Technical Tip: FortiGate TACACS+ Accounting messages
Description
This article describes the implementation of TACACS+ Accounting starting from FortiOS 7.0.2.
Scope
FortiGate v7.0.2+.
Solution
This feature sends FortiGate system log entries to an external TACACS+ accounting server as TACACS+ accounting records. Up to three external TACACS+ servers can be configured, each with its own filter for log events. The filters select TACACS+ accounting for login events, configuration change events, and CLI command audit.
To configure the TACACS+ Accounting settings:
config log tacacs+accounting setting
set status enable
set server "10.0.0.100"
set server-key ************
end
Starting with v7.2.4, a source IP and interface can be configured:
config log tacacs+accounting setting
set status enable
set server "10.0.0.100"
set server-key ************
set interface-select-method specify
set interface port1
end
To configure the filter for the TACACS+ Accounting:
config log tacacs+accounting filter
set login-audit enable
set config-change-audit enable
set cli-cmd-audit enable
end
Note:
Additional TACACS+ Accounting servers and filters can be configured with 'tacacs+accounting2' and 'tacacs+accounting3'.
For 'cli-cmd-audit', see also: Technical Tip: Enable audit log via CLI. Before enabling the 'cli-cmd-audit' parameter, it is necessary to enable CLI audit logging under 'config system global':
config system global
set cli-audit-log enable
end
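To make clear what the 'server-key' above actually protects, and what a server at '10.0.0.100' would receive once the filters are enabled, here is an added example (not FortiOS or Fortinet code) that encodes and decodes a TACACS+ accounting exchange as specified in RFC 8907: the Accounting REQUEST the client sends, the shared-key MD5 obfuscation of its body, the sanity checks a server can use to detect a key mismatch, and the Accounting REPLY. The STOP record it carries is constructed for the example; the attribute names service, cmd and task_id are assumptions, not a capture of what a FortiGate sends.

```python
"""TACACS+ (RFC 8907) accounting REQUEST/REPLY codec with shared-key
obfuscation. Added example, not FortiOS code; sample data is constructed."""
import hashlib
import struct

TAC_PLUS_ACCT = 0x03                     # header type: accounting
TAC_PLUS_UNENCRYPTED_FLAG = 0x01         # header flag: body sent in the clear
TAC_PLUS_ACCT_FLAG_START, TAC_PLUS_ACCT_FLAG_STOP = 0x02, 0x04
TAC_PLUS_ACCT_STATUS_SUCCESS, TAC_PLUS_ACCT_STATUS_ERROR = 0x01, 0x02
VERSION = 0xC0                           # major 0xC, minor 0
HDR = struct.Struct("!BBBBII")           # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 5.2: MD5 chain over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_acct_request(session_id, key, user, port, rem_addr, args, acct_flags):
    """Client side: Accounting REQUEST (seq_no 1 in every accounting session)."""
    enc = [a.encode() for a in args]
    # flags, authen_method TACACSPLUS(6), priv_lvl 15, authen_type ASCII(1),
    # authen_service LOGIN(1), then one length byte per variable-size field
    body = bytes([acct_flags, 0x06, 15, 0x01, 0x01,
                  len(user), len(port), len(rem_addr), len(enc)])
    body += bytes(len(a) for a in enc)
    body += user.encode() + port.encode() + rem_addr.encode() + b"".join(enc)
    hdr = HDR.pack(VERSION, TAC_PLUS_ACCT, 1, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION, 1)

def parse_acct_request(packet, key):
    """Server side: de-obfuscate and decode; ValueError if the body is not sane."""
    version, ptype, seq_no, flags, session_id, length = HDR.unpack_from(packet)
    if ptype != TAC_PLUS_ACCT or len(packet) != HDR.size + length:
        raise ValueError("not a well-formed accounting packet")
    body = packet[HDR.size:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    acct_flags, _meth, priv, _atype, _svc, ulen, plen, rlen, argc = body[:9]
    arg_lens = list(body[9:9 + argc])
    off = 9 + argc
    # A wrong shared key turns the body into noise: flag bits outside
    # START/STOP/WATCHDOG, priv_lvl above 15, or lengths that do not add up.
    if acct_flags & ~0x0E or priv > 15 or \
            off + ulen + plen + rlen + sum(arg_lens) != len(body):
        raise ValueError("body fails sanity checks (shared key mismatch?)")
    fields = []
    for n in [ulen, plen, rlen] + arg_lens:
        fields.append(body[off:off + n].decode())
        off += n
    user, port, rem_addr, *args = fields
    return {"session_id": session_id, "flags": acct_flags, "priv_lvl": priv,
            "user": user, "port": port, "rem_addr": rem_addr,
            "args": dict(a.split("=", 1) for a in args)}

def verify_key(packet, key):
    """True if the packet decodes cleanly under this shared key."""
    try:
        parse_acct_request(packet, key)
        return True
    except (ValueError, UnicodeDecodeError):
        return False

def build_acct_reply(request, key, status, server_msg=""):
    """Server side: Accounting REPLY, seq_no one above the request's."""
    version, _t, seq_no, flags, session_id, _l = HDR.unpack_from(request)
    msg = server_msg.encode()
    body = struct.pack("!HHB", len(msg), 0, status) + msg  # msg_len, data_len, status
    hdr = HDR.pack(version, TAC_PLUS_ACCT, seq_no + 1, flags, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, version, seq_no + 1)

def parse_acct_reply(packet, key):
    """Client side: (status, server_msg) from a REPLY."""
    version, _t, seq_no, flags, session_id, _l = HDR.unpack_from(packet)
    body = packet[HDR.size:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    msg_len, _data_len, status = struct.unpack_from("!HHB", body)
    return status, body[5:5 + msg_len].decode()

# Constructed sample: a STOP record for one audited CLI command. The attribute
# names (service, cmd, task_id) are assumed for the example, not FortiGate's.
SAMPLE_KEY = b"fortinet-shared-secret"
SAMPLE_REQUEST = build_acct_request(
    session_id=0x1A2B3C4D, key=SAMPLE_KEY, user="admin", port="ssh",
    rem_addr="192.0.2.10", acct_flags=TAC_PLUS_ACCT_FLAG_STOP,
    args=["service=shell", "cmd=set admin-sport 8443", "task_id=42"])

if __name__ == "__main__":
    print("decoded:", parse_acct_request(SAMPLE_REQUEST, SAMPLE_KEY))
    print("wrong key accepted:", verify_key(SAMPLE_REQUEST, b"wrong-key"))
    print("reply:", parse_acct_reply(build_acct_reply(
        SAMPLE_REQUEST, SAMPLE_KEY, TAC_PLUS_ACCT_STATUS_SUCCESS, "ok"), SAMPLE_KEY))
```

Two practical points follow from the code. First, a key mismatch does not produce an explicit error on the wire: the server simply decodes noise, which is why the sanity checks above (and the 'diagnose debug app syslogd -1' output on the FortiGate) are the way to spot a wrong 'server-key'. Second, the MD5 pad is obfuscation, not authenticated encryption; RFC 8907 itself says so and recommends confining TACACS+ to a protected management network (for example over IPsec), which is the reason to bind the accounting traffic to a dedicated management interface with 'set interface-select-method specify'.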
To troubleshoot the TACACS+ Accounting settings:
diagnose debug enable
diagnose debug app syslogd -1 <----- Displays errors from the logging daemon, if any (for example, when the server does not answer or the shared key is wrong).
diagnose test app syslogd 4 <----- Shows TACACS+ accounting statistics.
FortiOS releases before v7.0.2 support TACACS+ authentication and authorization, but not accounting. On those releases, TACACS+ accounting requests produce errors such as the following in the fnbamd debug output (diagnose debug application fnbamd):
2016-10-28 11:26:01 message_loop: checking timeouts
2016-10-28 11:26:09 fnbamd_acct.c[301] fnbamd_acct_start_STOP-tac_plus accounting not supported
2016-10-28 11:26:09 fnbamd_fsm.c[1251] create_acct_session-Nothing to do for acct type 8
2016-10-28 11:26:09 fnbamd_fsm.c[2206] handle_req-Error creating acct session 8
On releases before v7.0.2, it is therefore recommended to disable TACACS+ accounting between the FortiGate and the TACACS+ server.