Tacacs.net ACCprofile bypass
Good day,
I'm setting up a Tacacs.net server to authenticate all our FGTs, and it's working fine.
But when a different TacacsUserGroup tries to log in to a FGT that doesn't have its TacacsAdmin_profile configured, it logs in as super_admin instead of being denied access.
Tacacs.net config for that group:
<Service>
<Set>service=fortigate</Set>
<Set>memberof=FGT_access</Set>
<Set>admin_prof=csu</Set>
</Service>
debug fnbamd output:
[705] parse_author_reply-Authorization arg0: memberof=FGT_access
[705] parse_author_reply-Authorization arg1: admin_prof=csu // This profile doesn't exist in the FGT.
[709] parse_author_reply-Authorization result=2
[788] auth_tac_plus_result-Passed group matching
[1059] find_matched_usr_grps-Group 'tacacs_access' passed group matching
[1060] find_matched_usr_grps-Add matched group 'tacacs_access'(2)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 637653419, len=2000
[747] destroy_auth_session-delete session 637653419
[1041] tac_plus_destroy-tacacs_server
It seems it only matches the group on the FGT but doesn't care about admin_profile matching.
"set accprofile-override enable" is set.
Any clue?
Regards.
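As an added example (not from the post, Fortinet or TACACS.net), the script below parses TACACS.net <Service> blocks in the shape shown above together with a constructed list of admin profiles configured on a FortiGate, and reports any group whose admin_prof the FGT does not know, so the fallback described in the post can be caught before anyone logs in; it also pulls the attribute pairs out of fnbamd debug lines for the same check. The FGT_ADMIN_PROFILES set and the second Service block are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: TACACS.net Service blocks in the shape shown in the post,
# wrapped in a root element so they parse as one XML document.
TACACS_NET_CONFIG = """<Services>
<Service>
<Set>service=fortigate</Set>
<Set>memberof=FGT_access</Set>
<Set>admin_prof=csu</Set>
</Service>
<Service>
<Set>service=fortigate</Set>
<Set>memberof=FGT_noc</Set>
<Set>admin_prof=prof_admin</Set>
</Service>
</Services>"""

# Constructed: admin profiles actually configured on one FortiGate
# (hypothetical; "csu" is deliberately absent, matching the post's scenario).
FGT_ADMIN_PROFILES = {"super_admin", "prof_admin", "super_admin_readonly"}

def parse_services(xml_text):
    """Return one {key: value} dict per <Service> block, built from its <Set> entries."""
    root = ET.fromstring(xml_text)
    services = []
    for svc in root.iter("Service"):
        attrs = {}
        for s in svc.findall("Set"):
            key, _, value = (s.text or "").partition("=")
            attrs[key.strip()] = value.strip()
        services.append(attrs)
    return services

def audit_profiles(xml_text, fgt_profiles):
    """List (memberof, admin_prof) pairs whose admin_prof does not exist on the FGT."""
    missing = []
    for svc in parse_services(xml_text):
        if svc.get("service") != "fortigate":
            continue
        prof = svc.get("admin_prof")
        if prof and prof not in fgt_profiles:
            missing.append((svc.get("memberof"), prof))
    return missing

# Matches the "parse_author_reply-Authorization argN: key=value" lines fnbamd prints.
AUTHOR_RE = re.compile(r"parse_author_reply-Authorization arg\d+: (\w+)=(\S+)")
def authz_attrs_from_debug(lines):
    """Pull the authorization attribute pairs the FGT received out of a debug capture."""
    return dict(AUTHOR_RE.findall("\n".join(lines)))
```

Run audit_profiles against each FGT's own profile list; any returned pair is a group that would hit the behaviour the post describes on that unit.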