I need to configure 802.1X PEAP authentication using ClearPass as NAC and a FortiGate 100D as NAD. Take into consideration that the FortiGate 100D works as a WLC for FortiAP 431F (tunnel mode), so the user authentication and authorization process will follow the workflow user --> FortiAP --> FortiGate --> RADIUS (ClearPass). But I want only users belonging to a specific group to have access to the network. Users and groups will be stored on ClearPass as an authentication source through Active Directory.
I was researching and found the following Fortinet link that gave me an idea:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD36464
I saw that the Fortinet VSA with the attribute fortigate-group-name is included in the CPPM dictionary.
It expects that AVP to be provided by ClearPass (the RADIUS server) in the Access-Accept (if the user passes authentication), with the attribute fortigate-group-name.
Then the FortiGate compares, string by string, what is in the group match config with what it got from the RADIUS server. If it matches perfectly (100% match), the user is considered a member of that group on the FortiGate device, and then it could apply a firewall policy on the FortiGate based on the source group name.
Could the test work with ClearPass and FortiAP following those advices? I will test on Wednesday at the customer site.
I attach two screens of the planning for ClearPass, in enforcement and profiles.
Please, your advice or support: is it possible, or should I follow another way?
------------------------------
jhon roman
------------------------------
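The group-name comparison described in the post, as an added example (not code from the post, Fortinet or Aruba): it parses the Vendor-Specific attributes of a RADIUS Access-Accept, extracts the Fortinet group-name VSA (Fortinet vendor ID 12356, sub-attribute 1, named Fortinet-Group-Name in the Fortinet RADIUS dictionary) and applies the exact, case-sensitive match against a group match table. The group names, the match table and the `build_vsa` helper are constructed sample data, not values from the customer setup.

```python
import struct

# RFC 2865 attribute type 26 carries vendor-specific attributes (VSAs).
RADIUS_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356        # Fortinet's IANA enterprise number
FORTINET_GROUP_NAME = 1           # Fortinet-Group-Name in the Fortinet dictionary


def parse_attributes(blob: bytes):
    """Yield (type, value) pairs from a RADIUS TLV attribute byte string."""
    pos = 0
    while pos + 2 <= len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        yield atype, blob[pos + 2:pos + alen]
        pos += alen


def fortinet_group_names(attrs: bytes) -> list:
    """Return every Fortinet-Group-Name string carried in the VSAs."""
    names = []
    for atype, value in parse_attributes(attrs):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue                      # another vendor's VSA, ignore it
        # After the 4-byte vendor ID the sub-attributes use the same TLV layout.
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == FORTINET_GROUP_NAME:
                names.append(vvalue.decode("utf-8", "replace"))
    return names


def matched_user_groups(attrs: bytes, group_match: dict) -> list:
    """Map returned group names onto FortiGate user groups.

    group_match mirrors a 'config match' table: {fortigate_group: {strings}}.
    The comparison is exact string equality (case-sensitive, whole string),
    which is the 100% match the post describes; no substring or wildcard.
    """
    names = set(fortinet_group_names(attrs))
    return [group for group, strings in group_match.items() if names & strings]


def build_vsa(name: str) -> bytes:
    """Build one Fortinet-Group-Name VSA (constructed sample for testing)."""
    sub = bytes([FORTINET_GROUP_NAME, 2 + len(name)]) + name.encode()
    body = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    return bytes([RADIUS_VENDOR_SPECIFIC, 2 + len(body)]) + body
```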