Introduction

With the current pandemic situation, most employees are working from home over VPN connections to their enterprise network. Because these employees connect over public networks and often from personal devices, the enterprise has no assurance of the endpoint's state, which poses a significant security risk. To mitigate this, we integrate the Fortinet VPN solution with ClearPass OnGuard posture checks so that an endpoint's health determines the access it receives.

What is Achieved from the Solution?

  1. VPN authentication of legitimate users, granting access only to the required resources
  2. Validation of the endpoint posture before the user is given access to the network
  3. Faster convergence of health-check compliance with network access than the traditional health check with VPN methodology
  4. Dynamic authorization of users based on user groups and other factors

Solution


Workflow

  1. The user initiates the VPN connection using the Forti VPN client.
  2. The Fortinet firewall sends a RADIUS authentication request to ClearPass.
  3. ClearPass validates the credentials against the identity store and returns a RADIUS Accept message to the firewall.
  4. After successful VPN authentication the user is placed in the default firewall policy, which allows only limited access to the network (including access to ClearPass).
  5. The OnGuard agent triggers a web authentication (TCP 443) to ClearPass. Based on the configured posture policies, ClearPass returns healthy or infected using the attribute ClearPass-spt Subtype.
  6. The user is then moved from the default firewall policy to the infected or healthy firewall policy.


The workflow above is quicker than traditional wired or wireless posture checks that rely on a CoA action: there is no re-authentication delay, and end users experience no network disconnects, because the firewall policies are applied dynamically to the end device's IP address rather than to the session.
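The following is an added simulation of the policy transitions described in the workflow; it is not Fortinet, ClearPass or OnGuard code. It models ClearPass posture evaluation as a simple all-checks-must-pass policy over a constructed health report (the check names are assumptions), and the FortiGate side as an in-memory table of dynamic address objects, one per policy (default, healthy, infected), keyed by endpoint IP. It also covers two edge cases the text implies but does not spell out: a posture result for an IP with no VPN session is ignored, and an unrecognized posture token fails closed into the infected policy.

```python
"""Toy model of posture-driven firewall policy assignment (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Policy / dynamic address object names used in the workflow.
DEFAULT = "default"      # limited access right after RADIUS Accept
HEALTHY = "healthy"
INFECTED = "infected"

# Assumed posture policy: every listed check must pass to be healthy.
REQUIRED_CHECKS = ("antivirus_running", "firewall_enabled", "disk_encrypted")


def evaluate_posture(health_report: Dict[str, bool]) -> str:
    """Return the posture token for an endpoint health report.

    A missing check is treated as failed, so an incomplete report is infected.
    """
    for check in REQUIRED_CHECKS:
        if not health_report.get(check, False):
            return INFECTED
    return HEALTHY


@dataclass
class FortiGateSim:
    """Dynamic address objects: policy name -> set of member endpoint IPs."""
    address_objects: Dict[str, Set[str]] = field(
        default_factory=lambda: {DEFAULT: set(), HEALTHY: set(), INFECTED: set()}
    )

    def _remove_everywhere(self, ip: str) -> None:
        # An IP belongs to at most one policy object at a time.
        for members in self.address_objects.values():
            members.discard(ip)

    def vpn_login(self, ip: str, radius_accept: bool) -> Optional[str]:
        """Steps 2-4: on RADIUS Accept the IP lands in the default policy."""
        if not radius_accept:
            return None
        self._remove_everywhere(ip)
        self.address_objects[DEFAULT].add(ip)
        return DEFAULT

    def apply_posture(self, ip: str, token: str) -> Optional[str]:
        """Steps 5-6: move the IP to the policy named by the posture token."""
        if self.policy_for(ip) is None:
            return None  # no VPN session for this IP: ignore the stray result
        target = HEALTHY if token == HEALTHY else INFECTED  # fail closed
        self._remove_everywhere(ip)
        self.address_objects[target].add(ip)
        return target

    def vpn_logout(self, ip: str) -> None:
        """Tunnel teardown removes the IP from every policy object."""
        self._remove_everywhere(ip)

    def policy_for(self, ip: str) -> Optional[str]:
        """Which firewall policy currently applies to this endpoint IP."""
        for name, members in self.address_objects.items():
            if ip in members:
                return name
        return None


def run_session(fw: FortiGateSim, ip: str, radius_accept: bool,
                health_report: Dict[str, bool]) -> List[str]:
    """Drive one endpoint through the workflow and return the policy trail."""
    policy = fw.vpn_login(ip, radius_accept)
    if policy is None:
        return ["rejected"]
    trail = [policy]
    trail.append(fw.apply_posture(ip, evaluate_posture(health_report)))
    return trail


if __name__ == "__main__":
    fw = FortiGateSim()
    # Constructed sample endpoints and health reports.
    print(run_session(fw, "10.212.134.10", True,
                      {"antivirus_running": True, "firewall_enabled": True,
                       "disk_encrypted": True}))
    print(run_session(fw, "10.212.134.11", True,
                      {"antivirus_running": False, "firewall_enabled": True,
                       "disk_encrypted": True}))
    print(fw.policy_for("10.212.134.11"))
```

Because the policy follows the IP rather than the session, a later re-check that returns healthy can call `apply_posture` again and move a remediated endpoint out of the infected object without dropping the tunnel, which is the property the paragraph above contrasts with CoA-based designs.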

Components

  • ClearPass 6.8.x
  • Forti OS 6.2.0 or Higher
  • Forti VPN Agent
  • OnGuard Agent

Documentation

The article below describes the dynamic address objects feature used in this solution and the Fortinet-side configuration.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/912201/clearpass-integration-for-dynamic-address-objects