topic TACACS Authentication and Fortigate Appliances in Network Access Control

TACACS Authentication and Fortigate Appliances

dustin.poole — Mon, 11 Mar 2019 03:37:19 GMT

I have been trying to get TACACS authentication setup for my Fortigate webfilters and analyzers however I am missing the attributes to set the match conditions for the users who log in with the AD credentials to assign them the correct user profile type. I was wondering if anyone has a complete guide on how to do this. Thanks for your help.

TACACS Authentication and Fortigate Appliances

Eduardo Aliaga — Fri, 05 Jul 2013 03:48:22 GMT

Hello, in this link you have the fortinet configuration

http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD33320

If you 're using ACS as your TACACS server then you must configure the following shell profile

Please rate if this helps

TACACS Authentication and Fortigate Appliances

dustin.poole — Fri, 05 Jul 2013 15:39:04 GMT

I am using ACS as my TACACS server and this post was helpful however I still missing a pieces.I still need the custom attributes to set for each user type like super_admin for example.

It's also not clear to me how or why you have to create user group with no users and noaccess. Thanks for the input.

TACACS Authentication and Fortigate Appliances

Eduardo Aliaga — Fri, 05 Jul 2013 17:27:07 GMT

The link mentions the admin profile called "noaccess" just as an example. You could just use the admin profile called "super_admin" instead.

Also in the example the user "admin" does belong to the user group "test_group" and this user group is linked to the tacacs server called "tac_plus" .

Please rate if this helps

TACACS Authentication and Fortigate Appliances

Chheang Va — Tue, 13 Aug 2013 15:26:16 GMT

How do you find out if that the user "admin" belongs to the group "test_group"?

Also, once you configure the Shell Profile, do you need to create a separate Authorization Profile to use that Shell Profile?

Re: TACACS Authentication and Fortigate Appliances

j3dickler — Tue, 13 Aug 2013 18:47:58 GMT

I am experiencing issues with this also. I have my attributes set up same as above example but I get full admin access no matter what I put in the admin_prof value. When I look in the ACS TACACS logs I see no evidence of any authorization packets being sent to the Fortinet and no value pairs in the authentication reply either. Any suggestions at all??? We are using V4 M3.

TACACS Authentication and Fortigate Appliances

Chheang Va — Wed, 14 Aug 2013 19:19:57 GMT

I finally got it to work.

On the Fortinet side, you need to make sure you have an Admin user created (ie, "test") that is setup for Remote login, Wildcard, and a profile of NOACCESS.

On the ACS side, you need to create 2 different Shell Profiles (RW and RO). They should have the following attributes (note, I am referencing the group name from Eduardo's link):

service=fortigate

memberof=test_group

admin_prof=super_admin

service=fortigate

memberof=test_group

admin_prof=read_only

Make sure you have both the super_admin and read_only Admin Profiles on your Fortigate.

Let me know if that helps.

TACACS Authentication and Fortigate Appliances

j3dickler — Thu, 15 Aug 2013 15:50:34 GMT

I believe I have it set up as you explained. I can see in ACS logs that the autho parms are now being sent.

---------------------------

{Type=Authorization; Author-Reply-Status=PassRepl; AVPair=memberof=TacAdmin; AVPair=admin_prof=super_user; AVPair=service=fortigate; }

---------------------------

However, they are not overriding the noaccess setting in the wildcard admin. I also notice that i can not check the wildcard box in the gui if i try to create a user there. It is greyed out. Does the user need to be named "wildcard"? and... does it have to be built in the CLI?

TACACS Authentication and Fortigate Appliances

Chheang Va — Thu, 15 Aug 2013 16:06:16 GMT

No the user does not need to be named Wildcard. Do you have another user already that has wildcard enabled? I think you can only have Wildcard enabled on 1 user. If you don't have any enabled and it's still greyed out, then try to configure it via the CLI.

config system admin

edit user

set wildcard enable

Post a screenshot of your Admin users.

TACACS Authentication and Fortigate Appliances

j3dickler — Thu, 15 Aug 2013 17:04:11 GMT

config system admin

edit "cbadmin"

set remote-auth enable

set accprofile "super_admin"

set vdom "root"

set remote-group "RadAdmin"

set password ENC AK1sRSaM12nMCQq1q3pKtYvepgsbJEDF0AuEWsxFw4eXSE=

edit "wildcard"

set remote-auth enable

set accprofile "noaccess"

set vdom "root"

set wildcard enable

set remote-group "TacAdmin"

set accprofile-override enable

edit "admin"

set accprofile "super_admin"

set vdom "root"

set password ENC AK167u4bh2JDbsjRKqG7q4zjkbL6cQOUCN7gKwqFDBMf9A=

edit "jdickler23"

set remote-auth enable

set accprofile "prof_admin"

set vdom "root"

set remote-group "TacAdmin"

set password ENC AK17gik2+xKWlkgiSK8IUpLpE+0zI5veH5vplRvI+B0RMc=

edit "jdicklertest"

set accprofile "super_admin"

set vdom "root"

set password ENC AK1twU3/13H7u/D1vdjMXvOJqP3UmEtWwdG4JQDfofgnuM=

edit "pkgeev01"

set accprofile "super_admin"

set vdom "root"

set password ENC AK1kOd5dSxmKm8A47m0D05OITNrozFsiaCGk4lyOv3ugaQ=

end

TACACS Authentication and Fortigate Appliances

j3dickler — Thu, 15 Aug 2013 17:52:38 GMT

we got it to work..... mixed up super_admin with the more popular super_user. once corrected it all works fine. thx for your input it was very reassuring.

TACACS Authentication and Fortigate Appliances

jackwikinski — Tue, 03 Sep 2013 21:54:31 GMT

Hi All,

I am attempting to set up authentication from Fortigate V5 towards ACS v4.2.

I am trying to setup the attributes for noaccess and have run into an issue of:

config system accprofile

edit "noaccess"

unset menu-file

end

I cannot do the command unset menu-file. The only options I have with unset are:

admingrp Access permission.

authgrp Access permission.

comments Comments.

endpoint-control-grp Access permission.

fwgrp Access permission.

loggrp Access permission.

mntgrp Access permission.

netgrp Access permission.

routegrp Access permission.

scope Global or single VDOM access restriction.

sysgrp Access permission.

updategrp Access permission.

utmgrp Access permission.

vpngrp Access permission.

wanoptgrp Access permission.

wifi Wireless controller.

Any help would be appreciated.

Thanks.

Jack.

TACACS Authentication and Fortigate Appliances

Chheang Va — Wed, 04 Sep 2013 02:36:58 GMT

Try the following (also, it's easier to create this in the GUI as there is only 1 button to set everything to unset):

edit "noaccess"

set admingrp none

set authgrp none

set endpoint-control-grp none

set fwgrp none

set loggrp none

unset menu-file

set mntgrp none

set netgrp none

unset roles

set routegrp none

set scope vdom

set sysgrp none

set updategrp none

set utmgrp none

set vpngrp none

set wanoptgrp none

set wifi none

end

TACACS Authentication and Fortigate Appliances

jackwikinski — Wed, 04 Sep 2013 07:51:27 GMT

Thanks for the prompt response.

I am now encountering problems setting the av pairs.

Below is my configuration:

Any assistance would be appreciated.

Thanks.

Jack.

TACACS Authentication and Fortigate Appliances

Chheang Va — Wed, 04 Sep 2013 13:40:58 GMT

What exactly is the problem? The AV configuration looks correct (make sure you have the Netsec group created in FortiNet).

Did following the link in the very first post? http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD33320

You need to make sure you have a group and user created with all the same settings as shown in the link. Compare your configuration output against theirs. One thing to make sure of is to have the "set accprofile-ovride enable" on the user.

TACACS Authentication and Fortigate Appliances

jackwikinski — Thu, 05 Sep 2013 11:46:47 GMT

Hi,

Thanks for your help upto now.

The issue I am having is I get an error message in the Fortigate logs saying invlaid password.

I have checked this username and password with other equipment we have and it works well.

Please find below the configuration of the Fortigate I currently have in place. The ACS configuration is in the above thread.

config system accprofile

edit "prof_admin"

set admingrp read-write

set authgrp read-write

set endpoint-control-grp read-write

set fwgrp read-write

set loggrp read-write

set mntgrp read-write

set netgrp read-write

set routegrp read-write

set sysgrp read-write

set updategrp read-write

set utmgrp read-write

set vpngrp read-write

set wanoptgrp read-write

set wifi read-write

edit "MGT"

set admingrp read-write

set authgrp read-write

set endpoint-control-grp read-write

set fwgrp read-write

set loggrp read-write

set mntgrp read-write

set netgrp read-write

set routegrp read-write

set sysgrp read-write

set updategrp read-write

set utmgrp read-write

set vpngrp read-write

set wanoptgrp read-write

set wifi read-write

edit "NOACCESS"

end

config system admin

edit "admin"

set trusthost3

set accprofile "super_admin"

set vdom "root"

config dashboard-tabs

edit 1

set name "Status"

edit 2

set columns 1

set name "Top Sources"

edit 3

set columns 1

set name "Top Destinations"

edit 4

set columns 1

set name "Top Applications"

edit 5

set columns 1

set name "Traffic History"

edit 6

set columns 1

set name "Threat History"

end

config dashboard

edit 1

set tab-id 1

set column 1

edit 2

set widget-type licinfo

set tab-id 1

set column 1

edit 3

set widget-type jsconsole

set tab-id 1

set column 1

edit 4

set widget-type sysres

set tab-id 1

set column 2

edit 5

set widget-type gui-features

set tab-id 1

set column 2

edit 6

set widget-type alert

set tab-id 1

set column 2

set top-n 10

edit 21

set widget-type sessions

set tab-id 2

set column 1

set top-n 50

set sort-by msg-counts

edit 31

set widget-type sessions

set tab-id 3

set column 1

set top-n 25

set sort-by msg-counts

set report-by destination

edit 41

set widget-type sessions

set tab-id 4

set column 1

set top-n 25

set sort-by msg-counts

set report-by application

edit 51

set widget-type sessions-bandwidth

set tab-id 5

set column 1

end

config login-time

edit "admin"

set last-failed-login 2013-09-03 04:08:27

set last-login 2013-09-05 04:36:27

end

set password ENC AK1O4Q8273vSAUyUkC4t4GOkSb40llfIAUEnr4uqWDgBX8=

end

edit "jackw"

set remote-auth enable

set trusthost1

set accprofile "NOACCESS"

set vdom "MGT"

config login-time

edit "jackw"

set last-failed-login 2013-09-04 08:10:41

edit "jackw@888holdings.com"

set last-failed-login 2013-09-04 07:53:30

end

set wildcard enable

set remote-group "Netsec"

set accprofile-override enable

end

config user tacacs+

edit "tacacs+"

set authorization enable

set key ENC jTbeQPV44emKUByXuHAQdY3CoxYY3/9MoFsuW4YAiC88JiSJmd3yrFv7VMyrGVUJK6Fv3DzcL9VMetGJ60I332W5cLP53jpYSHJnkJB0B5aKffK7mdC+PBU/HcmyogEWACOO9my9fxG85AFqKdRj6VUirtmluw4WR0GTkdtCbXK4zE8JHC+iYx5ALicUK/G/tWbc/g==

set server "192.118.67.39"

end

config user group

edit "Netsec"

set member "tacacs+"

config match

edit 1

set server-name "tacacs+"

set group-name "Netsec"

end

config user local

edit "jackw"

set type tacacs+

set email-to ""

set tacacs+-server "tacacs+"

end

Thanks again.

Jack.

TACACS Authentication and Fortigate Appliances

Chheang Va — Thu, 05 Sep 2013 13:47:24 GMT

Here is a couple of things that I noticed:

1. The NOACCESS accprofile should have some output similiar to (set admingrp none, set authgrp none....)

2. I have my user group-type set to firewall

config user group

edit "Netsec"

set group-type firewall

set authtimeout 0

set http-digest-realm ''

set sslvpn-portal ''

set member "tacacs+"

end

3. The tacacs+ configuration should have a source-ip, otherwise, the ACS server can't match it to it's AAA client

Other things to note, be sure to add the Fortinet as a AAA client and make sure the key matches. Check the logs on both the ACS server and the Fortinet side. The Fortinet side should not determine that the password is incorrect, it should be the ACS server's job. Everything else looks right so make those changes and check the ACS log.

TACACS Authentication and Fortigate Appliances

Muhammad Munir — Tue, 10 Sep 2013 06:49:06 GMT

Please go through this link, this will be helpful regarding TCSACS Authentication and Fortigate configuration:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

Hi chheangva, As you said I

ABDUL RAHIMAN K.M — Tue, 15 Apr 2014 12:38:17 GMT

Hi chheangva,

As you said I created two shell profiles in ACS , one for RO and other for RW.

On the Fortinet side, I created an Admin user (ie, "test") that is setup for Remote login, Wildcard, and a profile of NOACCESS.

but they are not overriding the noaccess setting. Please help

The configuration isn't

Erik Eichhorst — Mon, 26 May 2014 13:01:49 GMT

The configuration isn't correct, in the field "Custom attributes" you have to set the following values:

memberof=<tacacs+-group>

admin_prof=<Req. profile>

For further details read the KB from Fortinet.