ClearPass Integration with Fortinet Firewall for User Level Visibility

ClearPass Integration with Fortinet Firewall for User Level Visibility

ClearPass Integration with Fortinet through Radius Accounting (RSSO) would provide the User Data Flow Analysis from user Perspective instead of IP address or MAC Address

Workflow

1. User connects to the Network, authenticating against ClearPass
2. ClearPass sends the Radius accounting information to the Fortinet Firewall with Radius Proxy
3. Fortinet Firewall Classifies the user based on RSSO attributes sent by Aruba ClearPass
4. User Traffic gets categorized by RSSO based user groups and Internet Policies are applied Accordingly

Configuration

1. Add Fortinet Firewall as Radius Proxy in ClearPass

Navigate to Configuration–>Proxy Targets and Add the Fortinet Firewall with Radius Shared Secret

2. Add Radius Attributes to the Radius Proxy enabled to the Service

In the Example we are mapping the Local user Group to be sent as the Radius Attribute.

The Filter-ID attribute is used to send the Local user Group

3. Add ClearPass as Radius Accounting Fabric Connector in Fortinet Firewall

Navigate to Security FabricàFabric ConnectorsàAdd->Radius Single Sign-On Agent

4. Enable Radius accounting on the Interface where the Radius Logs are received

5. Add the SSO attributes as to map the user based on SSO attribute

# config user radius

(radius) # edit ClearPass

(ClearPass) # set sso-attribute Filter-Id

(ClearPass) # set rsso-endpoint-attribute User-Name

6.Create User group as per SSO attribute

Navigate to User & Device–>User Groups –> Add

In the Example Above Group is created for Filter-ID Senior_Management

7. Create Policies as per User Group

8. Verify the RSSO and Traffic Flow

Airowire-HQ (root) # diagnose firewall auth list

172.16.180.28, Sushanth Mascarenhas
type: rsso, id: 0, duration: 1772, idled: 1772
flag(10): radius
server: root
packets: in 0 out 0, bytes: in 0 out 0
group_id: 19
group_name: Senior_Management

Verify the RSSO from Firewall User Monitor