07-04-2013 03:16 PM - edited 03-10-2019 08:37 PM
I have been trying to get TACACS authentication set up for my Fortigate webfilters and analyzers; however, I am missing the attributes to set the match conditions for the users who log in with their AD credentials so that they are assigned the correct user profile type. I was wondering if anyone has a complete guide on how to do this. Thanks for your help.
07-04-2013 08:48 PM
Hello, in this link you have the fortinet configuration
http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD33320
If you're using ACS as your TACACS server then you must configure the following shell profile.
Please rate if this helps
07-05-2013 08:39 AM
I am using ACS as my TACACS server and this post was helpful; however, I am still missing a few pieces. I still need the custom attributes to set for each user type, like super_admin for example.
It's also not clear to me how or why you have to create a user group with no users and noaccess. Thanks for the input.
07-05-2013 10:27 AM
The link mentions the admin profile called "noaccess" just as an example. You could just use the admin profile called "super_admin" instead.
Also, in the example the user "admin" does belong to the user group "test_group", and this user group is linked to the tacacs server called "tac_plus".
Please rate if this helps
08-13-2013 08:26 AM
How do you find out whether the user "admin" belongs to the group "test_group"?
Also, once you configure the Shell Profile, do you need to create a separate Authorization Profile to use that Shell Profile?
08-13-2013 11:47 AM
I am experiencing issues with this also. I have my attributes set up same as above example but I get full admin access no matter what I put in the admin_prof value. When I look in the ACS TACACS logs I see no evidence of any authorization packets being sent to the Fortinet and no value pairs in the authentication reply either. Any suggestions at all??? We are using V4 M3.
08-14-2013 12:19 PM
I finally got it to work.
On the Fortinet side, you need to make sure you have an Admin user created (i.e., "test") that is set up for Remote login, Wildcard, and a profile of NOACCESS.
On the ACS side, you need to create 2 different Shell Profiles (RW and RO). They should have the following attributes (note, I am referencing the group name from Eduardo's link):
RW
service=fortigate
memberof=test_group
admin_prof=super_admin
RO
service=fortigate
memberof=test_group
admin_prof=read_only
Make sure you have both the super_admin and read_only Admin Profiles on your Fortigate.
Let me know if that helps.
08-15-2013 08:50 AM
I believe I have it set up as you explained. I can see in the ACS logs that the authorization params are now being sent.
---------------------------
{Type=Authorization; Author-Reply-Status=PassRepl; AVPair=memberof=TacAdmin; AVPair=admin_prof=super_user; AVPair=service=fortigate; }
---------------------------
However, they are not overriding the noaccess setting in the wildcard admin. I also notice that I cannot check the wildcard box in the GUI if I try to create a user there. It is greyed out. Does the user need to be named "wildcard"? And does it have to be built in the CLI?
08-15-2013 09:06 AM
No the user does not need to be named Wildcard. Do you have another user already that has wildcard enabled? I think you can only have Wildcard enabled on 1 user. If you don't have any enabled and it's still greyed out, then try to configure it via the CLI.
config system admin
edit user
set wildcard enable
next
end
Post a screenshot of your Admin users.
08-15-2013 10:04 AM
config system admin
edit "cbadmin"
set remote-auth enable
set accprofile "super_admin"
set vdom "root"
set remote-group "RadAdmin"
set password ENC AK1sRSaM12nMCQq1q3pKtYvepgsbJEDF0AuEWsxFw4eXSE=
next
edit "wildcard"
set remote-auth enable
set accprofile "noaccess"
set vdom "root"
set wildcard enable
set remote-group "TacAdmin"
set accprofile-override enable
next
edit "admin"
set accprofile "super_admin"
set vdom "root"
set password ENC AK167u4bh2JDbsjRKqG7q4zjkbL6cQOUCN7gKwqFDBMf9A=
next
edit "jdickler23"
set remote-auth enable
set accprofile "prof_admin"
set vdom "root"
set remote-group "TacAdmin"
set password ENC AK17gik2+xKWlkgiSK8IUpLpE+0zI5veH5vplRvI+B0RMc=
next
edit "jdicklertest"
set accprofile "super_admin"
set vdom "root"
set password ENC AK1twU3/13H7u/D1vdjMXvOJqP3UmEtWwdG4JQDfofgnuM=
next
edit "pkgeev01"
set accprofile "super_admin"
set vdom "root"
set password ENC AK1kOd5dSxmKm8A47m0D05OITNrozFsiaCGk4lyOv3ugaQ=
next
end
08-15-2013 10:52 AM
We got it to work. We had mixed up super_admin with the more popular super_user. Once corrected, it all works fine. Thanks for your input; it was very reassuring.
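As an added illustration (not code from Fortinet, Cisco, or any poster in this thread), the following Python checks an ACS authorization reply, in the log format quoted earlier in the thread, against the accprofile names configured on the FortiGate, and flags exactly the super_user versus super_admin mismatch that held this thread up. The sample log lines and profile names are constructed from the posts above, and the behaviour modelled for a mismatch (memberof not matching the wildcard admin's remote-group refuses the login; an admin_prof naming no configured accprofile leaves the user on the wildcard admin's own local accprofile) is an assumption drawn from what was observed here, not from Fortinet documentation.

```python
import re
from difflib import get_close_matches

# Constructed sample replies in the format ACS logs them; the first one
# reproduces the super_user typo discussed in this thread.
ACS_LOG_LINES = [
    "{Type=Authorization; Author-Reply-Status=PassRepl; AVPair=memberof=TacAdmin; "
    "AVPair=admin_prof=super_user; AVPair=service=fortigate; }",
    "{Type=Authorization; Author-Reply-Status=PassRepl; AVPair=memberof=TacAdmin; "
    "AVPair=admin_prof=super_admin; AVPair=service=fortigate; }",
    "{Type=Authorization; Author-Reply-Status=PassRepl; AVPair=memberof=RadAdmin; "
    "AVPair=admin_prof=super_admin; AVPair=service=fortigate; }",
    "{Type=Authorization; Author-Reply-Status=Fail; }",
]

# Constructed: accprofile names and the wildcard admin modelled on the posted config.
ACCPROFILES = {"super_admin", "prof_admin", "read_only", "noaccess"}
WILDCARD_ADMIN = {"remote-group": "TacAdmin", "accprofile": "noaccess", "accprofile-override": True}

STATUS_RE = re.compile(r"Author-Reply-Status=([^;]+);")
AVPAIR_RE = re.compile(r"AVPair=([^=;]+)=([^;]*);")


def parse_acs_reply(line):
    """Split one ACS authorization log entry into (reply status, {attribute: value})."""
    m = STATUS_RE.search(line)
    status = m.group(1).strip() if m else None
    avpairs = {k.strip(): v.strip() for k, v in AVPAIR_RE.findall(line)}
    return status, avpairs


def check_reply(line, profiles=ACCPROFILES, wildcard=WILDCARD_ADMIN):
    """Work out which accprofile a TACACS+ user would end up with and list anything wrong.

    Assumptions (taken from the thread's observations, not from Fortinet docs):
      * memberof must equal the wildcard admin's remote-group, otherwise no admin
        matches and the login is refused (effective_profile None);
      * with accprofile-override enabled, admin_prof names the accprofile to apply;
      * anything that prevents the override (missing service, unknown admin_prof,
        override disabled) leaves the user on the wildcard admin's local accprofile.
    """
    status, av = parse_acs_reply(line)
    problems, suggestions = [], []
    if status != "PassRepl":
        problems.append(f"reply status {status!r}: no AV pairs to apply")
        return {"effective_profile": None, "problems": problems, "suggestions": suggestions}
    if av.get("memberof") != wildcard["remote-group"]:
        problems.append(f"memberof {av.get('memberof')!r} does not match remote-group "
                        f"{wildcard['remote-group']!r}; no admin matches")
        return {"effective_profile": None, "problems": problems, "suggestions": suggestions}
    prof = av.get("admin_prof")
    if av.get("service") != "fortigate":
        problems.append("reply lacks service=fortigate")
    if prof is None:
        problems.append("reply lacks admin_prof")
    elif prof not in profiles:
        # Offer the closest configured name (catches super_user vs super_admin).
        suggestions = get_close_matches(prof, sorted(profiles), cutoff=0.5)
        problems.append(f"admin_prof {prof!r} is not a configured accprofile")
    if not wildcard["accprofile-override"]:
        problems.append("accprofile-override is disabled on the wildcard admin")
    if problems:
        return {"effective_profile": wildcard["accprofile"], "problems": problems, "suggestions": suggestions}
    return {"effective_profile": prof, "problems": problems, "suggestions": suggestions}


if __name__ == "__main__":
    for line in ACS_LOG_LINES:
        result = check_reply(line)
        print(result["effective_profile"], result["problems"], result["suggestions"])
```

Run it against your own ACS authorization log lines and the output of `show system accprofile`; a reply that parses as PassRepl but resolves to the wildcard admin's local profile is the "stuck on noaccess" symptom described above, and the suggestion list points at the profile name you probably meant.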
01-31-2015 10:49 AM
Mine is working with multiple VDOMs. Also, I keep the local admin as a last-resort login, so users have to log in with their AD credentials unless ACS has a problem or is unreachable, in which case they can log in with admin.
09-03-2013 02:54 PM
Hi All,
I am attempting to set up authentication from Fortigate V5 towards ACS v4.2.
I am trying to setup the attributes for noaccess and have run into an issue of:
config system accprofile
edit "noaccess"
unset menu-file
next
end
I cannot do the command unset menu-file. The only options I have with unset are:
admingrp Access permission.
authgrp Access permission.
comments Comments.
endpoint-control-grp Access permission.
fwgrp Access permission.
loggrp Access permission.
mntgrp Access permission.
netgrp Access permission.
routegrp Access permission.
scope Global or single VDOM access restriction.
sysgrp Access permission.
updategrp Access permission.
utmgrp Access permission.
vpngrp Access permission.
wanoptgrp Access permission.
wifi Wireless controller.
Any help would be appreciated.
Thanks.
Jack.
09-03-2013 07:36 PM
Try the following (also, it's easier to create this in the GUI, as there is only one button to set everything to unset):
config system accprofile
edit "noaccess"
set admingrp none
set authgrp none
set endpoint-control-grp none
set fwgrp none
set loggrp none
unset menu-file
set mntgrp none
set netgrp none
unset roles
set routegrp none
set scope vdom
set sysgrp none
set updategrp none
set utmgrp none
set vpngrp none
set wanoptgrp none
set wifi none
next
end
09-04-2013 12:51 AM
Thanks for the prompt response.
I am now encountering problems setting the av pairs.
Below is my configuration:
Any assistance would be appreciated.
Thanks.
Jack.