Skip to main content
FortiArt
Staff
FortiArt
Staff
January 10, 2026

Technical Tip: Integrating FortiGate with Aruba ClearPass to support multiple user roles

  • January 10, 2026
  • 0 replies
  • 2655 views
Description This article describes how to integrate FortiGate with Aruba ClearPass to support multiple user roles.
Scope FortiGate.
Solution

The FortiGate can integrate with ClearPass through RSSO. To apply RSSO policies across different profiles, there is a simple method that makes the process straightforward. On the ClearPass side, the administrator needs to add the FortiGate as a NAS client and use the same pre-shared key that is configured for 802.1X communication between the Wi-Fi controller and ClearPass.

 

In addition, the Aruba ClearPass as a Radius proxy must be configured to send RADIUS accounting Start/Stop messages to the FortiGate as a RADIUS client. Such messages include the user roles configured using specific attributes such as filter-ID rules. For more info, refer to the following external links:

ClearPass Integration with FortiGate 

ClearPass Adding a Network Device 

 

On FortiGate, configure the following:

  1. Configure the RADIUS server (The NAS IP is the IP address that is configured as the NAS Client in ClearPass for the FortiGate) by navigating to User & Authentication -> RADIUS Servers -> New RADIUS Server.

    100.PNG


Configure the following parameters in CLI:

 

config user radius

    edit ClearPass

        set rsso enable

        set rsso-endpoint-attribute User-Name

    next

end

 

  1. Configure an RSSO method in the FortiGate (Security Fabric -> Fabric Connectors -> RADIUS Single Sign-on Agent:(


101.PNG

 

  1. Enable the RADIUS Accounting feature in the relevant interface (Network -> Interface -> Select Interface -> Select the 'RADIUS Accounting' checkbox under Administrative Access:(


102.PNG
At this point, RSSO users are listed under: Monitor -> Firewall User Monitor; however, it is possible to see all the users appear without User-Groups.

  1. Configure one or more user groups (User & Authentication -> User Groups -> Select New User Group:(


103.PNG
The RADIUS Attribute Value must exactly match the filter-id defined in ClearPass for the corresponding user role (with brackets and everything when necessary), otherwise the configuration will not work. At this stage, users must also be assigned to a User-Group in FortiGate user monitor.

  1. When the user belongs to multiple roles, for example:

('[User Authenticated] and [Device Authenticated]' or '[User Authenticated] and [IT]').

 

The RADIUS Attribute Value must be concatenated when the user meets both roles. To check the ClearPass attribute that is sent to the FortiGate, use the following command:

 

diagnose test application radiusd 3

 

  1. Lastly, set up firewall policies in order from the most restrictive to the least restrictive. For example:

  1. From LAN to Internet for ([User Authenticated] and [IT]) -> No Restrictions.
  2. From LAN to Internet for ([User Authenticated] and [Device Authenticated]) -> Diverse UTM Profiles.
  3. From LAN to Internet for ([User Authenticated]) -> i.e., Guest Users - Limited Connectivity.
  4. From LAN to Internet for No Authentication -> Block Traffic.
Terms & ConditionsAccessibility statement