I created some Python scripts for ClearPass. The scripts can be found on Github. There are several directories:
- config: contains the parameters to authenticate against ClearPass and acquire an access token;
- general_scripts: some general configuration scripts, like a Password Generator script or Date/Time script;
- guests: scripts for adding or deleting guest accounts. I created a script to add guest accounts via a CSV file and print the most important information to a Guest Pass in Word format;
- localusers: scripts for adding or deleting local user accounts;
First of all, I would like to thank Tim Cappalli for the ClearPass Authentication scripts!!
A special thanks to Tim Cappalli for the ClearPass Authentication scripts!!
Today’s customer is having a problem with OnDemand tokens on a FortiGate firewall. The FortiGate firewall uses RADIUS authentication for SSL VPN user authentication. FortiAuthenticator is used as RADIUS server. To strengthen the security levels, FortiAuthenticator is configured to demand two-factor authentication (2FA) for successful authentication. FortiAuthenticator has multiple options to demand 2FA from a user, like hardware FortiTokens, FortiToken Mobile or mail or SMS services.
Problem with the latter two could be timeouts. By default, FortiAuthenticator expects the token code after 60 seconds. This value is customizable.
However, only changing the timeout in FortiAuthenticator isn’t enough, because FortiGate has its own timeout value too. So you need to change this value if you would like to increase the time between entering username/password and token code. The timers are configurable via the CLI in “system global”
two-factor-email-expiry: Email-based two-factor authentication session timeout (30 – 300 seconds (5 minutes), default = 60).
two-factor-fac-expiry: FortiAuthenticator token authentication session timeout (10 – 3600 seconds (1 hour), default = 60).
two-factor-ftk-expiry: FortiToken authentication session timeout (60 – 600 sec (10 minutes), default = 60).
two-factor-ftm-expiry: FortiToken Mobile session timeout (1 – 168 hours (7 days), default = 72).
two-factor-sms-expiry: SMS-based two-factor authentication session timeout (30 – 300 sec, default = 60).
In this particular case, I changed the two-factor-fac-expiry setting to match the setting on FortiAuthenticator.
The script is used to execute a CLI command on one or multiple switches. The script use switches.txt as input file to login to one or multiple switches. When the scripts is executed the script asks for username and password and which command to execute. The status codes of the different sections is displayed and the output from the CLI command is send to file. The file name syntax will be SW<IP>_<sw hostname>_<cli command>.txt
- create switches.txt and add the switch IP address – one IP address per line
- execute the Python script
- the script is test with:
- python 3.6
- Aruba JL258A 2930F-8G-PoE+-2SFP+ Switch
- Software revision WC.16.05.0004
One of the features I would like to see in a FortiGate is the ability to automatically create backups and copy them to offline storage. Of course, this can be accomplished by adding FortiManager to the solution, but why would I need FortiManager if I only have one FortiGate (cluster). Another option would be using scripts, like Python or PowerShell, with scheduled tasks on servers to pull a backup from the FortiGate firewalls.
A very basic option would be the usage of system auto-script in FortiOS 5.4 and higher. Use this command to create CLI command scripts that can be saved and run. This gives you the possibility to auto-script the execute backup full-config commando. A disadvantage of this command is that you only have the option to use (T)FTP. There is no option to use a secure protocol like SFTP.
An example of an auto-script:
The example executes the backup command and sends the backup via TFTP to the TFTP server. The script runs every 24 hours (86400 seconds). It repeats infinite and starts automatically.
The script can also be configured via the GUI (Global >> System >> Advanced >> Configuration Scripts). More information about the feature can be found here.