Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
681
Views
1
Helpful
8
Replies

Cisco ISE TACACS+ to Fortigate Read/ Write and Read Only configuration

Go to solution
RG78874
Level 1
Level 1

‎09-12-2024 02:24 PM

Hello,

I am working on some Fortinet's and for anyone that has connected Fortinet's to Cisco ISE using tacacs+ I could really do with some help.

TACACS+ > Active Directory > Separate Read Only group and Read/Write Group

Article that I am using to configure this - https://sharifulhoque.blogspot.com/2019/09/fortigate-using-radius-server-windows_4.html

(Yes it says Radius but it's got Tacacs+ config steps)

Can you see anything in the guide that I would be missing from my configuration.

I've got a successful connection to tacacs+

I have a connection to Active Directory.

I have Read / Write and Read Only AD groups, I'm not sure what else I am missing or if anyone can help.

I'm using version 3.1 and Fortigate version 7.4.x

Fortinet Guide hasn't got much info, but Fortinet side is configured.

 

1 Accepted Solution

Accepted Solutions

Go to solution
RG78874
Level 1
Level 1
In response to RG78874

‎09-13-2024 04:47 AM

All fixed, device policy admin set

View solution in original post

0 Helpful
8 Replies 8

Go to solution
ccieexpert
Spotlight
Spotlight

‎09-12-2024 07:04 PM

what is the behavior you are seeing ? are you able to login ?

have you run the diagnose command as per the example ?

Please attach the relevant config for fortigate and also screenshots of how it is configured in ISE

0 Helpful

Go to solution
RG78874
Level 1
Level 1
In response to ccieexpert

‎09-13-2024 01:56 AM

Screen shots are not available. I can see Tacacs Live Log errors show

Authentication Details section:

Message text Failed-Attempt: Authentication failed

Failure Reason 13036 Selected Shell profile is DenyAccess

The Shell profile is configured as per article in my post.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎09-13-2024 03:02 AM

https://youtu.be/2WPuc7r_Qe4?si=lREegAb0cWIXCE-Y

Check this 

MHM

How To's Configure ISE 3.1 as Radius Server for Fortigate 7
How To's Configure ISE 3.1 as Radius Server for Fortigate 7
youtu.be/2WPuc7r_Qe4?si=lREegAb0cWIXCE-Y
In this video we'll use ISE 3.1 as radius server for Fortigate 7. Fortinet Vendor Specific Attributes (VSA) https://community.fortinet.com/t5/FortiDDoS/Technical-Tip-Fortinet-s-RADIUS-Dictionary-VSA-vendor-specific/ta-p/193076?externalID=FD30830
0 Helpful

Go to solution
RG78874
Level 1
Level 1
In response to MHM Cisco World

‎09-13-2024 03:25 AM

@MHM Cisco WorldThanks I checked it, but this is Radius setup. I am using Tacacs+

ISE setup for this is different

0 Helpful

Go to solution
RG78874
Level 1
Level 1
In response to RG78874

‎09-13-2024 04:47 AM

All fixed, device policy admin set

0 Helpful

Go to solution
Jhonleo02
Level 1
Level 1

‎09-13-2024 04:47 AM - edited ‎09-23-2024 12:52 AM

Ensure the user roles in Cisco ISE are correctly mapped to your AD groups for both read-only and read/write access. Also, verify that TACACS+ policies are properly assigning these roles. Discover more by reviewing detailed role-mapping configurations for any missing steps.

0 Helpful

Go to solution
RG78874
Level 1
Level 1
In response to Jhonleo02

‎09-13-2024 06:51 AM

Thanks @Jhonleo02 one problem... I have read/write access and I cannot get cli or ssh to type any commands for example "config system admin" any ideas what i need to allow on ISE for this?

0 Helpful

Go to solution
Jhonleo02
Level 1
Level 1
In response to RG78874

‎09-23-2024 12:51 AM

TACACS+ policies might not be assigning the correct privilege level for CLI access. Double-check the command sets and ensure that the read/write group is permitted to execute CLI commands like "config system admin." Additionally, confirm that your user roles in Cisco ISE are properly configured to provide the necessary administrative access.

0 Helpful
Customers Also Viewed These Support Documents