Alpha7
New Member
June 24, 2016
Question

Fortigate authorization and Authentication using Cisco ACS

Hi

I am trying to implement Fortigate's authentication back to a Cisco ACS server 5.6. I have followed the post below for the Fortigate's configuration:

http://kb.fortinet.com/kb/documentLink.do?externalID=FD33320

I configured the TACACS server with one shell profile only, with manual attributes set, to test whether that works, as below:

Fortigate

service = fortinet
memberof = Network Security
admin_prof = noaccess


Also, I created identity and authorization policies.

We are able to authenticate to the firewall as a TACACS user. However, we only ever get the default noaccess profile set on the Fortigate. For some reason, TACACS is not overriding the Fortigate access profile. The Fortigate is set to accprofile-override enable.

Could someone help?

 

Thanks

Thush

    emnoc
    New Member
    June 24, 2016

    We did not do that. See the screenshot, but you only need to specify the service and admin_prof attributes.


    xsilver_FTNT
    Staff
    June 30, 2016

    Hi Thush,

    If I got it correctly, then you are trying to have the access profile overridden by the value found for a particular admin in the TACACS+ server. And you are not getting that profile from TACACS, but the profile set in the wildcard admin on the FortiGate. So Authorization is not working, while the user is able to Authenticate.

     

    If that's true, then:

     

    1. admin_prof=noaccess set in TACACS does not make sense to me. Usually some sort of no-access profile is the default one in the FortiGate, and anything better needs to be inherited from and through TACACS Authorization.

     

    2. Authorization, i.e. getting the profile from TACACS+, is not working. Pay attention to the FortiGate 'config user tacacs' and the profile in there, and the parameter 'set authorization enable'! By default, authorization is disabled. Also check if your admin wildcard profile on the FortiGate has 'set accprofile-override enable'.

     

    If you have followed the KB precisely, and have the FortiGate set and the AVP on TACACS+ set as well, then it should work.

     

    If it's still not working, then sniff the TACACS+ traffic (tcp/udp.49). Also check and share the config. Or open a ticket with Technical Support.

     

    Best regards,

    Tomas
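
The FortiGate side of what Tomas describes, written out as an added example in FortiOS CLI syntax (this is not part of his reply and not the poster's configuration). The server address, shared key and object names are placeholders; the ACS attribute names in the trailing comment are assumed to match the KB article linked in the question, so verify them there before relying on them.

```text
# Added example, FortiGate side only. Names, address and key are placeholders.
config user tacacs+
    edit "ACS-56"
        set server "192.0.2.10"
        set key "<shared-secret-matching-ACS>"
        set authen-type auto
        # default is disable: with it disabled the FortiGate never asks
        # ACS for a profile, so the wildcard accprofile is all you get
        set authorization enable
    next
end
config user group
    edit "tacacs-admins"
        set member "ACS-56"
    next
end
config system admin
    edit "tacacs-wildcard"
        set remote-auth enable
        set vdom "root"
        set wildcard enable
        set remote-group "tacacs-admins"
        # fallback profile; must exist under "config system accprofile"
        set accprofile "no_access"
        # lets the admin_prof value returned by TACACS+ replace "no_access"
        set accprofile-override enable
    next
end
# ACS shell profile custom attributes (assumed names, check against KB FD33320):
#   service=fortigate   admin_prof=super_admin   memberof=<group, if used>
```

With authorization disabled the FortiGate only runs the authentication exchange, which is exactly the symptom in the question: login succeeds, but the profile comes from the wildcard admin. After changing either setting, test with a fresh login, since an existing session keeps the profile it was assigned at login.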

    emnoc
    New Member
    June 30, 2016

    He would be better off using the integral ACS reporting for protocol AAA+TACACS and looking at the authentication and authorization reports to see exactly what the ACS is doing for the given user that logs in. You can also run 'diag debug app authd'.

     

    The ACS report will show you what profile and policy was matched. And if the policy doesn't have the correct profile, you will never override the wildcard 'set accprofile'.

     

    One other thing: access profiles are case sensitive. No_access and no_access are not the same thing. One of my guys did something like that and beat his head into a brick wall trying to figure it out ;)

     

    And the last tip: if the admin_prof set by TACACS does NOT exist on the Fortigate, the fallback is the defined wildcard access profile.
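
As an added example (not code from the thread, from Fortinet or from Cisco), here is a small Python 3 script that decodes a TACACS+ authorization REPLY the way you would read one out of a tcp/49 capture taken as Tomas suggests, and then applies the rule emnoc states in his last two tips: the admin_prof value returned by the server is used only if a profile with exactly that name (case-sensitive) exists on the FortiGate, otherwise the wildcard admin's accprofile is the fallback. The sample packet, shared key and profile names are constructed; the attribute name service=fortigate is an assumption taken from the KB linked in the question (the question itself writes "fortinet"), and the resolution function mirrors what the replies describe, not FortiOS source.

```python
"""Decode a TACACS+ (RFC 8907) authorization REPLY and apply the profile
selection rule described in the thread. Added example with a constructed
packet; the key, session id and profile names are placeholders."""
import hashlib
import re
import struct

TAC_PLUS_AUTHOR = 0x02                 # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x00
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
HEADER = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Body obfuscation pad: chained MD5 over session_id, key, version, seq_no."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """The pad is XORed onto the body, so one call both encodes and decodes."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))


def build_author_reply(status: int, args: list[str], session_id: int, key: bytes, seq_no: int = 2) -> bytes:
    """Server -> FortiGate authorization REPLY (seq_no 2 answers the request's seq_no 1)."""
    raw_args = [a.encode() for a in args]
    server_msg = data = b""
    body = struct.pack("!BBHH", status, len(raw_args), len(server_msg), len(data))
    body += bytes(len(a) for a in raw_args) + server_msg + data + b"".join(raw_args)
    version = 0xC0  # major version 0xC, minor 0
    header = HEADER.pack(version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def parse_author_reply(packet: bytes, key: bytes) -> tuple[int, str, list[str]]:
    """Return (status, server_msg, args) from a raw authorization REPLY captured on tcp/49."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError(f"not an authorization packet (type {ptype:#x})")
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body)
    off = 6
    arg_lens = body[off:off + arg_cnt]
    off += arg_cnt
    server_msg = body[off:off + msg_len].decode(errors="replace")
    off += msg_len + data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode(errors="replace"))
        off += n
    return status, server_msg, args


def avpairs(args: list[str]) -> dict[str, str]:
    """Split 'attr=value' (mandatory) and 'attr*value' (optional) pairs into a dict."""
    pairs = {}
    for a in args:
        m = re.match(r"([^=*]+)[=*](.*)", a, re.S)
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs


def resolve_admin_profile(pairs, local_profiles, wildcard_accprofile, override_enabled=True):
    """Profile the admin ends up with, per the thread: admin_prof from TACACS+ wins only
    when accprofile-override is enabled and a local profile with exactly that name
    (case-sensitive) exists; otherwise the wildcard admin's accprofile is the fallback."""
    if not override_enabled:
        return wildcard_accprofile, "accprofile-override disabled"
    wanted = pairs.get("admin_prof")
    if wanted is None:
        return wildcard_accprofile, "no admin_prof attribute in reply"
    if wanted in local_profiles:
        return wanted, "admin_prof matched a local profile"
    near = [p for p in local_profiles if p.lower() == wanted.lower()]
    hint = f" (case mismatch with {near[0]!r})" if near else ""
    return wildcard_accprofile, f"admin_prof {wanted!r} does not exist{hint}"


# Constructed sample: shared key, session id and profile names are placeholders;
# "service=fortigate" is assumed from the KB linked in the question.
KEY = b"constructed-shared-secret"
LOCAL_PROFILES = {"super_admin", "prof_admin", "no_access"}
SAMPLE_REPLY = build_author_reply(
    TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
    ["service=fortigate", "admin_prof=super_admin", "memberof=Network Security"],
    session_id=0x1234ABCD, key=KEY)


def demo() -> tuple[str, str]:
    status, _, args = parse_author_reply(SAMPLE_REPLY, KEY)
    assert status == TAC_PLUS_AUTHOR_STATUS_PASS_ADD
    return resolve_admin_profile(avpairs(args), LOCAL_PROFILES, "no_access")


if __name__ == "__main__":
    print(parse_author_reply(SAMPLE_REPLY, KEY))
    print(demo())
    print(resolve_admin_profile({"admin_prof": "Super_Admin"}, LOCAL_PROFILES, "no_access"))
```

To use it on a real capture, feed parse_author_reply the TCP payload of the server's reply together with the key from 'config user tacacs+'; a wrong key yields garbage arguments rather than an error, which is itself a useful check that the two sides share the same secret. The second print shows the case-sensitivity trap from emnoc's post: "Super_Admin" does not match "super_admin", so the admin lands on the wildcard profile.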