Mohammad
Visitor III
August 14, 2022
Solved

Help with vdom and tacacs...

  • August 14, 2022
  • 3 replies
  • 4416 views

Hello,

We use ClearPass TACACS with FortiGate 6.4.9 with no problem. Now I want to configure a user to see only one VDOM in FortiGate. I tried to use "set radius-vdom-override enable" but no luck:

config system admin
    edit "t1_admin"
        set remote-auth enable
        set accprofile "noaccess"
        set vdom "root" "vdom.01" "vdom.02"
        set wildcard enable
        set remote-group "TACACS1"
        set accprofile-override enable
        set radius-vdom-override enable
    next
end

my questions:

  1. Can I use "set radius-vdom-override tacacs" with TACACS or not?
  2. Or do I need to configure another user with "set wildcard enable", if that is possible?

Thank you

3 replies

abelio
SuperUser
August 14, 2022

Hi Mohammad,

Check whether your RADIUS server is returning a VDOM attribute (if not, nothing will happen).

Check also whether your RADIUS dictionary file includes these two attributes (12356 is the Fortinet RADIUS vendor ID):

VENDORATTR 12356 Fortinet-Vdom-Name 3 string
VENDORATTR 12356 Fortinet-Access-Profile 6 string

Finally, you have to associate the user with its desired VDOM in your RADIUS server user file, i.e. using your definitions:

adminroot      Password = "<pass>",
               User-Service-Type = Login-User,
               Fortinet-Vdom-Name = root,
               Fortinet-Access-Profile = read_only,

adminvdom01    Password = "<pass>",
               User-Service-Type = Login-User,
               Fortinet-Vdom-Name = vdom.01,
               Fortinet-Access-Profile = read_only,

adminvdom02    Password = "<pass>",
               User-Service-Type = Login-User,
               Fortinet-Vdom-Name = vdom.02,
               Fortinet-Access-Profile = read_only,

Mohammad (Author)
Visitor III
August 16, 2022

Hello Abelio,

I use TACACS+, not RADIUS. Do you know the attributes for VDOM in the TACACS+ Services Dictionaries?

I tried to put vdom like in the photo:

[attachment: TACACS_FG.JPG]

But no luck.


Thank you

Markus_M
Staff & Editor
August 17, 2022

Hi Mohammad,

Based on this:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Access-using-TACACS-authentication-with-admin/ta-p/196361

I would guess the values are simply what the FortiGate config has to offer.

vdom = vdom-name, e.g. root. Rest as per article.

Best regards,

Markus

pminarik (Best answer)
Staff
August 17, 2022

"radius-vdom-override" has "radius" in its name because historically TACACS+-based login has not supported dynamic VDOM assignment.

This has however just changed in firmware 7.2.1, where the new feature logged under ID 803326 has implemented this.

ref: https://docs.fortinet.com/document/fortigate/7.2.1/fortios-release-notes/743723/new-features-or-enhancements

Vendor-Specific Attributes (VSAs) can be used with TACACS authentication and authorization in wildcard system administrator access to FortiGates from browsers and SSH. The new VSAs allow the FortiGate to perform group matching and overwrite VDOM settings under system admin.

The expected attribute name is simply "vdom".

Keep in mind that this will not work in any other version.
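As an added example (not from this thread, Fortinet, or the accepted answer), a small Python pre-flight check that parses a pasted "config system admin" block like the one in the question and reports which of the conditions discussed above are unmet for a given FortiOS version and authentication protocol. It assumes, following the accepted answer, that TACACS+ VDOM override needs FortiOS 7.2.1 or later; the sample config is a constructed copy of the poster's block.

```python
import re
import shlex

# Constructed sample: the poster's "config system admin" block from this thread, reformatted.
SAMPLE_CONFIG = """
config system admin
    edit "t1_admin"
        set remote-auth enable
        set accprofile "noaccess"
        set vdom "root" "vdom.01" "vdom.02"
        set wildcard enable
        set remote-group "TACACS1"
        set accprofile-override enable
        set radius-vdom-override enable
    next
end
"""

# Settings the poster's config relies on for a wildcard remote admin with VDOM override.
REQUIRED = {"remote-auth": "enable", "wildcard": "enable", "radius-vdom-override": "enable"}
# Assumption taken from the accepted answer: TACACS+ VDOM override first shipped in FortiOS 7.2.1.
MIN_TACACS_VDOM_VERSION = (7, 2, 1)

def parse_admins(text):
    """Return {admin_name: {setting: [values]}} from a pasted 'config system admin' block."""
    admins, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r'edit\s+"([^"]+)"', line)
        if match:
            current = match.group(1)
            admins[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            admins[current][key] = shlex.split(rest)  # shlex drops the surrounding quotes
    return admins

def check_admin(settings, fortios_version, protocol):
    """List the conditions, discussed in the thread, that would block dynamic VDOM assignment."""
    problems = []
    for key, want in REQUIRED.items():
        got = settings.get(key, ["<unset>"])[0]
        if got != want:
            problems.append(f"{key} is {got}, expected {want}")
    version = tuple(int(part) for part in fortios_version.split("."))
    if protocol == "tacacs+" and version < MIN_TACACS_VDOM_VERSION:
        problems.append(f"FortiOS {fortios_version}: TACACS+ VDOM override needs 7.2.1 or later")
    return problems
```

Run against the poster's block, the check passes for RADIUS on 6.4.9 and for TACACS+ on 7.2.1, and flags only the firmware version for TACACS+ on 6.4.9.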

Mohammad (Author)
Visitor III
August 17, 2022

Hello pminarik,

Thank you very much for your help and the information.