09-12-2024 02:24 PM
Hello,
I am working on some FortiGates and, for anyone who has connected FortiGates to Cisco ISE using TACACS+, I could really do with some help.
TACACS+ > Active Directory > Separate Read Only group and Read/Write Group
Article that I am using to configure this - https://sharifulhoque.blogspot.com/2019/09/fortigate-using-radius-server-windows_4.html
(Yes, it says RADIUS, but it's got TACACS+ config steps.)
Can you see anything in the guide that I would be missing from my configuration?
I've got a successful connection to TACACS+.
I have a connection to Active Directory.
I have Read/Write and Read Only AD groups; I'm not sure what else I am missing, or if anyone can help.
I'm using version 3.1 and FortiGate version 7.4.x.
The Fortinet guide hasn't got much info, but the Fortinet side is configured.
09-13-2024 04:47 AM
All fixed, device policy admin set
09-12-2024 07:04 PM
What is the behavior you are seeing? Are you able to log in?
Have you run the diagnose command as per the example?
Please attach the relevant config for the FortiGate and also screenshots of how it is configured in ISE.
09-13-2024 01:56 AM
Screenshots are not available. I can see the TACACS Live Log errors show:
Authentication Details section:
Message text Failed-Attempt: Authentication failed
Failure Reason 13036 Selected Shell profile is DenyAccess
The shell profile is configured as per the article in my post.
09-13-2024 03:02 AM
09-13-2024 03:25 AM
@MHM Cisco World Thanks, I checked it, but this is a RADIUS setup. I am using TACACS+.
The ISE setup for this is different.
09-13-2024 04:47 AM - edited 09-23-2024 12:52 AM
Ensure the user roles in Cisco ISE are correctly mapped to your AD groups for both read-only and read/write access. Also, verify that TACACS+ policies are properly assigning these roles. Discover more by reviewing detailed role-mapping configurations for any missing steps.
09-13-2024 06:51 AM
Thanks @Jhonleo02, one problem... I have read/write access, but I cannot type any commands in the CLI or over SSH, for example "config system admin". Any ideas what I need to allow on ISE for this?
09-23-2024 12:51 AM
TACACS+ policies might not be assigning the correct privilege level for CLI access. Double-check the command sets and ensure that the read/write group is permitted to execute CLI commands like "config system admin." Additionally, confirm that your user roles in Cisco ISE are properly configured to provide the necessary administrative access.
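The FortiGate side of the setup the thread describes, added here as an example and not taken from the thread, Fortinet's guide or the linked article. It assumes object names (ISE-TACACS, tacacs_admins, ro_profile), a placeholder ISE address, and that each ISE shell profile carries the custom attribute admin_prof whose value is the FortiGate admin profile to apply (two authorization rules, one per AD group, select a read-only or read/write shell profile); a shell profile of DenyAccess is what produces the 13036 failure quoted above.

```fortios
# Added example (not from the thread). All names and addresses are assumptions.
# Read-only admin profile that an ISE shell profile can select via admin_prof.
config system accprofile
    edit "ro_profile"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wifi read
    next
end
# TACACS+ server object: authorization must be enabled or the FortiGate never
# asks ISE for the shell profile and falls back to the local accprofile.
config user tacacs+
    edit "ISE-TACACS"
        set server "192.0.2.10"            # placeholder ISE PSN address
        set key "SHARED_SECRET_PLACEHOLDER" # must match the ISE network device entry
        set authen-type auto
        set authorization enable
    next
end
config user group
    edit "tacacs_admins"
        set member "ISE-TACACS"
    next
end
# Wildcard admin: any user ISE accepts logs in; the profile ISE returns in
# admin_prof overrides "ro_profile", so a missing attribute yields read-only.
config system admin
    edit "tacacs_wildcard"
        set remote-auth enable
        set accprofile "ro_profile"
        set wildcard enable
        set remote-group "tacacs_admins"
        set accprofile-override enable
    next
end
# Check from the FortiGate CLI (replace the user and password):
#   diagnose test authserver tacacs+ ISE-TACACS <user> <password>
```

If the diagnose test authenticates but the user still cannot enter config commands, compare the admin_prof value ISE returns against the profile names in "config system accprofile"; a mismatch leaves the fallback read-only profile in place.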