I'm using Aruba ClearPass to send accounting records to a FortiGate by sending the Roles of the authenticated user - this all works. However, this information contains multiple entries:
FG800C-264 $ diag rsso query ip 172.27.0.12
Receive IPC query for vd 0:root. Using vd server 0:root
DB 0 find [ep='John' pg='Allowed-Device, School-Operations-Role, School-Programs-Role, [User Authenticated]' ip='172.27.0.12'] match
Endpoint: John
    RSSO Key: Allowed-Device, School-Operations-Role, School-Programs-Role, [User Authenticated]
    IP Addresses:
        IP: 172.27.0.12, Time left (hh:mm:ss): 07:59:59 **
DB 0 find all [ep='John' pg='n/a' ip=''] match
vd=0 Query reply ip[172.27.0.12] ep[] prof[]
Querying IP '172.27.0.12'
I need to create a User Group RSSO that will match on the RADIUS Attribute Value if it contains "School-Programs-Role". I don't care about the other information. If I just specify School-Programs-Role, it doesn't match - seems to be an exact match only. Is there a way to do this?
Thanks!
-Robin-
According to TAC, this is not possible. There's no mechanism in the OS currently (5.2.8) to parse the contents of the received data - such as a regex expression.
-Robin-
Correct, there is no partial string or regex match possible, only full string comparison.
If your chosen AVP does contain more than the expected value, due to its variable nature, then it might be better to choose or create a different AVP and match against that artificial one, which will always contain exactly what you have set in it.
Check the RADIUS server accounting policies to see whether it can inherit or add a certain AVP per authenticated user group or similar. That will help you divide users better and more automatically.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
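The following is an added example written for this thread, not code from FortiGate, ClearPass or any poster. It hand-rolls RFC 2865/2866 Accounting-Request framing so the two behaviours discussed above can be reproduced offline: an RSSO group that is compared as a full string never matches when the attribute carries the whole comma-joined role list, while a separate attribute instance holding exactly the group name does match. Assumptions: the group is read from the Class attribute (type 25), the shared secret and user values are constructed sample data taken from the diag output in the question, and the exact-match rule is a model of what TAC described, not FortiGate's actual implementation.

```python
"""Constructed demonstration of why an RSSO group match on a multi-valued AVP fails
and how a dedicated single-value AVP fixes it. Not FortiGate or ClearPass code."""
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4          # RADIUS code for Accounting-Request (RFC 2866)
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CLASS = 25                 # assumption: the RSSO group is read from Class
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS_START = 1

# Constructed sample values, mirroring the diag output in the question.
SHARED_SECRET = b"constructed-shared-secret"
USER = b"John"
USER_IP = "172.27.0.12"
CONCATENATED_ROLES = (b"Allowed-Device, School-Operations-Role, "
                      b"School-Programs-Role, [User Authenticated]")
WANTED_GROUP = "School-Programs-Role"


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV: type (1 byte), total length (1 byte), value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_accounting_request(identifier: int, attrs, secret: bytes = SHARED_SECRET) -> bytes:
    """Accounting-Request whose Request Authenticator follows RFC 2866:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier & 0xFF, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """Recompute the Request Authenticator; a wrong secret or a tampered body fails."""
    if len(packet) < 20:
        return False
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attrs(packet: bytes):
    """Walk the attribute list, rejecting truncated or overlapping TLVs."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def rsso_group_matches(attrs, group_name: str, sso_attr_type: int = ATTR_CLASS) -> bool:
    """Model of the behaviour TAC described: the RSSO user group matches only when an
    instance of the SSO attribute equals the group name as a full string."""
    return any(t == sso_attr_type and v.decode("utf-8", "replace") == group_name
               for t, v in attrs)


def demo():
    base = [
        (ATTR_USER_NAME, USER),
        (ATTR_FRAMED_IP_ADDRESS, socket.inet_aton(USER_IP)),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
    ]
    # What the question shows today: every role joined into one Class value.
    as_is = build_accounting_request(1, base + [(ATTR_CLASS, CONCATENATED_ROLES)])
    # The workaround from the reply: an extra AVP instance carrying exactly the group name.
    dedicated = build_accounting_request(2, base + [(ATTR_CLASS, CONCATENATED_ROLES),
                                                   (ATTR_CLASS, WANTED_GROUP.encode())])
    return {
        "as_is_verifies": verify_accounting_request(as_is),
        "as_is_matches": rsso_group_matches(parse_attrs(as_is), WANTED_GROUP),
        "substring_present": WANTED_GROUP in CONCATENATED_ROLES.decode(),
        "dedicated_matches": rsso_group_matches(parse_attrs(dedicated), WANTED_GROUP),
        "tampered_verifies": verify_accounting_request(as_is[:-1] + b"X"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows `substring_present` true but `as_is_matches` false, which is exactly the gap Robin hit: the role name is inside the value, yet the full-string comparison fails. `dedicated_matches` is true because the second Class instance equals the group name byte for byte, which is what sending a purpose-built AVP from the RADIUS server achieves. The authenticator check is included because any accounting receiver should drop records that do not verify against the shared secret before acting on their attributes.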
Copyright 2024 Fortinet, Inc. All Rights Reserved.