Eric_N
New Member
October 2, 2017
Question

Tacacs configuration - Authentication OK but no access to vdom


Hello,

I'm having an issue when configuring TACACS+. Authentication is working correctly, but I don't have access to vdoms. I'm running FortiOS v5.4.5,build1138 (GA).

Configuration:

config vdom
edit elbc-mgmt
config user tacacs+
    edit "TACACS-ISE"
        set server "x.x.x.x"
        set key ENC zqwEyuAFNC55u3Ve4ryjqLYTZTF91Wva825q4IkLKYKoIGUZ3l11QyuAOukWRP8Ejn11hODEqj/+yox3kD20pt0JWuhMSC7U/EVRSiwb9o6Dwx9SRlGhoXSPmHtQ15iN+8kGdn6FLsqzxpOAsXqJY79sqR6DsoPVsjxBx19ceUpJjary0oApEngL80aZeFIdluwA==
        set authorization enable
    next
end
config user group
    edit "TACACS_Group"
        set member "TACACS-ISE"
    next
end
next
end

config global
config system admin
    edit "TACACS_User"
        set remote-auth enable
        set accprofile "noaccess"
        set comments ''
        set vdom "elbc-mgmt"
        set schedule ''
        set two-factor disable
        set email-to ''
        set sms-server fortiguard
        set sms-phone ''
        set guest-auth disable
        set wildcard enable
        set remote-group "TACACS_Group"
        set accprofile-override enable
        set radius-vdom-override disable
    next
end

config system accprofile
    edit "noaccess"
    next
    edit "Read_Write"
        set mntgrp read-write
        set admingrp read-write
        set updategrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set routegrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set endpoint-control-grp read-write
        set wifi read-write
    next
    edit "Read_Only"
        set mntgrp read
        set admingrp read
        set updategrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set routegrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set endpoint-control-grp read
        set wifi read
    next
end
end

Below is the admin status command output:

FortiGate $ get system admin status
username: user
login local: ssh
login device: base-mgmt:10.101.10.4:22
login remote: 10.101.10.15:64576
login vdom: elbc-mgmt
login access profile: Read_Write
login started: 2017-10-02 13:57:02
current time: 2017-10-02 13:57:15

Has anyone encountered this issue? The user needs to have access to all vdoms, but in my case he only seems to have access to 1 vdom.


Thank you for your help

Eric

1 reply

emnoc
New Member
October 2, 2017

Do you have a remote wildcard user, or what type of user? You might need to add the user to ALL vdoms?

e.g.

config sys admin
    edit wildcard
        set accprofile "profileALL"
        set vdom root AWS GCP AZURE CUST1 CUSTo CUSTB CUSTC
        set remote-group "tac_plus_group"
    next
end

tac_plus_group is our tac_plusd tacacs-servers

Ken

Eric_N (Author)
New Member
October 2, 2017

It should be a wildcard.

On the ISE server, depending on the access level, it sends the "admin_prof" value, which is either "Read_Write" or "Read_Only".

Configuration is based on https://blog.willsplace.co.uk/quick-dirty-fortigate-tacacs-config/ 

I have tried to add multiple vdoms:

config system admin
    edit "TACACS_User"
        set remote-auth enable
        set accprofile "noaccess"
        set vdom "elbc-mgmt vdom1 vdom2 vdom3"
        set wildcard enable
        set remote-group "TACACS_Group"
        set accprofile-override enable
    next
end

But when accessing the device, even though it seems the user doesn't have admin access (ISE is sending the value "Read_Only"), the user seems to have write access (managed to change the configuration in vdom elbc-mgmt).

In the configuration there is a radius-vdom-override, but there doesn't seem to be the same thing for TACACS+.


Eric

emnoc
New Member
October 2, 2017

Well, if you have "set accprofile-override enable", that will override the locally set access profile. Are you sure that's not what's happening?

Going by what you listed in the FGT config:

1: your users are wildcard

2: the accprofile is overridden if one is present in the TACACS authorization

3: the users have access to ONLY "elbc-mgmt vdom1 vdom2 vdom3"


Is that speculation correct as far as what you want?


If that's what you want, I would look at the tacacs-server profiles.
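As an added example (not code from the thread or from Fortinet), a small Python audit that parses a FortiOS-style `config system admin` / `config user tacacs+` snippet and reports, for each remote admin, whether its effective access profile is decided by the local accprofile or handed down by the TACACS+ server (accprofile-override plus server-side authorization, the combination discussed above), plus its vdom scope. The sample config is constructed from the thread; the hypothetical `suspicious_vdom_quoting` flag catches a vdom list typed as one quoted string.

```python
import re

# Constructed FortiOS-style snippet modelled on the thread (not the poster's exact config).
SAMPLE_CONFIG = """\
config user tacacs+
    edit "TACACS-ISE"
        set authorization enable
    next
end
config system admin
    edit "TACACS_User"
        set remote-auth enable
        set accprofile "noaccess"
        set vdom "elbc-mgmt"
        set wildcard enable
        set accprofile-override enable
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set/next/end into {table: {entry: {key: [values]}}}; quoted values keep spaces."""
    tables, stack = {}, []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        word, _, rest = line.partition(" ")
        if word in ("config", "edit"):
            stack.append((rest.strip('"'), {}))
        elif word == "set":
            key, _, vals = rest.partition(" ")
            stack[-1][1][key] = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', vals)]
        elif word in ("next", "end"):
            name, body = stack.pop()
            (stack[-1][1] if stack else tables)[name] = body
    return tables

def audit_remote_admins(tables):
    """Per remote admin: whether the effective profile comes from the local accprofile or from TACACS+ (override on and server authorization on), and its vdom scope."""
    server_authz = any(s.get("authorization") == ["enable"] for s in tables.get("user tacacs+", {}).values())
    report = {}
    for name, a in tables.get("system admin", {}).items():
        if a.get("remote-auth") != ["enable"]:
            continue
        vdoms = a.get("vdom", [])
        report[name] = {
            "wildcard": a.get("wildcard") == ["enable"],
            "profile_source": "tacacs" if server_authz and a.get("accprofile-override") == ["enable"] else "local",
            "local_profile": a.get("accprofile", [None])[0],
            "vdoms": vdoms,
            "suspicious_vdom_quoting": any(" " in v for v in vdoms),  # one value with a space = misquoted list
        }
    return report
```

Run `audit_remote_admins(parse_fortios(SAMPLE_CONFIG))` to see that TACACS_User's effective profile is server-decided and scoped to elbc-mgmt only.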