Does Extreme still have technological partnership with Fortinet?

Hello, everybody,

I have a client which has FG-600 and X430 access switches with Netsight&NAC.

What benefits could I get from Forti&Extreme integration in this case? If it's still possible...

Thanks.
Ilya Semenov

Posted 4 months ago
Kurt Semba, Employee

Hi Ilya,

the FortiGate solutions are actually 2 integrations. 

The first integration is the single sign-on which uses RADIUS accounting. The integration uses the ExtremeControl notification engine and listens for end system updates. When an end system that has a username and IP address transitions to an accept state, we send a RADIUS accounting start message to the FortiGate to start the session. When the end system transitions to the disconnected state, we send a RADIUS accounting stop message to end the session. We have the option to send the RADIUS accounting interim message to keep the session alive.

The Fortinet filtering rules are accomplished by adding a RADIUS attribute called profile. The value of profile is the ExtremeControl profile name. This creates a mapping in the FortiGate where the ExtremeControl profile name is associated to a user group. Filtering rules can now be created where rules are applied to specific user groups.

The 2nd integration is the distributed IPS.  This solution is generic and works with multiple firewalls.  It’s an event driven solution that relies on matching a regular expression with the event message.  When a regular expression match is found, we parse out the threat IP, threat MAC, or threat name and take action.  Currently the action is adding the threat to an end system group and applying different network access for the device.

Hope that helps and makes sense.
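The accounting Start/Stop/Interim flow Kurt describes, as an added example written for this thread (not ExtremeControl, Fortinet or Netsight code): it builds an RFC 2866 Accounting-Request carrying the username, IP and profile name, computes the Request Authenticator, and shows the receiver-side check that rejects messages from a sender without the shared secret. The choice of the standard Class attribute to carry the profile name, the shared secret and all session values are assumptions made for the example; the post does not say which attribute the real integration uses.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 2866 Accounting-Request code and the standard attributes used here.
ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, CLASS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 8, 25, 40, 44
STATUS = {"start": 1, "stop": 2, "interim": 3}  # Acct-Status-Type values (RFC 2866 s5.1)


def _attr(atype, value):
    """Encode one Type-Length-Value RADIUS attribute (value at most 253 octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_accounting_request(secret, identifier, status, username, ip, profile, session_id):
    """Build the Accounting-Request an access-control system would send on an
    end-system state change. Assumption: the profile name rides in Class (25)."""
    attrs = (
        _attr(ACCT_STATUS_TYPE, struct.pack("!I", STATUS[status]))
        + _attr(USER_NAME, username.encode())
        + _attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)
        + _attr(CLASS, profile.encode())
        + _attr(ACCT_SESSION_ID, session_id.encode())
    )
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 s3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_accounting_request(packet, secret):
    """Receiver-side check: a request whose authenticator was not produced with
    the shared secret must be silently discarded, not turned into a session."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_attributes(packet):
    """Return {attribute type: raw value} for the attributes of a RADIUS packet."""
    out, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        out[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return out
```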
Ilya Semenov
Hi, Kurt! Thanks for your reply!

At the moment Fortigate authenticates Wi-Fi users with their Active Directory credentials.

Could I make Fortigate send authentication data to Netsight? I want to see usernames in Netsight > Control > Endsystems.

Is it possible?
Kurt Semba, Employee
Hi Ilya,

the current integration is meant to use Extreme Control to authenticate the users and then send this data to the Fortigate - not the other way around.

With XMC v8.1 we will introduce a new API that allows us to create new end-systems via a REST interface. This could be used to implement what you are asking for but this feature is not yet planned.

Do you know how Fortigate could send authentication data to XMC? Or does Fortigate provide a scripting engine that can be triggered whenever a new user is authenticated?
Ilya Semenov
Kurt,

I would like to authorize Active Directory users through customized NAC portal. I know it is possible. 

Could AD usernames be sent to Fortigate from NAC?

Thank you!
Kurt Semba, Employee
Ilya,

yes, as far as I know you can configure the NAC portal to perform user authentication against an AD (LDAP). Once the user has authenticated, you should see the username and IP address within the NAC end-system list and the user should be in ACCEPT state - is that the case?

If so, then the Connect Fortigate integration will forward that data to the Fortigate, no matter where the username is coming from (AD, 1X, portal, etc.). Give it a try and let me know how it goes.

Kurt