SSL-VPN with Fortinet Firewall with Ping ID MFA and ClearPass OnGuard Health Check

Overview

  1. SSL-VPN with Multifactor Authentication that verifies that Legitimate user has connected to the network with Second Factor of Verification
  2. The Health Check of the End-Client makes sure that Only Compliant user are allowed onto the network

The Setup Involves below components

  1. Fortinet Firewall as SSL-VPN Concentrator
  2. ClearPass Policy Manager and ClearPass OnGuard
  3. LDAP/AD
  4. Ping Federate
  5. PingID MFA

Workflow


  1. The Client Initiates the SSL VPN Session against the Fortinet Firewall
  2. The Fortinet Firewall forwards the request across ClearPass through Radius
  3. ClearPass Forwards the Request to Ping-Federate through Radius
  4. Ping Federate Checks the Credentials with OpenLDAP/AD and fetches the Attribute
  5. If the Credentials entered are correct the Ping Federate invokes the PingID cloud to send and Push notification to Client
  6. The PingID Cloud sends the Push notification to MFA Authenticator Device like A smartphone with PingID app .

Once the Push notification is approved or rejected the Ping ID would send the response across the Ping-Federate

  1. The Ping Federate sends the Accept or Reject Based on the Response from LDAP and MFA.
  2. ClearPass sends the Radius Accept to the Firewall if Ping Federate Sends an Accept Moving the user to Quarantine or Unknown Policy
  3. ClearPass Onguard on the Client Machine performs the health check and sends the health info to the ClearPass Server
  4. Based on the Health , appropriate Health token is sent to the Fortinet firewall and the User moves to Healthy or Quarantine Policy .

Benefits

  • MFA assures that only Valid and Verified user gets into the Network through SSL-VPN
  • Posture Check on Clients against ClearPass makes sure only Healthy Clients are allowed into the network
  • The Differential Policies on the Firewall can be applied with Integration of ClearPass and Fortinet as per Context like Posture, Type of device and LDAP groups
  • The Authentication against ClearPass, makes sure that the user gets similar access Wherever the user is (On-Prem or working Remotely)
  • Visibility on the user connecting to the Network

Leave a Comment

Your email address will not be published. Required fields are marked *

Related Posts

Wireless Survey

Table of contents: The document covers what is a wireless survey, why wireless survey, the

Get smarter about how networks can offer amazing experiences for your customers and your business.

Contact Us

Airowire Networks PVT LTD
530 Lawrence Expressway
Sunnyvale, California 94085

Services
Social Media Links

Airowire Networks LLC
530 Lawrence Expressway
Sunnyvale, California 94085

Get smarter about how networks can offer amazing experiences for your customers and your business.

Contact Us

Global Offices

Singapore

7 Temasek Boulevard,  
#12-07, Suntec Tower
One  – 038987

Bengaluru

L-29, 3rd Floor, 2nd A Main,
HSR Layout Sector 6,
Bengaluru – 560102

Hyderabad

Ikeva Workspace
8-2-624/A/1, Level 1, am@10,
MB Towers, Road No. 10,
Banjara Hills – 500034

Mumbai

A12 Marol Mayur CHSL,
Military Road Marol,
Andheri East – 400059

Airowire Networks 2021. © All Rights Reserved Made with 💛 by The Web People