rickas27
New Member
March 18, 2026
Question

FortiAuthenticator Best Practice for TACACS+ Policies


What is best practice for TACACS+ Policies in the FortiAuthenticator regarding whether to have a single policy for all TACACS+ Clients or have separate policies for various groups of TACACS+ Clients?

Would you only separate into multiple policies if you plan to segregate access by group? In other words, if we have routers, firewalls, and switches, then would you create a Router Group, Firewall Group, and Switch Group, and have the corresponding Group "assigned" to separate policies for each of these? Then a super user who needs access to all devices would have to be assigned to all groups?

1 reply

Toshi_Esumi
SuperUser
March 18, 2026

We're still running 6.5.x, so not sure about 6.6.x. And we're only using the RADIUS service, not the TACACS+ service. But when I took a look at the TACACS+ service, unlike the RADIUS service, it doesn't have a way to use attributes to filter requests in or out to separate those TACACS+ clients into different groups (policies). So the only way to specify a particular policy out of multiple is to specify the client IPs in the first step of creating a policy.

Then, if you separate those device types by policies and have different "identity sources" per device type, like the switches' backend auth server is LDAP (Win AD) and the routers' backend auth server is SAML (Entra ID), and those users' usernames are in the same format, like "username@realm", you probably have to separate them by policies.
But it's most unlikely that's the case for any implementation I can imagine.

In other words, if all users (not clients) are authenticated by a single authentication source, I don't see any particular reason to separate policies.

Toshi
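To make the trade-off in this thread concrete, here is a small model of first-match policy selection by TACACS+ client IP, written as an added example for this page; it is not FortiAuthenticator code, and the policy fields, the first-match order and the sample subnets and group names are all assumptions constructed for illustration. It shows the two layouts discussed above: one policy per device type (where, as the question suspects, a super user must be a member of every group) and a single policy for all clients (where device-type segregation is not enforced at the policy level).

```python
"""
Illustrative model of TACACS+ policy selection keyed on client IP.
Written for this page as an example; NOT FortiAuthenticator's implementation.
Policy fields, first-match ordering, subnets and group names are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class TacacsPolicy:
    name: str
    client_subnets: list      # CIDR strings: which TACACS+ clients this policy serves
    allowed_groups: set       # user groups permitted to authenticate through this policy
    _nets: list = field(init=False, repr=False)

    def __post_init__(self):
        # Parse once so matching does not re-parse on every request
        self._nets = [ipaddress.ip_network(s, strict=False) for s in self.client_subnets]

    def matches_client(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self._nets)


def select_policy(policies, client_ip):
    """Return the first policy whose client subnets contain client_ip, or None.
    First-match ordering is an assumption of this model."""
    for policy in policies:
        if policy.matches_client(client_ip):
            return policy
    return None


def authorize(policies, client_ip, user_groups):
    """Return (policy_name, allowed) for a request from client_ip by a user
    holding user_groups. No matching policy means the request is rejected."""
    policy = select_policy(policies, client_ip)
    if policy is None:
        return (None, False)
    return (policy.name, bool(policy.allowed_groups & set(user_groups)))


def groups_needed_everywhere(policies):
    """Groups a user must hold to be accepted by every policy in the list
    (each sample policy allows exactly one group, so the union is the answer)."""
    needed = set()
    for policy in policies:
        needed |= policy.allowed_groups
    return needed


# Constructed sample: one policy per device type, as laid out in the question
PER_DEVICE_POLICIES = [
    TacacsPolicy("routers", ["10.0.1.0/24"], {"Router Group"}),
    TacacsPolicy("firewalls", ["10.0.2.0/24"], {"Firewall Group"}),
    TacacsPolicy("switches", ["10.0.3.0/24", "10.0.4.0/24"], {"Switch Group"}),
]

# Constructed sample: a single policy covering every client and every admin group
SINGLE_POLICY = [
    TacacsPolicy("all-devices", ["10.0.0.0/16"],
                 {"Router Group", "Firewall Group", "Switch Group"}),
]

if __name__ == "__main__":
    # A router admin is accepted by the router policy but rejected by the firewall one
    print(authorize(PER_DEVICE_POLICIES, "10.0.1.5", ["Router Group"]))
    print(authorize(PER_DEVICE_POLICIES, "10.0.2.5", ["Router Group"]))
    # Under the single policy the same user is accepted on the firewall client
    print(authorize(SINGLE_POLICY, "10.0.2.5", ["Router Group"]))
    # Groups a super user needs under the per-device layout
    print(sorted(groups_needed_everywhere(PER_DEVICE_POLICIES)))
```

Run as a script the model prints the decisions for each layout. The point it illustrates is the one the reply makes: with client IP as the only selector, separating policies buys segregation by device type only when you also scope the allowed groups (or identity sources) per policy, and the cost is that anyone needing every device must be in every group.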