Overview
- SSL-VPN with multifactor authentication, which verifies that a legitimate user has connected to the network using a second factor of verification
- A health check of the end client, which makes sure that only compliant users are allowed onto the network
The setup involves the following components:
- Fortinet Firewall as SSL-VPN Concentrator
- ClearPass Policy Manager and ClearPass OnGuard
- LDAP/AD
- PingFederate
- PingID MFA
Workflow
- The client initiates the SSL VPN session against the Fortinet firewall
- The Fortinet firewall forwards the request to ClearPass through RADIUS
- ClearPass forwards the request to PingFederate through RADIUS
- PingFederate checks the credentials against OpenLDAP/AD and fetches the user's attributes
- If the credentials entered are correct, PingFederate invokes the PingID cloud to send a push notification to the client
- The PingID cloud sends the push notification to the MFA authenticator device, such as a smartphone with the PingID app
- Once the push notification is approved or rejected, PingID sends the response back to PingFederate
- PingFederate sends an Accept or Reject based on the responses from LDAP and MFA
- If PingFederate sends an Accept, ClearPass sends a RADIUS Accept to the firewall, placing the user in the Quarantine or Unknown policy
- ClearPass OnGuard on the client machine performs the health check and sends the health information to the ClearPass server
- Based on the health result, the appropriate health token is sent to the Fortinet firewall and the user moves to the Healthy or Quarantine policy
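The workflow above, modelled as an added example that is not part of the original page or of any Fortinet, Aruba or Ping product code. It stands in for LDAP/AD, the PingID cloud, PingFederate, ClearPass and the firewall with constructed data, and makes two properties of the chain checkable: a push is never triggered for a bad password, and a tunnel only reaches the Healthy policy after both MFA approval and a compliant OnGuard report.

```python
from dataclasses import dataclass, field
from enum import Enum

class Policy(Enum):
    UNKNOWN = "Unknown"        # assigned on RADIUS Accept, before posture is known
    QUARANTINE = "Quarantine"  # OnGuard reported a non-compliant client
    HEALTHY = "Healthy"        # OnGuard reported a compliant client

# Constructed directory and MFA data standing in for LDAP/AD and the PingID cloud.
DIRECTORY = {"alice": ("S3cret!", ["vpn-users"]), "bob": ("hunter2", ["vpn-users"])}
PUSH_ANSWERS = {"alice": True, "bob": False}   # what each user taps in the PingID app
push_log = []                                   # every push PingFederate triggers

def pingfederate_auth(user, password):
    """PingFederate: LDAP check first, PingID push only on valid credentials."""
    record = DIRECTORY.get(user)
    if record is None or record[0] != password:
        return "Reject", None                   # bad password: no push is sent
    push_log.append(user)
    if not PUSH_ANSWERS.get(user, False):       # push denied or timed out
        return "Reject", None
    return "Accept", record[1]                  # Accept plus LDAP group attributes

@dataclass
class ClearPass:
    sessions: dict = field(default_factory=dict)

    def radius_auth(self, user, password):
        """Proxy the firewall's RADIUS request to PingFederate; an Accept lands in Unknown."""
        result, groups = pingfederate_auth(user, password)
        if result != "Accept":
            return "Reject", None
        self.sessions[user] = {"groups": groups, "policy": Policy.UNKNOWN}
        return "Accept", Policy.UNKNOWN

    def onguard_report(self, user, compliant):
        """OnGuard posture result: the firewall policy becomes Healthy or Quarantine."""
        if user not in self.sessions:
            return None                         # no authenticated tunnel to update
        policy = Policy.HEALTHY if compliant else Policy.QUARANTINE
        self.sessions[user]["policy"] = policy
        return policy

def vpn_login(clearpass, user, password, compliant):
    """Firewall view: RADIUS authentication, then the posture-driven policy update."""
    result, _policy = clearpass.radius_auth(user, password)
    if result != "Accept":
        return None                             # tunnel never comes up
    return clearpass.onguard_report(user, compliant)
```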
Benefits
- MFA ensures that only valid, verified users get into the network through SSL-VPN
- The posture check of clients against ClearPass ensures that only healthy clients are allowed into the network
- With the ClearPass and Fortinet integration, differentiated policies can be applied on the firewall according to context such as posture, type of device and LDAP groups
- Authenticating against ClearPass ensures that the user gets the same access wherever the user is (on-premises or working remotely)
- Visibility into the users connecting to the network