TACACS Authentication and Fortigate Appliances - Page 2

dustin.poole · ‎07-04-2013

I have been trying to get TACACS authentication setup for my Fortigate webfilters and analyzers however I am missing the attributes to set the match conditions for the users who log in with the AD credentials to assign them the correct user profile type. I was wondering if anyone has a complete guide on how to do this. Thanks for your help.

Chheang Va · ‎09-04-2013

What exactly is the problem? The AV configuration looks correct (make sure you have the Netsec group created in FortiNet).

Did following the link in the very first post? http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD33320

You need to make sure you have a group and user created with all the same settings as shown in the link. Compare your configuration output against theirs. One thing to make sure of is to have the "set accprofile-ovride enable" on the user.

jackwikinski · ‎09-05-2013

Hi,

Thanks for your help upto now.

The issue I am having is I get an error message in the Fortigate logs saying invlaid password.

I have checked this username and password with other equipment we have and it works well.

Please find below the configuration of the Fortigate I currently have in place. The ACS configuration is in the above thread.

config system accprofile

edit "prof_admin"

set admingrp read-write

set authgrp read-write

set endpoint-control-grp read-write

set fwgrp read-write

set loggrp read-write

set mntgrp read-write

set netgrp read-write

set routegrp read-write

set sysgrp read-write

set updategrp read-write

set utmgrp read-write

set vpngrp read-write

set wanoptgrp read-write

set wifi read-write

set admingrp read-write

set authgrp read-write

set endpoint-control-grp read-write

set fwgrp read-write

set loggrp read-write

set mntgrp read-write

set netgrp read-write

set routegrp read-write

set sysgrp read-write

set updategrp read-write

set utmgrp read-write

set vpngrp read-write

set wanoptgrp read-write

set wifi read-write

config system admin

edit "admin"

set trusthost3

set accprofile "super_admin"

set vdom "root"

config dashboard-tabs

edit 1

set name "Status"

set columns 1

set name "Top Sources"

set columns 1

set name "Top Destinations"

set columns 1

set name "Top Applications"

set columns 1

set name "Traffic History"

set columns 1

set name "Threat History"

config dashboard

edit 1

set tab-id 1

set column 1

set widget-type licinfo

set tab-id 1

set column 1

set widget-type jsconsole

set tab-id 1

set column 1

set widget-type sysres

set tab-id 1

set column 2

set widget-type gui-features

set tab-id 1

set column 2

set widget-type alert

set tab-id 1

set column 2

set top-n 10

set widget-type sessions

set tab-id 2

set column 1

set top-n 50

set sort-by msg-counts

set widget-type sessions

set tab-id 3

set column 1

set top-n 25

set sort-by msg-counts

set report-by destination

set widget-type sessions

set tab-id 4

set column 1

set top-n 25

set sort-by msg-counts

set report-by application

set widget-type sessions-bandwidth

set tab-id 5

set column 1

config login-time

edit "admin"

set last-failed-login 2013-09-03 04:08:27

set last-login 2013-09-05 04:36:27

set password ENC AK1O4Q8273vSAUyUkC4t4GOkSb40llfIAUEnr4uqWDgBX8=

end

edit "jackw"

set remote-auth enable

set trusthost1

set accprofile "NOACCESS"

set vdom "MGT"

config login-time

edit "jackw"

set last-failed-login 2013-09-04 08:10:41

set last-failed-login 2013-09-04 07:53:30

set wildcard enable

set remote-group "Netsec"

set accprofile-override enable

config user tacacs+

edit "tacacs+"

set authorization enable

set key ENC jTbeQPV44emKUByXuHAQdY3CoxYY3/9MoFsuW4YAiC88JiSJmd3yrFv7VMyrGVUJK6Fv3DzcL9VMetGJ60I332W5cLP53jpYSHJnkJB0B5aKffK7mdC+PBU/HcmyogEWACOO9my9fxG85AFqKdRj6VUirtmluw4WR0GTkdtCbXK4zE8JHC+iYx5ALicUK/G/tWbc/g==

set server "192.118.67.39"

config user group

edit "Netsec"

set member "tacacs+"

config match

edit 1

set server-name "tacacs+"

set group-name "Netsec"

config user local

edit "jackw"

set type tacacs+

set email-to ""

set tacacs+-server "tacacs+"

Thanks again.

Jack.

Chheang Va · ‎09-05-2013

Here is a couple of things that I noticed:

1. The NOACCESS accprofile should have some output similiar to (set admingrp none, set authgrp none....)

2. I have my user group-type set to firewall

config user group

edit "Netsec"

set group-type firewall

set authtimeout 0

set http-digest-realm ''

set sslvpn-portal ''

set member "tacacs+"

3. The tacacs+ configuration should have a source-ip, otherwise, the ACS server can't match it to it's AAA client

Other things to note, be sure to add the Fortinet as a AAA client and make sure the key matches. Check the logs on both the ACS server and the Fortinet side. The Fortinet side should not determine that the password is incorrect, it should be the ACS server's job. Everything else looks right so make those changes and check the ACS log.

ABDUL RAHIMAN K.M · ‎04-15-2014

Hi chheangva,

As you said I created two shell profiles in ACS , one for RO and other for RW.

On the Fortinet side, I created an Admin user (ie, "test") that is setup for Remote login, Wildcard, and a profile of NOACCESS.

but they are not overriding the noaccess setting. Please help

Erik Eichhorst · ‎05-26-2014

The configuration isn't correct, in the field "Custom attributes" you have to set the following values:

memberof=<tacacs+-group>

admin_prof=<Req. profile>

For further details read the KB from Fortinet.

ABDUL RAHIMAN K.M · ‎05-26-2014

Hi Erik,

In the custom attributes all required values mentioned. But always users getting no_access profile.

Erik Eichhorst · ‎05-26-2014

Then you dont have the override function set in the admin user configuration.

Please attach your user configuration (on fortigate) for review.

ABDUL RAHIMAN K.M · ‎05-29-2014

Hi,

See my conf-backup of Fortigate.

Erik Eichhorst · ‎06-12-2014

Config seems to be okay, check your config on the TACACS+ Server, maybe is there something wrong.

You can debug the logon on Fortigate with "diag debug app fnbadm -1".

Try to use the newer Version of FortiOS, Version 4 isn't anymore supported since April 2014.

patrick.morin · ‎02-04-2015

I have been able to do this for my fortigates, but I haven't been able to find the correct attributes and values for FortiManager and FortiAnalyzer. Anybody know them?

Erik Eichhorst · ‎02-05-2015

service=fortigate
memberof=<tacacs-serverbzw gruppe>
admin_prof=<access profil>
adom=<adom>

I got it with analyzing the communication between Manager and ACS server.

Sniffing the packets and then import it in wireshark for analyzing.

The attributes for the manager and the analyzer are the same.

Muhammad Munir · ‎09-09-2013

Hi

Please go through this link, this will be helpful regarding TCSACS Authentication and Fortigate configuration:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html