You can create multiple Aruba ClearPass connectors in each FortiManager ADOM, and then add them to a user group object, which you can install to FortiGates via a policy package. After the policy package is installed, FortiGate can use the multiple ClearPass connectors in the ADOM to connect to multiple CCPM (Configure ClearPass Policy Manager) servers.
Following is an overview of how to use multiple ClearPass connectors:
- Create multiple ClearPass connectors in an ADOM. See Creating multiple ClearPass connectors in an ADOM.
- Get roles and users from ClearPass. See Getting roles and users from ClearPass.
- Create a user group object that references multiple ClearPass connectors. See Creating user groups.
- Add the user group to a policy package, and install the policy package to FortiGate. See Installing policy packages to FortiGate.
FortiGate uses the ClearPass connectors to connect to multiple CCPM servers.

Creating multiple ClearPass connectors in an ADOM
This example assumes that Aruba ClearPass is already set up.
- Ensure you are in the correct ADOM.
  This example uses the root ADOM.
- Create a ClearPass connector.
  - Go to Fabric View > Fabric Connectors.
  - Click Create New > ClearPass, and click Next.
  - Complete the options, and click OK.
  The ClearPass connector is created.
- Create another ClearPass connector.
  The multiple fabric connectors for Aruba ClearPass are displayed in the root ADOM.

Getting roles and users from ClearPass
- Go to Policy & Objects > Object Configurations > Fabric Connectors > SSO/Identity.
- Double-click a ClearPass connector to open it for editing, and click Apply & Refresh.
FortiManager retrieves the roles and users from ClearPass.
- Repeat this procedure for all ClearPass connectors in the ADOM.

Creating user groups
- Go to Policy & Objects > Object Configurations > User & Device > User Groups.
- Click Create New.
- In the Group Name box, type a name for the group.
- Beside Type, select FSSO/SSO Connectors, and select the Aruba ClearPass connectors.
- Set the remaining options, and click OK.

Installing policy packages to FortiGate
- Go to Policy & Objects > Policy Packages.
- Use the new user group in a policy package, and install the policy package to FortiGate.
After the policy package is installed to FortiGate, FortiGate can use multiple CCPM servers. FortiGate distinguishes between multiple connectors by the user names contained in each ClearPass connector.