Cisco Support Community
New Member

TACACS Authentication and Fortigate Appliances

I have been trying to get TACACS authentication set up for my Fortigate web filters and analyzers; however, I am missing the attributes to set the match conditions for the users who log in with their AD credentials, to assign them the correct user profile type. I was wondering if anyone has a complete guide on how to do this. Thanks for your help.

26 REPLIES

TACACS Authentication and Fortigate Appliances

Hello, this link has the Fortinet configuration:

http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD33320

If you're using ACS as your TACACS server, then you must configure the following shell profile:

Please rate if this helps

New Member

TACACS Authentication and Fortigate Appliances

I am using ACS as my TACACS server and this post was helpful; however, I am still missing a piece. I still need the custom attributes to set for each user type, like super_admin for example.

It's also not clear to me how or why you have to create a user group with no users and noaccess. Thanks for the input.

TACACS Authentication and Fortigate Appliances

The link mentions the admin profile called "noaccess" just as an example. You could just use the admin profile called "super_admin" instead.

Also, in the example the user "admin" does belong to the user group "test_group", and this user group is linked to the TACACS server called "tac_plus".

Please rate if this helps

New Member

TACACS Authentication and Fortigate Appliances

How do you find out whether the user "admin" belongs to the group "test_group"?

Also, once you configure the Shell Profile, do you need to create a separate Authorization Profile to use that Shell Profile?

New Member

Re: TACACS Authentication and Fortigate Appliances

I am experiencing issues with this also. I have my attributes set up the same as the above example, but I get full admin access no matter what I put in the admin_prof value. When I look in the ACS TACACS logs I see no evidence of any authorization packets being sent to the Fortinet, and no value pairs in the authentication reply either. Any suggestions at all??? We are using V4 M3.

New Member

TACACS Authentication and Fortigate Appliances

I finally got it to work.

On the Fortinet side, you need to make sure you have an Admin user created (i.e., "test") that is set up for Remote login, Wildcard, and a profile of NOACCESS.

On the ACS side, you need to create 2 different Shell Profiles (RW and RO). They should have the following attributes (note, I am referencing the group name from Eduardo's link):

RW
service=fortigate
memberof=test_group
admin_prof=super_admin

RO
service=fortigate
memberof=test_group
admin_prof=read_only

Make sure you have both the super_admin and read_only Admin Profiles on your Fortigate.

Let me know if that helps.

New Member

TACACS Authentication and Fortigate Appliances

I believe I have it set up as you explained. I can see in the ACS logs that the authorization params are now being sent.

---------------------------
{Type=Authorization; Author-Reply-Status=PassRepl; AVPair=memberof=TacAdmin; AVPair=admin_prof=super_user; AVPair=service=fortigate; }
---------------------------

However, they are not overriding the noaccess setting in the wildcard admin. I also notice that I cannot check the wildcard box in the GUI if I try to create a user there. It is greyed out. Does the user need to be named "wildcard"? And... does it have to be built in the CLI?

New Member

TACACS Authentication and Fortigate Appliances

No, the user does not need to be named Wildcard. Do you have another user already that has wildcard enabled? I think you can only have Wildcard enabled on 1 user. If you don't have any enabled and it's still greyed out, then try to configure it via the CLI:

config system admin
    edit user
        set wildcard enable
    next
end

Post a screenshot of your Admin users.

New Member

TACACS Authentication and Fortigate Appliances

config system admin
    edit "cbadmin"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set remote-group "RadAdmin"
        set password ENC AK1sRSaM12nMCQq1q3pKtYvepgsbJEDF0AuEWsxFw4eXSE=
    next
    edit "wildcard"
        set remote-auth enable
        set accprofile "noaccess"
        set vdom "root"
        set wildcard enable
        set remote-group "TacAdmin"
        set accprofile-override enable
    next
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AK167u4bh2JDbsjRKqG7q4zjkbL6cQOUCN7gKwqFDBMf9A=
    next
    edit "jdickler23"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set remote-group "TacAdmin"
        set password ENC AK17gik2+xKWlkgiSK8IUpLpE+0zI5veH5vplRvI+B0RMc=
    next
    edit "jdicklertest"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AK1twU3/13H7u/D1vdjMXvOJqP3UmEtWwdG4JQDfofgnuM=
    next
    edit "pkgeev01"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AK1kOd5dSxmKm8A47m0D05OITNrozFsiaCGk4lyOv3ugaQ=
    next
end

New Member

TACACS Authentication and Fortigate Appliances

We got it to work..... mixed up super_admin with the more popular super_user. Once corrected, it all works fine. Thanks for your input; it was very reassuring.

New Member


Mine is working with multiple VDOMs. Also, I keep the local admin as a last-resort login, so users have to log in with their AD credentials, unless ACS has a problem or is unreachable; then users can log in with admin.

New Member

TACACS Authentication and Fortigate Appliances

Hi All,

I am attempting to set up authentication from Fortigate V5 towards ACS v4.2.

I am trying to set up the attributes for noaccess and have run into an issue with:

config system accprofile
   edit "noaccess"
      unset menu-file
   next
end

I cannot run the command unset menu-file. The only options I have with unset are:

admingrp                Access permission.
authgrp                 Access permission.
comments                Comments.
endpoint-control-grp    Access permission.
fwgrp                   Access permission.
loggrp                  Access permission.
mntgrp                  Access permission.
netgrp                  Access permission.
routegrp                Access permission.
scope                   Global or single VDOM access restriction.
sysgrp                  Access permission.
updategrp               Access permission.
utmgrp                  Access permission.
vpngrp                  Access permission.
wanoptgrp               Access permission.
wifi                    Wireless controller.

Any help would be appreciated.

Thanks.

Jack.

New Member

TACACS Authentication and Fortigate Appliances

Try the following (also, it's easier to create this in the GUI, as there is only 1 button to set everything to unset):

config system accprofile
    edit "noaccess"
        set admingrp none
        set authgrp none
        set endpoint-control-grp none
        set fwgrp none
        set loggrp none
        unset menu-file
        set mntgrp none
        set netgrp none
        unset roles
        set routegrp none
        set scope vdom
        set sysgrp none
        set updategrp none
        set utmgrp none
        set vpngrp none
        set wanoptgrp none
        set wifi none
    next
end

New Member

TACACS Authentication and Fortigate Appliances

Thanks for the prompt response.

I am now encountering problems setting the AV pairs.

Below is my configuration:

Any assistance would be appreciated.

Thanks.

Jack.

New Member

TACACS Authentication and Fortigate Appliances

What exactly is the problem? The AV configuration looks correct (make sure you have the Netsec group created in Fortinet).

Did you follow the link in the very first post? http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD33320

You need to make sure you have a group and user created with all the same settings as shown in the link. Compare your configuration output against theirs. One thing to make sure of is to have "set accprofile-override enable" on the user.

New Member

TACACS Authentication and Fortigate Appliances

Hi,

Thanks for your help up to now.

The issue I am having is I get an error message in the Fortigate logs saying invalid password.

I have checked this username and password with other equipment we have and it works well.

Please find below the configuration of the Fortigate I currently have in place. The ACS configuration is in the thread above.

config system accprofile
    edit "prof_admin"
        set admingrp read-write
        set authgrp read-write
        set endpoint-control-grp read-write
        set fwgrp read-write
        set loggrp read-write
        set mntgrp read-write
        set netgrp read-write
        set routegrp read-write
        set sysgrp read-write
        set updategrp read-write
        set utmgrp read-write
        set vpngrp read-write
        set wanoptgrp read-write
        set wifi read-write
    next
    edit "MGT"
        set admingrp read-write
        set authgrp read-write
        set endpoint-control-grp read-write
        set fwgrp read-write
        set loggrp read-write
        set mntgrp read-write
        set netgrp read-write
        set routegrp read-write
        set sysgrp read-write
        set updategrp read-write
        set utmgrp read-write
        set vpngrp read-write
        set wanoptgrp read-write
        set wifi read-write
    next
    edit "NOACCESS"
    next
end

config system admin
    edit "admin"
        set trusthost3
        set accprofile "super_admin"
        set vdom "root"
            config dashboard-tabs
                edit 1
                    set name "Status"
                next
                edit 2
                    set columns 1
                    set name "Top Sources"
                next
                edit 3
                    set columns 1
                    set name "Top Destinations"
                next
                edit 4
                    set columns 1
                    set name "Top Applications"
                next
                edit 5
                    set columns 1
                    set name "Traffic History"
                next
                edit 6
                    set columns 1
                    set name "Threat History"
                next
            end
            config dashboard
                edit 1
                    set tab-id 1
                    set column 1
                next
                edit 2
                    set widget-type licinfo
                    set tab-id 1
                    set column 1
                next
                edit 3
                    set widget-type jsconsole
                    set tab-id 1
                    set column 1
                next
                edit 4
                    set widget-type sysres
                    set tab-id 1
                    set column 2
                next
                edit 5
                    set widget-type gui-features
                    set tab-id 1
                    set column 2
                next
                edit 6
                    set widget-type alert
                    set tab-id 1
                    set column 2
                    set top-n 10
                next
                edit 21
                    set widget-type sessions
                    set tab-id 2
                    set column 1
                    set top-n 50
                    set sort-by msg-counts
                next
                edit 31
                    set widget-type sessions
                    set tab-id 3
                    set column 1
                    set top-n 25
                    set sort-by msg-counts
                    set report-by destination
                next
                edit 41
                    set widget-type sessions
                    set tab-id 4
                    set column 1
                    set top-n 25
                    set sort-by msg-counts
                    set report-by application
                next
                edit 51
                    set widget-type sessions-bandwidth
                    set tab-id 5
                    set column 1
                next
            end
            config login-time
                edit "admin"
                    set last-failed-login 2013-09-03 04:08:27
                    set last-login 2013-09-05 04:36:27
                next
            end
        set password ENC AK1O4Q8273vSAUyUkC4t4GOkSb40llfIAUEnr4uqWDgBX8=
    next
    edit "jackw"
        set remote-auth enable
        set trusthost1
        set accprofile "NOACCESS"
        set vdom "MGT"
            config login-time
                edit "jackw"
                    set last-failed-login 2013-09-04 08:10:41
                next
                edit "jackw@888holdings.com"
                    set last-failed-login 2013-09-04 07:53:30
                next
            end
        set wildcard enable
        set remote-group "Netsec"
        set accprofile-override enable
    next
end

config user tacacs+
    edit "tacacs+"
        set authorization enable
        set key ENC jTbeQPV44emKUByXuHAQdY3CoxYY3/9MoFsuW4YAiC88JiSJmd3yrFv7VMyrGVUJK6Fv3DzcL9VMetGJ60I332W5cLP53jpYSHJnkJB0B5aKffK7mdC+PBU/HcmyogEWACOO9my9fxG85AFqKdRj6VUirtmluw4WR0GTkdtCbXK4zE8JHC+iYx5ALicUK/G/tWbc/g==
        set server "192.118.67.39"
    next
end

config user group
    edit "Netsec"
        set member "tacacs+"
            config match
                edit 1
                    set server-name "tacacs+"
                    set group-name "Netsec"
                next
            end
    next
end

config user local
    edit "jackw"
        set type tacacs+
        set email-to ""
        set tacacs+-server "tacacs+"
    next
end

Thanks again.

Jack.

New Member

TACACS Authentication and Fortigate Appliances

Here are a couple of things that I noticed:

1. The NOACCESS accprofile should have some output similar to (set admingrp none, set authgrp none, ...)

2. I have my user group-type set to firewall:

config user group
    edit "Netsec"
        set group-type firewall
        set authtimeout 0
        set http-digest-realm ''
        set sslvpn-portal ''
        set member "tacacs+"
    next
end

3. The tacacs+ configuration should have a source-ip; otherwise, the ACS server can't match it to its AAA client.

Other things to note: be sure to add the Fortinet as an AAA client and make sure the key matches. Check the logs on both the ACS server and the Fortinet side. The Fortinet side should not determine that the password is incorrect; it should be the ACS server's job. Everything else looks right, so make those changes and check the ACS log.
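As an added example (not code from this thread, Fortinet or Cisco), here is a short Python script that automates the cross-check the thread did by hand, both for the RW/RO shell-profile post above and for the checklist in the reply just before this one: it parses an ACS authorization log line in the form quoted earlier, parses a FortiGate config dump in the CLI form posted in the thread, and reports the conditions that leave a remote user stuck on the wildcard admin's fallback profile (admin_prof naming a profile that does not exist on the box, such as super_user instead of super_admin; a wildcard admin without "set accprofile-override enable"; memberof not matching the wildcard admin's remote-group). The log line and config below are constructed samples modelled on the posts, and the list of built-in profile names is an assumption.

```python
import re

# Constructed sample input: an ACS authorization log line in the form quoted
# in the thread, carrying the typo the thread eventually found (super_user
# instead of the FortiOS profile super_admin).
ACS_LOG_LINE = (
    "{Type=Authorization; Author-Reply-Status=PassRepl; "
    "AVPair=memberof=TacAdmin; AVPair=admin_prof=super_user; "
    "AVPair=service=fortigate; }"
)

# Constructed FortiGate config excerpt in the same CLI form as the thread:
# one custom profile plus the wildcard admin that remote users map onto.
FORTIGATE_CONFIG = """\
config system accprofile
    edit "read_only"
        set sysgrp read
        set netgrp read
    next
    edit "noaccess"
        set admingrp none
        set sysgrp none
    next
end
config system admin
    edit "wildcard"
        set remote-auth enable
        set accprofile "noaccess"
        set vdom "root"
            config dashboard-tabs
                edit 1
                    set name "Status"
                next
            end
        set wildcard enable
        set remote-group "TacAdmin"
        set accprofile-override enable
    next
end
"""

# Assumption: these profiles exist on every FortiGate and are not listed in a
# 'config system accprofile' dump, so they are accepted as valid names.
BUILTIN_PROFILES = {"super_admin", "prof_admin"}


def parse_acs_log_line(line):
    """Split an ACS TACACS+ authorization log line into (status, AV pairs)."""
    status = re.search(r"Author-Reply-Status=([^;]+);", line)
    avpairs = {m.group(1).strip(): m.group(2).strip()
               for m in re.finditer(r"AVPair=([^=;]+)=([^;]+);", line)}
    return (status.group(1).strip() if status else None), avpairs


def parse_fortigate_config(text):
    """Parse top-level 'config <table>' / 'edit "<name>"' / 'set k v' blocks.

    Returns {table: {entry: {key: value}}}.  Nested sub-tables (dashboard
    widgets, login-time records) are skipped; the checks only need the
    top-level attributes of each admin and profile.
    """
    tables, depth, table, name = {}, 0, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                table = line[len("config "):]
                tables.setdefault(table, {})
        elif line == "end":
            depth -= 1
            if depth == 0:
                table = name = None
        elif depth != 1:
            continue
        elif line.startswith("edit "):
            name = line[len("edit "):].strip('"')
            tables[table][name] = {}
        elif line == "next":
            name = None
        elif line.startswith("set ") and name is not None:
            key, _, value = line[len("set "):].partition(" ")
            tables[table][name][key] = value.strip('"')
    return tables


def check_mapping(acs_line, fortigate_config):
    """Return the reasons a passing reply would still leave the user on the
    wildcard admin's fallback profile; an empty list means the mapping is sound."""
    problems = []
    status, av = parse_acs_log_line(acs_line)
    cfg = parse_fortigate_config(fortigate_config)

    if status not in ("PassRepl", "PassAdd"):
        problems.append(f"authorization status is {status!r}, not a pass")
    if av.get("service") != "fortigate":
        problems.append("AVPair service must be 'fortigate'")

    known = set(cfg.get("system accprofile", {})) | BUILTIN_PROFILES
    prof = av.get("admin_prof")
    if prof not in known:
        problems.append(f"admin_prof {prof!r} is not an accprofile on the FortiGate")

    wildcards = [a for a in cfg.get("system admin", {}).values()
                 if a.get("wildcard") == "enable"]
    if not wildcards:
        problems.append("no admin has 'set wildcard enable'")
    for admin in wildcards:
        if admin.get("accprofile-override") != "enable":
            problems.append("wildcard admin lacks 'set accprofile-override enable'")
        if admin.get("remote-group") != av.get("memberof"):
            problems.append(f"memberof {av.get('memberof')!r} does not match "
                            f"remote-group {admin.get('remote-group')!r}")
    return problems


if __name__ == "__main__":
    for problem in check_mapping(ACS_LOG_LINE, FORTIGATE_CONFIG):
        print(problem)
```

Run against the sample, the only finding is the profile-name mismatch; fixing the ACS shell profile to admin_prof=super_admin makes the report empty, and removing the accprofile-override line from the wildcard admin makes it reappear as the single finding, which is exactly the symptom described earlier in the thread (authorization reply arrives, user still lands on noaccess).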

New Member

Hi chheangva,

As you said, I created two shell profiles in ACS, one for RO and the other for RW.

On the Fortinet side, I created an Admin user (i.e., "test") that is set up for Remote login, Wildcard, and a profile of NOACCESS.

But they are not overriding the noaccess setting. Please help.

New Member

The configuration isn't correct; in the field "Custom attributes" you have to set the following values:

memberof=<tacacs+-group>

admin_prof=<Req. profile>

ACS 4 Config

For further details read the KB from Fortinet.

New Member

Hi Erik,

All the required values are set in the custom attributes, but users always get the no_access profile.

New Member

Then you don't have the override function set in the admin user configuration.

Please attach your user configuration (on fortigate) for review.

New Member

Hi,

See my config backup of the Fortigate.

New Member

Config seems to be okay; check your config on the TACACS+ server, maybe there is something wrong there.

You can debug the logon on the Fortigate with "diag debug app fnbadm -1".

Try to use a newer version of FortiOS; version 4 hasn't been supported since April 2014.

New Member

I have been able to do this for my Fortigates, but I haven't been able to find the correct attributes and values for FortiManager and FortiAnalyzer. Anybody know them?

New Member

service=fortigate
memberof=<tacacs-server or group>
admin_prof=<access profile>
adom=<adom>

I got it by analyzing the communication between the Manager and the ACS server.

Sniffing the packets and then importing them into Wireshark for analysis.

The attributes for the Manager and the Analyzer are the same.
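The reply above found the FortiManager/FortiAnalyzer attributes by capturing the TACACS+ exchange and decoding it in Wireshark. The following is an added example, not code from the thread or from any vendor, that does the same decoding offline in Python: it builds an RFC 8907 authorization REPLY with the MD5-keystream obfuscation a TACACS+ server such as ACS applies, then parses it back with the shared key to recover the status and the attribute/value pairs the appliance acts on. The key, session id and attribute list are constructed for the example; nothing here is captured from a real device. Wireshark's TACACS+ dissector performs the same XOR when the shared key is entered in its protocol preferences.

```python
import hashlib
import re
import struct

TAC_PLUS_AUTHOR = 0x02            # header type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent without obfuscation
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: chained MD5 over
    session_id | key | version | seq_no | previous digest."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR against the pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(session_id, key, seq_no, status, args,
                       server_msg=b"", data=b""):
    """Encode an authorization REPLY (RFC 8907 section 6.2) as a server
    such as ACS would send it back to the FortiGate/FortiManager."""
    version = 0xC0                # major version 0xC, minor version 0
    encoded = [a.encode("ascii") for a in args]
    body = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    body += bytes(len(a) for a in encoded) + server_msg + data + b"".join(encoded)
    header = HEADER.pack(version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def parse_author_reply(packet, key):
    """Decode a captured authorization REPLY with the shared key and return
    the status plus the attribute/value pairs the client will act on."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError(f"not an authorization packet (type 0x{ptype:02x})")
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    off = 6 + arg_cnt
    server_msg = body[off:off + msg_len]
    off += msg_len + data_len     # skip server_msg and data; the args follow
    avpairs, optional = {}, []
    for n in arg_lens:
        arg = body[off:off + n].decode("ascii", "replace")
        off += n
        # '=' separates a mandatory attribute, '*' an optional one
        m = re.match(r"([^=*]+)([=*])(.*)", arg, re.S)
        if m:
            avpairs[m.group(1)] = m.group(3)
            if m.group(2) == "*":
                optional.append(m.group(1))
        else:
            avpairs[arg] = ""
    return {"status": AUTHOR_STATUS.get(status, f"0x{status:02x}"),
            "seq_no": seq_no, "server_msg": server_msg.decode("ascii", "replace"),
            "avpairs": avpairs, "optional": optional}


if __name__ == "__main__":
    # Constructed exchange: shared secret, session id and the attributes the
    # thread settled on, with adom marked optional the way the last reply lists it.
    KEY, SESSION = b"fortigate-tacacs-secret", 0x1234ABCD
    pkt = build_author_reply(SESSION, KEY, 2, 0x02,
                             ["service=fortigate", "memberof=test_group",
                              "admin_prof=super_admin", "adom*root"])
    print(parse_author_reply(pkt, KEY))
    print(parse_author_reply(pkt, b"wrong-key")["avpairs"])  # garbage, not an error
```

Note that a wrong key does not raise: the body simply decodes to garbage, because the pad is an XOR keystream with no integrity check. That is also what a mismatched AAA-client key looks like in a capture, which is why the earlier advice to verify the key on both sides matters more than the packet trace alone.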

Cisco Employee

TACACS Authentication and Fortigate Appliances

Hi

Please go through this link; it will be helpful regarding TACACS authentication and Fortigate configuration:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html
