RSSO from clearpass to Fortigate firewall

Author
Bennoide
2020/07/14 07:18:19 (permalink)

Hi Everyone,
 
I have a client who has an Aruba wireless solution. We have configured ClearPass to send RADIUS accounting to the FortiGate firewall for BYOD wireless users, and I do see the RADIUS info on the firewall (user wireless username and IP address). However, the users do not match any of the RSSO firewall groups I have created.
 
Herewith the config:
 
config user radius
    edit "RSSO_Agent_CPPM"
        set timeout 5
        set radius-coa disable
        set h3c-compatibility disable
        set username-case-sensitive disable
        set password-renewal disable
        set password-encoding auto
        set rsso enable
        set rsso-radius-server-port 1813
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret ENC 3NiaXtXYFFMccGnSky0v0BS9dbwputkWWIz4yNvMQ/MdOtpZ0hSv8Dpwx5pMs/pBtltGOA5VJL79wtaHU0TvzYHT1PDk9fDqMlHIcgstlVnoJGvkle+HKA6Pnuv5upMT6i3U/KEDMGPlBiYqp0BypUOIiB6tZsfQ/33ZDCTtw5YnkbKB8kQnKvcETyEwoXkM1CmRWQ==
        set rsso-endpoint-attribute User-Name
        unset rsso-endpoint-block-attribute
        set sso-attribute Filter-Id
        set sso-attribute-key ''
        set sso-attribute-value-override enable
        set rsso-context-timeout 28800
        set rsso-log-period 0
        set rsso-log-flags protocol-error profile-missing accounting-stop-missed accounting-event endpoint-block radiusd-other
        set rsso-flush-ip-session disable
        set rsso-ep-one-ip-only disable
    next
end
config user group
    edit "RSSO-SG-FG-AdvancedAuthenticated" <---
        set group-type rsso
        set authtimeout 0
        set sso-attribute-value "SG-FG-ADVANCEDAUTHENTICATED"
    next
    edit "RSSO-SG-FG-ExcoAuthenticated" <---
        set group-type rsso
        set authtimeout 0
        set sso-attribute-value "SG-FG-EXCOAUTHENTICATED"
    next
end

    owla
    Re: RSSO from clearpass to Fortigate firewall 2020/07/14 16:29:03 (permalink)
    Did you check "Firewall User Monitor"? You should see for users under "Method" - "Radius Single-Sign-On", and it is important to see under "User Group" the names of your Radius groups. We had an issue: we didn't see just the "User Group" names. We downgraded firmware (to 6.2.2) and RSSO was fine; after upgrading back (to 6.2.3) we still had successfully detected RSSO user groups. Now we are using 6.2.4 - RSSO works fine.
    post edited by owla - 2020/07/14 16:31:23