This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (Other)
- Does Extreme still have technological partnership ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Does Extreme still have technological partnership with Fortinet?
Does Extreme still have technological partnership with Fortinet?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-16-2018 08:36 AM
Hello, everybody,
I have a client which has FG-600 and X430 access switches with Netsight&NAC.
What benefits could I get from Forti&Extreme integration in this case? If it's still possible...
Thanks.
I have a client which has FG-600 and X430 access switches with Netsight&NAC.
What benefits could I get from Forti&Extreme integration in this case? If it's still possible...
Thanks.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-16-2018 08:44 AM
Hi Ilya,
the FortiGate solutions are actually 2 integrations.
The first integration is the single sign-on which uses RADIUS accounting. The integration uses the ExtremeControl notification engine and listens for end system updates. When an end system that has a username and IP address transitions to an accept state, we send a RADIUS accounting start message to the FortiGate to start the session. When the end system transitions to the disconnected state, we send a RADIUS accounting stop message to end the session. We have the option to send the RADIUS accounting interim message to keep the session alive.
The Fortinet filtering rules are accomplished by adding a RADIUS attribute called profile. The value of profile is the ExtremeControl profile name. This creates a mapping in the FortiGate where the ExtremeControl profile name is associated to a user group. Filtering rules can now be created where rules are applied to specific user groups.
The 2nd integration is the distributed IPS. This solution is generic and works with multiple firewalls. It’s an event driven solution that relies on matching a regular expression with the event message. When a regular expression match is found, we parse out the threat IP, threat MAC, or threat name and take action. Currently the action is adding the threat to an end system group and applying different network access for the device.
Hope that helps and makes sense.
the FortiGate solutions are actually 2 integrations.
The first integration is the single sign-on which uses RADIUS accounting. The integration uses the ExtremeControl notification engine and listens for end system updates. When an end system that has a username and IP address transitions to an accept state, we send a RADIUS accounting start message to the FortiGate to start the session. When the end system transitions to the disconnected state, we send a RADIUS accounting stop message to end the session. We have the option to send the RADIUS accounting interim message to keep the session alive.
The Fortinet filtering rules are accomplished by adding a RADIUS attribute called profile. The value of profile is the ExtremeControl profile name. This creates a mapping in the FortiGate where the ExtremeControl profile name is associated to a user group. Filtering rules can now be created where rules are applied to specific user groups.
The 2nd integration is the distributed IPS. This solution is generic and works with multiple firewalls. It’s an event driven solution that relies on matching a regular expression with the event message. When a regular expression match is found, we parse out the threat IP, threat MAC, or threat name and take action. Currently the action is adding the threat to an end system group and applying different network access for the device.
Hope that helps and makes sense.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-16-2018 08:44 AM
Ilya,
yes, as far as I know you can configure the NAC portal to perform user authentication against an AD (LDAP). Once the user authenticated, you should see the username and IP address within the NAC end-system list and the user should be in ACCEPT state - is that the case?
If so, then the Connect Fortigate integration will forward that data to the Fortigate. No matter where the username is coming from (AD, 1X, portal, etc.). Give it a try and let me know how it goes.
Kurt
yes, as far as I know you can configure the NAC portal to perform user authentication against an AD (LDAP). Once the user authenticated, you should see the username and IP address within the NAC end-system list and the user should be in ACCEPT state - is that the case?
If so, then the Connect Fortigate integration will forward that data to the Fortigate. No matter where the username is coming from (AD, 1X, portal, etc.). Give it a try and let me know how it goes.
Kurt
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-16-2018 08:44 AM
Kurt,
I would like to authorize Active Directory users through customized NAC portal. I know it is possible.
Could AD usernames be sent to Fortigate from NAC?
Thank you!
I would like to authorize Active Directory users through customized NAC portal. I know it is possible.
Could AD usernames be sent to Fortigate from NAC?
Thank you!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-16-2018 08:44 AM
Hi Ilya,
the current integration is meant to use Extreme Control to authenticate the users and then send this data to the Fortigate - not the other way around.
With XMC v8.1 we will introduce a new API that allows us to create new end-systems via a REST interface. This could be used to implement what you are asking for but this feature is not yet planned.
Do you know how Fortigate could send authentication data to XMC? Or does Fortigate provide a scripting engine that can be triggered whenever a new user is authenticated?
the current integration is meant to use Extreme Control to authenticate the users and then send this data to the Fortigate - not the other way around.
With XMC v8.1 we will introduce a new API that allows us to create new end-systems via a REST interface. This could be used to implement what you are asking for but this feature is not yet planned.
Do you know how Fortigate could send authentication data to XMC? Or does Fortigate provide a scripting engine that can be triggered whenever a new user is authenticated?
