topic Re: Cisco ISE TACACS+ to Fortigate Read/ Write and Read Only configura in Network Access Control

Cisco ISE TACACS+ to Fortigate Read/ Write and Read Only configuration

RG78874 — Thu, 12 Sep 2024 21:24:00 GMT

Hello,

I am working on some Fortinet's and for anyone that has connected Fortinet's to Cisco ISE using tacacs+ I could really do with some help.

TACACS+ > Active Directory > Separate Read Only group and Read/Write Group

Article that I am using to configure this - https://sharifulhoque.blogspot.com/2019/09/fortigate-using-radius-server-windows_4.html

(Yes it says Radius but it's got Tacacs+ config steps)

Can you see anything in the guide that I would be missing from my configuration.

I've got a successful connection to tacacs+

I have a connection to Active Directory.

I have Read / Write and Read Only AD groups, I'm not sure what else I am missing or if anyone can help.

I'm using version 3.1 and Fortigate version 7.4.x

Fortinet Guide hasn't got much info, but Fortinet side is configured.

Re: Cisco ISE TACACS+ to Fortigate Read/ Write and Read Only configura

ccieexpert — Fri, 13 Sep 2024 02:04:14 GMT

what is the behavior you are seeing ? are you able to login ?

have you run the diagnose command as per the example ?

Please attach the relevant config for fortigate and also screenshots of how it is configured in ISE

Re: Cisco ISE TACACS+ to Fortigate Read/ Write and Read Only configura

RG78874 — Fri, 13 Sep 2024 08:56:05 GMT

Screen shots are not available. I can see Tacacs Live Log errors show

Authentication Details section:

Message text Failed-Attempt: Authentication failed

Failure Reason 13036 Selected Shell profile is DenyAccess

The Shell profile is configured as per article in my post.

Re: Cisco ISE TACACS+ to Fortigate Read/ Write and Read Only configura

MHM Cisco World — Fri, 13 Sep 2024 10:02:23 GMT

https://youtu.be/2WPuc7r_Qe4?si=lREegAb0cWIXCE-Y

Check this

MHM

Re: Cisco ISE TACACS+ to Fortigate Read/ Write and Read Only configura

RG78874 — Fri, 13 Sep 2024 10:25:49 GMT

@MHM Cisco WorldThanks I checked it, but this is Radius setup. I am using Tacacs+

ISE setup for this is different

Re: Cisco ISE TACACS+ to Fortigate Read/ Write and Read Only configura

RG78874 — Fri, 13 Sep 2024 11:47:12 GMT

All fixed, device policy admin set

Re: Cisco ISE TACACS+ to Fortigate Read/ Write and Read Only configura

Jhonleo02 — Mon, 23 Sep 2024 07:52:17 GMT

Ensure the user roles in Cisco ISE are correctly mapped to your AD groups for both read-only and read/write access. Also, verify that TACACS+ policies are properly assigning these roles. Discover more by reviewing detailed role-mapping configurations for any missing steps.

Re: Cisco ISE TACACS+ to Fortigate Read/ Write and Read Only configura

RG78874 — Fri, 13 Sep 2024 13:51:16 GMT

Thanks @Jhonleo02 one problem... I have read/write access and I cannot get cli or ssh to type any commands for example "config system admin" any ideas what i need to allow on ISE for this?

Re: Cisco ISE TACACS+ to Fortigate Read/ Write and Read Only configura

Jhonleo02 — Mon, 23 Sep 2024 07:51:42 GMT

TACACS+ policies might not be assigning the correct privilege level for CLI access. Double-check the command sets and ensure that the read/write group is permitted to execute CLI commands like "config system admin." Additionally, confirm that your user roles in Cisco ISE are properly configured to provide the necessary administrative access.

Re: Cisco ISE TACACS+ to Fortigate Read/ Write and Read Only configura

gordonmckenna6 — Thu, 17 Apr 2025 12:31:47 GMT

Based on your description, it seems you've configured the essential components: successful TACACS+ connection, Active Directory integration, and defined Read/Write and Read-Only AD groups. However, to ensure proper role assignment on the FortiGate, verify that the attribute-value pairs sent by Cisco ISE match FortiGate's expected values. Specifically, check that the TACACS+ service custom attributes in ISE correspond to the appropriate admin profiles on the FortiGate. If these attributes are misconfigured or missing, FortiGate may not assign the correct permissions.

Re: Cisco ISE TACACS+ to Fortigate Read/ Write and Read Only configura

gordonmckenna6 — Tue, 29 Apr 2025 18:24:33 GMT

@RG78874 wrote:
Hello,
I am working on some Fortinet's and for anyone that has connected Fortinet's to Cisco ISE using tacacs+ I could really do with some help.
TACACS+ > Active Directory > Separate Read Only group and Read/Write Group
Article that I am using to configure this - https://sharifulhoque.blogspot.com/2019/09/fortigate-using-radius-server-windows_4.html
(Yes it says Radius but it's got Tacacs+ config steps) writing seo content vancouver
Can you see anything in the guide that I would be missing from my configuration.
I've got a successful connection to tacacs+
I have a connection to Active Directory.
I have Read / Write and Read Only AD groups, I'm not sure what else I am missing or if anyone can help.
I'm using version 3.1 and Fortigate version 7.4.x
Fortinet Guide hasn't got much info, but Fortinet side is configured.

Re: Cisco ISE TACACS+ to Fortigate Read/ Write and Read Only configura

dennymorkal — Sat, 27 Sep 2025 21:30:56 GMT

you’ve got most of it right. The bit people usually miss is the ISE authorization rules and command sets. Make sure your AD groups are actually mapped to the right TACACS+ profiles in ISE, and check the live logs to see which rule is being hit when you log in. Usually it’s just the group match that trips things up.

Re: Cisco ISE TACACS+ to Fortigate Read/ Write and Read Only configura

andrewhannells — Tue, 25 Nov 2025 11:33:37 GMT

Hey, the blog mixes RADIUS/TACACS – the real fix is on ISE:

Create TACACS Device Admin policy set → two authz rules:

Read-Write AD group → Shell Profile with Privilege 15
Read-Only AD group → Shell Profile with Privilege 1

aireviewhq