FortiGate
Anthony_E
Community Manager
Article Id 192146
Description
ClearPass Policy Manager (CPPM) is a network access control system that can send information about authenticated users to third-party systems, such as a FortiGate or FortiManager.
In this example, communications are established between CPPM and FortiManager, and the FortiManager then forwards the user information to a managed FortiGate.
On the FortiGate, the user information can be used in firewall policies and added to FSSO dynamic addresses.

This article describes this feature.

Scope
For version 6.2.2.

Solution
Establish communications between FortiManager and CPPM to synchronize CPPM user groups.
See Creating a ClearPass connector in the FortiManager Administration Guide.

FortiManager forwards the group information to managed FortiGates.
Add CPPM FSSO user groups to a local user group.

To add CPPM user groups to a local user group in the GUI.

1) On the FortiGate, go to User & Device -> User Groups.
2) Select 'Create New'.
3) Enter a name for the group and set type to Fortinet Single Sign-On (FSSO).
4) Select the Members field, and add one or more FSSO groups. FSSO groups can come from multiple sources; CPPM FSSO groups are prefixed with cp_ and are listed under the FortiManager heading.
5) Select 'OK'.

To add CPPM user groups to a local user group in the CLI.
# config user group
    edit fsso-group
        set group-type fsso-service
        set member "cp_test_[Employee]" "cp_test_FSSOROLE"
    next
end

Use the local FSSO user group in a firewall policy.

To add the local FSSO user group to a firewall policy in the GUI.

1) Go to Policy & Objects -> IPv4 Policy.
2) Create a new policy, or edit an existing one.
3) Select the Source field and add the fsso-group user group.

CPPM user groups can also be added directly to the policy.

4) Select 'OK'.

To add the local FSSO user group to a firewall policy in the CLI.
# config firewall policy
    edit 1
        set name "pol1"
        set uuid 2b88ed8a-c906-51e9-fb25-8cb12172acd8
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "fsso-group"
        set nat enable
    next
end

Verification.

To verify that a user was added to the FSSO list on the FortiGate.

1) Log in to the client and authenticate with CPPM. After successful authentication, the user is added to the FSSO list on the FortiGate.
2) On the FortiGate, go to Monitor -> Firewall User Monitor to verify that the user was added.

The user group cp_test_FSSOROLE is listed separately because the user is a member of that group on the CPPM.

To verify that traffic can pass the firewall.

1) Log in to the client and browse to an external website.
2) On the FortiGate, go to FortiView -> Sources.
3) Select the user and select the Destinations tab to verify that traffic is being passed by the firewall.
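The same checks can be made from the FortiGate CLI. This is an added example, not part of the original article: the diagnose commands are standard FortiOS authd and firewall diagnostics, and the assumption is that the FortiManager forwarding the CPPM groups shows up as an FSSO source on the FortiGate.

```text
# diagnose debug authd fsso server-status
    Lists each FSSO source with its connection status; the FortiManager that
    forwards the CPPM groups is expected to show as connected (assumed for this setup).

# diagnose debug authd fsso list
    Lists the current FSSO logons with source IP, user name and group membership;
    after the client authenticates with CPPM, the user should appear here with
    the cp_test_[Employee] and cp_test_FSSOROLE groups.

# diagnose debug authd fsso refresh-groups
    Re-requests the group list from the FSSO sources; use this if a group just
    created on CPPM has not yet appeared under Members when editing the user group.

# diagnose firewall auth list
    Shows the firewall authentication table (user IP, name and group list, with
    traffic counters); this is the entry that lets policy "pol1" match the
    fsso-group source when the client browses out.
```

If the user is missing from the logon list but the source shows as connected, the authentication with CPPM did not reach FortiManager; if the user is listed but policy "pol1" does not match, compare the group names in the logon entry with the member list of fsso-group.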
