Fortigate authorization with ISE

ChrisAnk — Mon, 22 Mar 2021 11:28:12 GMT

Hi All,

I am integrating Fortigate firewall with Cisco ISE (version 2.4, patch 13) using TACACS, authentication is getting successful but authorization fails. Below are the attributes given in TACACS Profile. After logging into the firewall user is not able to view all the VDOMs.

Attribute	Requirement	Description	Value
service	Mandatory	Fortinet Service	fortigate
memberof	Mandatory	TACACS+ group	RO_admin_group
admin_prof	Mandatory	ACC Profile	RO_Profile

Do I need to make any changes in the attributes given?

Re: Fortigate authorization with ISE

craiglebutt — Mon, 22 Mar 2021 11:53:51 GMT

Had the same issue with 2.2 only the other week.

Compare this config, alot of it was trial and error, Fortigate said couldn't be done. But I'm guessing it will be around set vdom "root" "WIN-XP-7" "GENERIC-APP"

Depending on you forti firmware.

You will need to put in policys to deny access to other groups as anyone with any level in your tacacs will get full admin.

Let me know if this helps

CLI Commands for Fortigate Tacacs+ Read & ReadWR
Global
Config system accprofile
edit "Tacacs_RO"
set secfabgrp read
set ftviewgrp read
set authgrp read
set sysgrp read
set netgrp read
set loggrp read
set fwgrp read
set vpngrp read
set utmgrp read
set wifi read
next
end

VDOM Root
config user group
edit "Tacacs"
set group-type firewall
set authtimeout 0
set auth-concurrent-override disable
set http-digest-realm ''
set member "sitise01" "sitise02" "sitise03"
config match
edit 1
set server-name "sitise01"
set group-name "TACACS_NETWORK_ADMIN"
next
edit 2
set server-name "sitise02"
set group-name "TACACS_NETWORK_ADMIN"
next
edit 3
set server-name "sitise03"
set group-name "TACACS_NETWORK_ADMIN"
next
end
next
edit "Radius"
set group-type firewall
set authtimeout 0
set auth-concurrent-override disable
set http-digest-realm ''
set member "sitise03"
config match
edit 1
set server-name "sitise03"
set group-name "TACACS_NEWORK_ACCESS_R"
next
end
next
next
edit "TacacsRO"
set group-type firewall
set authtimeout 0
set auth-concurrent-override disable
set http-digest-realm ''
set member "sitise01" "sitise02" "sitise03"
config match
edit 1
set server-name "sitise01"
set group-name "TACACS_NETWORK_ADMIN_R"
next
edit 2
set server-name "sitise02"
set group-name "TACACS_NETWORK_ADMIN_R"
next
edit 3
set server-name "sitise03"
set group-name "TACACS_NETWORK_ADMIN_R"
next
end
next
end
config system admin TACACS
edit "TACACS"
set remote-auth enable
set accprofile "super_admin"
set vdom "root" "WIN-XP-7" "GENERIC-APP"
set wildcard enable
set remote-group "Tacacs"
edit "TACACSRO"
set remote-auth enable
set accprofile "Radius_Admins"
set vdom "root" "WIN-XP-7" "GENERIC-APP"
set wildcard enable
set remote-group "TacacsRO"
next
end
next
config user tacacs+
edit "siteise01"
set server "your IP"
next
edit "siteise03"
set server "your IP"
set authorization enable
next
edit "siteise02"
set server "your IP"
set authorization enable
next
end

Re: Fortigate authorization with ISE

stefano.motti — Tue, 07 Feb 2023 17:44:29 GMT

Tacacs?

topic Re: Fortigate authorization with ISE in Network Access Control

Fortigate authorization with ISE

Re: Fortigate authorization with ISE

Re: Fortigate authorization with ISE

Re: Fortigate authorization with ISE