity > Roles > Add. Specify the name as mytest1. FortiManager imports this role as if it were an Active Directory group. The Description field is optional.

  3. Create local users. Go to Configuration > Identity > Local Users > Add. Configure the following:

    • User ID - specify the user ID as test1.
    • Name - specify the name as testUser1.
    • Password - specify the password as qa1234.
    • Enable - select the check box.
    • Role - specify the role as mytest1 (created in step 2).
  4. Add the Ubuntu simulator as a network device (the RADIUS client that will authenticate the test user). Go to Configuration > Network > Devices > Add. Configure the following settings:

    • Name - specify the name as Ubuntu_test.
    • IP or Subnet Address - specify as 10.3.113.61.
    • RADIUS Shared Secret - specify as qa1234.
    • Vendor name - specify as Unix.
  5. Configure ClearPass to send session notifications to FortiManager. The remaining steps in this procedure set this up.
  6. Create an Endpoint Context Server Action for FortiManager. Go to Administration > Dictionaries > Context Server Actions > Add. Create a Login action.
  7. Configure the following settings in the Action tab:

    • Server Type - select Generic HTTP.
    • Server Name - specify 10.3.113.57. This is the IP address of FortiManager.
    • Action Name - specify as Frank-FMG-login.
    • Description - inform FortiManager that the user logged on.
    • HTTP Method - select POST.
    • Authentication Method - select Basic.
    • URL - specify /jsonrpc/connector/user/login
  8. Configure the following settings in the Header tab:

    • Header Name - specify as Content-Type.
    • Header Value - specify as application/json.
  9. Configure the following settings for the request content:

    • Content-Type - select JSON.
    • Content - specify the following. The connector value must match the name of the connector that is later created on FortiManager; the %{...} placeholders are ClearPass attributes that are filled in per session:

      {
          "adom": "root",
          "connector": "test",
          "user": "%{Authentication:Username}",
          "role": "%{Tips:Role}",
          "ip-addr": "%{ip}"
      }
  10. Create Endpoint Context Server Action for FortiManager. Go to Administration > Dictionaries > Context Server Actions > Add. Create a Logout action.

  11. Configure the following settings in the Action tab:

    • Server Type - select Generic HTTP.
    • Server Name - specify 10.3.113.57. This is the IP address of FortiManager.
    • Action Name - specify as Frank-FMG-logout.
    • Description - inform FortiManager that the user logged out.
    • HTTP Method - select POST.
    • Authentication Method - select Basic.
    • URL - specify /jsonrpc/connector/user/logout
  12. Configure the following settings in the Header tab, and then the request content, exactly as for the Login action:

    • Header Name - specify as Content-Type.
    • Header Value - specify as application/json.
    • Content-Type - select JSON.
    • Content - specify the following. The connector value must match the name of the connector that is later created on FortiManager:

      {
          "adom": "root",
          "connector": "test",
          "user": "%{Authentication:Username}",
          "role": "%{Tips:Role}",
          "ip-addr": "%{ip}"
      }
  13. Add FortiManager as an Endpoint Context Server. Go to Administration > External Servers > Endpoint Context Servers > Add. Configure the following settings:
    • Server Type - select Generic HTTP.
    • Server Name - specify 10.3.113.57. This is the FortiManager IP.
    • Authentication Method - select Basic.
    • Username - specify admin. This is the FortiManager administrator account whose credentials ClearPass presents in the Basic authentication header; it must have JSON RPC permission (rpc-permit) on FortiManager.
  14. Check that the actions are attached to the server. Go to Administration > External Servers > Endpoint Context Servers > 10.3.113.57 > Actions. Frank-FMG-login and Frank-FMG-logout are now listed.

  15. Create profile. Go to Configuration > Enforcement > Profiles > Add.
  16. Configure the following settings in the Profile tab:

    • Template - select Session Notification Management.
    • Name - specify FortiManager Login and Logout.
    • Description - specify FortiManager - Initial SSO integration testing.
    • Type - select Post_Authentication.
  17. Go to the Attributes tab.
  18. Add the following attributes:

    Type            Name            Value
    Session-Notify  Server Type     Generic HTTP
    Session-Notify  Login Action    Frank-FMG-login
    Session-Notify  Logout Action   Frank-FMG-logout
    Session-Notify  Server IP       10.3.113.57 (the FortiManager IP)
  19. Create a policy. Go to Configuration > Enforcement > Policies > Add.
  20. Configure the following settings in the Enforcement tab:

    • Name - specify FortiManager testing.
    • Enforcement Type - select RADIUS.
    • Default Profile - select Allow Access Profile.
  21. Configure the following settings in the Rules tab. The Date-Time attribute exists for every request, so this rule matches every authentication and attaches the notification profile to it:

    • Type - select Date.
    • Name - select Date-Time.
    • Operation - select EXISTS.
    • Profile Names - [Post Authentication] [FortiManager Login and Logout]
  22. Create an API client. Log on to ClearPass Guest.

  23. Go to Administration > API Services > API Clients > Create API Client. Configure the following:

    • Client ID - specify as test.
    • Description - FortiManager logs on from this client.
    • Operator Profile - select Super Administrator. This is the profile used in this example; it grants the client full API rights, so use a more restricted operator profile if your deployment permits one.
    • Grant Type - select Username and password credentials (grant type=password).
    • Public Client - select the check box.
    • Refresh Tokens - select the check box.

 

To configure FortiManager:
  1. Log on to FortiManager.
  2. Launch the command line and execute the following. This allows the admin account to be used for JSON RPC calls; it is the account ClearPass authenticates as when it posts session notifications:
    config system admin user
    edit admin
    set rpc-permit read-write
    end
    Consider creating a dedicated administrator for ClearPass rather than enabling RPC on the built-in admin account. Whichever account you use must be the one entered as Username in the ClearPass Endpoint Context Server.
  3. Create the connector in the FortiManager GUI. Go to Fabric View > Create New. Select Aruba ClearPass. Click Next.

  4. Configure the following settings:

    • Name - specify the name as test. This name must be the same as the "connector": "test" value used in the Content of the ClearPass Endpoint Context Server Actions Frank-FMG-login and Frank-FMG-logout.
    • Status - toggle to ON.
    • Server - specify the IP as 10.3.113.102. This is the ClearPass IP.
    • Client - specify as test. This is the Client ID of the API client created in ClearPass Guest.
    • User - specify as admin. This is the ClearPass login name.
    • Password - specify as Qa1234. This is the ClearPass password.
  5. Get the roles and users from ClearPass. Go to Policy & Objects > Object Configurations > Fabric Connectors > SSO/Identity. Select the connector and click Import, or edit it and then click Apply & Refresh. FortiManager then retrieves the roles and users from ClearPass. A green status indicates that the user is currently logged on.

  6. Install the ClearPass group (adgrp) to FortiGate. Go to Policy & Objects > Object Configurations > User & Devices > User Groups. Create a user group with the type FSSO/SSO Connectors and select the ClearPass adgrp as a member. Use the user group in a policy and install the policy to FortiGate.
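
The two Context Server Actions above and the rpc-permit setting on FortiManager can be exercised without waiting for a real RADIUS session. The following script is an added example, not Fortinet or Aruba code: it renders the Content template with ClearPass-style %{...} attributes the way ClearPass does, builds the Basic-auth POST to /jsonrpc/connector/user/login or /logout, and optionally sends it. It assumes FortiManager is reached over HTTPS; the attribute values, host addresses and credentials in it are constructed test data, and the JSON-escaping of attribute values is this script's own safeguard rather than a documented ClearPass behaviour.

```python
"""Simulate the ClearPass -> FortiManager session notification.

Added example, not Fortinet or Aruba code. Renders the Context Server
Action content template with ClearPass-style %{...} attributes and builds
the Basic-auth POST that ClearPass sends to FortiManager's JSON RPC endpoint.
Assumptions: FortiManager is reached over HTTPS; the credentials and
attribute values used in main() are constructed test data.
"""
import base64
import json
import re
import ssl
import sys
import urllib.request

# Template exactly as entered in the ClearPass Context Server Action.
CONTENT_TEMPLATE = """{
    "adom": "root",
    "connector": "test",
    "user": "%{Authentication:Username}",
    "role": "%{Tips:Role}",
    "ip-addr": "%{ip}"
}"""

# ClearPass attribute placeholder, e.g. %{Authentication:Username}
PLACEHOLDER = re.compile(r"%\{([^}]+)\}")


def render_content(template, attrs):
    """Substitute %{...} placeholders from attrs and parse the result as JSON.

    Each value is JSON-escaped before substitution, so a username containing
    a double quote or backslash cannot break out of the string literal and
    alter the adom or connector fields. An unresolved placeholder raises
    KeyError rather than being sent to FortiManager as literal text.
    """
    def replace(match):
        key = match.group(1)
        if key not in attrs:
            raise KeyError("unresolved ClearPass attribute %%{%s}" % key)
        # json.dumps returns a quoted string; drop the quotes, keep the escapes.
        return json.dumps(str(attrs[key]))[1:-1]

    return json.loads(PLACEHOLDER.sub(replace, template))


def build_request(fmg_host, action, body, username, password):
    """Return (url, headers, payload) for a login or logout notification.

    URL path and Basic authentication match the Context Server Action
    settings; the account must have rpc-permit read-write on FortiManager.
    """
    if action not in ("login", "logout"):
        raise ValueError("action must be 'login' or 'logout'")
    url = "https://%s/jsonrpc/connector/user/%s" % (fmg_host, action)
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    headers = {
        "Content-Type": "application/json",
        "Authorization": "Basic " + token,
    }
    return url, headers, json.dumps(body).encode()


def notify(fmg_host, action, attrs, username, password, cafile=None, timeout=10):
    """POST one notification and return (HTTP status, decoded response).

    Certificate validation stays on; pass cafile for a FortiManager that uses
    a private CA instead of disabling verification.
    """
    body = render_content(CONTENT_TEMPLATE, attrs)
    url, headers, payload = build_request(fmg_host, action, body, username, password)
    req = urllib.request.Request(url, data=payload, headers=headers, method="POST")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def main(argv):
    # Constructed test attributes mirroring the values used in the procedure.
    attrs = {"Authentication:Username": "test1", "Tips:Role": "mytest1", "ip": "10.3.113.61"}
    if len(argv) != 5:
        # Dry run: show the request ClearPass would send, without sending it.
        body = render_content(CONTENT_TEMPLATE, attrs)
        url, _, payload = build_request("10.3.113.57", "login", body, "admin", "<fmg-admin-password>")
        print("POST", url)
        print(payload.decode())
        print("usage: %s <fmg_host> <login|logout> <fmg_admin> <fmg_password>" % argv[0])
        return 0
    status, resp = notify(argv[1], argv[2], attrs, argv[3], argv[4])
    print(status, resp)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to see the exact request that ClearPass will send; run it with the FortiManager address, login or logout, and the administrator credentials to post a notification and confirm that rpc-permit is set and the connector name matches. After a successful login call, the user should show as logged on under Fabric Connectors > SSO/Identity on FortiManager.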
