Overview

  1. SSL-VPN with multifactor authentication (MFA), which verifies that a legitimate user has connected to the network with a second factor of verification
  2. A health check of the end client, which ensures that only compliant users are allowed onto the network

The setup involves the following components:

  1. Fortinet firewall as the SSL-VPN concentrator
  2. ClearPass Policy Manager and ClearPass OnGuard
  3. LDAP/AD
  4. PingFederate
  5. PingID MFA


Workflow

  1. The client initiates the SSL-VPN session against the Fortinet firewall.
  2. The Fortinet firewall forwards the request to ClearPass over RADIUS.
  3. ClearPass forwards the request to PingFederate over RADIUS.
  4. PingFederate checks the credentials against OpenLDAP/AD and fetches the user's attributes.
  5. If the credentials are correct, PingFederate invokes the PingID cloud to send a push notification to the client.
  6. The PingID cloud sends the push notification to the MFA authenticator device, for example a smartphone with the PingID app.

Once the push notification is approved or rejected, PingID sends the response back to PingFederate.

  7. PingFederate sends an Accept or Reject based on the responses from LDAP and MFA.
  8. If PingFederate sends an Accept, ClearPass sends a RADIUS Accept to the firewall, placing the user in the Quarantine or Unknown policy.
  9. ClearPass OnGuard on the client machine performs the health check and sends the health information to the ClearPass server.
  10. Based on the health result, the appropriate health token is sent to the Fortinet firewall and the user moves to the Healthy or Quarantine policy.
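As an added example (not part of the original page or any vendor's code), the following Python simulation walks the workflow above end to end: a RADIUS-style request proxied through ClearPass to PingFederate, the LDAP and PingID decisions, the Quarantine-first accept, and the OnGuard posture result that moves the session to Healthy. The user records, push answers and the `Fortinet-Group-Name` attribute are constructed assumptions; the trail each decision carries shows what a defender would want logged at every hop.

```python
from dataclasses import dataclass, field

# Constructed directory and MFA answers for this simulation (not real credentials).
LDAP_USERS = {"alice": {"password": "s3cret", "groups": ["vpn-users"]},
              "carol": {"password": "pa55", "groups": ["vpn-users"]}}
PINGID_RESPONSES = {"alice": "approved", "carol": "denied"}  # what each user taps on the phone

@dataclass
class Decision:
    result: str                                  # "Access-Accept" or "Access-Reject"
    attributes: dict = field(default_factory=dict)
    trail: list = field(default_factory=list)    # hop-by-hop audit trail for the SOC


def ping_federate(user, password, trail):
    """First factor against LDAP, then the PingID push; both must succeed."""
    entry = LDAP_USERS.get(user)
    if entry is None or entry["password"] != password:
        trail.append("PingFederate: LDAP bind failed")
        return "Reject", {}
    trail.append("PingFederate: LDAP bind ok, groups=%s" % entry["groups"])
    push = PINGID_RESPONSES.get(user, "timeout")  # no answer counts as a failure
    trail.append("PingID: push %s" % push)
    return ("Accept", {"groups": entry["groups"]}) if push == "approved" else ("Reject", {})


def clearpass_authenticate(user, password):
    """ClearPass proxies to PingFederate; an accepted user always starts in Quarantine."""
    trail = ["Fortinet: Access-Request for %s" % user, "ClearPass: proxy to PingFederate"]
    outcome, attrs = ping_federate(user, password, trail)
    if outcome != "Accept":
        trail.append("ClearPass: Access-Reject to Fortinet")
        return Decision("Access-Reject", {}, trail)
    # "Fortinet-Group-Name" stands in for whichever group attribute the firewall is set to honour.
    trail.append("ClearPass: Access-Accept, policy=Quarantine")
    return Decision("Access-Accept", {"Fortinet-Group-Name": "Quarantine", "groups": attrs["groups"]}, trail)


def clearpass_posture(decision, onguard_report):
    """OnGuard posture: every check must pass before a CoA moves the session to Healthy."""
    if decision.result != "Access-Accept":
        return decision                          # nothing to re-authorise
    failed = sorted(k for k, ok in onguard_report.items() if not ok)
    decision.trail.append("OnGuard: failed checks=%s" % failed)
    if not failed:
        decision.attributes["Fortinet-Group-Name"] = "Healthy"
        decision.trail.append("ClearPass: CoA -> Healthy")
    else:
        decision.trail.append("ClearPass: stays Quarantine")   # fail closed
    return decision
```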

Benefits

  • MFA ensures that only valid and verified users get into the network through SSL-VPN.
  • The posture check of clients against ClearPass ensures that only healthy clients are allowed into the network.
  • With the integration of ClearPass and Fortinet, differential policies can be applied on the firewall according to context such as posture, device type and LDAP groups.
  • Authenticating against ClearPass ensures that users get similar access wherever they are (on-premises or working remotely).
  • Visibility into the users connecting to the network.