Description
This article describes the steps to configure FortiManager/FortiAnalyzer for TACACS+ authentication and authorization, using access profile override, ADOM override and Specific Configuration on TACACS server side (linux).
The CLI examples are universal for all covered firmware versions.
The GUI screenshots are from v6.0, although the menus look different in the older versions, the settings are the same.
Scope
FortiManager, FortiAnalyzer.
Solution
Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other network computing units via one or more centralized servers.
It allows a client to accept a username and password and send a query to a TACACS authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies network access to the user.
TACACS+ offers fully encrypted packet bodies. The default TCP port for a TACACS+ server is 49.
An administrator is required to authenticate using a TACACS+ server, the FortiManager/FortiAnalyzer unit contacts the TACACS+ server for authentication.
If the TACACS+ server can authenticate the administrator, they are successfully authenticated with the FortiManager/FortiAnalyzer unit.
If the TACACS+ server cannot authenticate the administrator, the connection is refused by the FortiManager/FortiAnalyzer unit.
Configuring a TACACS+ server on the FortiManager/FortiAnalyzer unit:
To add a TACACS+ server from GUI:
- Go to: System Settings -> Admin -> Remote Authentication Server.
- Select: 'Create New' -> TACACS+ Server from the toolbar. The New TACACS+ Server pane opens.
Configure the following settings, and then select 'OK' to add the TACACS+ server.
There are several different authentication protocols that TACACS+ can use during the authentication process:
Select the authentication type used by your TACACS+ server in the drop-down list menu :
To add a TACACS+ server from CLI:
To use a TACACS+ server to authenticate administrators, the server must be configured before configuring the administrator accounts that will use it.
FortiManager / FortiAnalyzer side configuration.
config system admin tacacs
edit "TACACS_SERVERS"
set server <primary_server_ip>
set secondary-server <secondary_server_ip>
set key "$$$"
set secondary-key "$$$"
set authen-type auto
set authorization enable
next
end
config system admin profile
edit "no_access"
next
end
config system admin user
edit "wildcard_tac_plus"
set profileid "no_access"
set adom "all_adoms"
set policy-package "all_policy_packages"
set user_type tacacs-plus
set tacacs-plus-server "TACACS_SERVERS"
set wildcard enable
set radius-accprofile-override enable
set radius-adom-override enable
next
end
On the FortiManager/FortiAnalyzer define the different admin profiles (as needed) for the TACACS+ admins. From CLI under 'config system admin profile', or via web GUI under System Settings -> Admin -> Profile.
For example 'RO_profile', 'RW_profile', 'Policy_only_profile',... etc.
To add a TACACS+ wildcard user from GUI.
Notes.
Starting FortiManager 6.0.0 it's now possible to create multiple wildcard administrators.
the ADOM override feature can also be configured (to Allow access profile to be overridden from TACACS) with the following CLI commands on the user:
config system admin user
edit "wildcard_tacacs"
set profileid "Standard_User"
set adom "all_adoms"
set policy-package "all_policy_packages"
set user_type tacacs-plus
set tacacs-plus-server "TACACS_SERVERS"
set wildcard enable
set radius-accprofile-override enable
set radius-adom-override enable
next
end
Note:
As of v5.6.6/v6.0.3 the admin user CLI syntax was changed as follows:
set radius-accprofile-override => set ext-auth-accprofile-override
set radius-adom-override => set ext-auth-adom-override
set radius-group-match => set ext-authgroup-match
Note:
For the authorization override to work, make sure to enable the following setting:
config system admin tacacs
edit <server-name>
set authorization enable
next
end
If this setting is disabled, FortiManager/FortiAnalyzer will not send Authorization requests to the TACACS+ server and the override options will not work.
TACACS+ server-side configuration:
TACACS+ attribute-value (AV) pairs are used to define specific authentication, authorization, and accounting elements in a user profile that is stored on the TACACS+ daemon.
|
Attribute |
Requirement |
Description |
Value |
|
service |
Mandatory |
Fortinet Service |
fortigate |
|
memberof |
Mandatory |
TACACS+ group |
RO_admin_group |
|
admin_prof |
Mandatory |
ACC Profile |
RO_Profile |
|
adom |
Mandatory |
Allowed ADOMs |
all_adoms |
When using set ext-auth-accprofile-override, the 'admin_prof' attribute must be returned from the server and should match the admin profile names defined in FortiManager/FortiAnalyzer.
When using set ext-auth-adom-override, the 'adom' attribute must be returned from the server and should match existing ADOM names defined in FortiManager/FortiAnalyzer.
If more than one ADOM is required, add more than one ADOM attribute. For access to all ADOMs, TACACS should return the value all_adoms.
TACACS+ server on Linux:
- Download and Install the tacacs+ package :
sudo apt-get install tacacs+ - Configure the server in /etc/tacacs+/tac_plus.conf.
- Secret Key: The TACACS+ server and the client (FortiManager/FortiAnalyzer) need to have a matching secret key so the AAA packets can be encrypted.
key = "fortinetkey" - Groups: The group will define the level of access and what commands will be used by the users.
group = noaccess
{
default service = permit
service = fmg {
}
} - Users: The users that will have access to the FortiManager/FortiAnalyzer need to be defined. Each user needs to be associated with a group (a Profile on FortiManager/FortiAnalyzer) and have the password defined.
The following user 'test' can connect with the password 'fortinet' as a member of 'noaccess' group with the 'Super_User' admin profile.
user = test
{
login = cleartext fortinet
member = noaccess
service = fortigate {
memberof = noaccess
admin_prof = Super_User
}
} - tac_plus.conf file: The /etc/tacacs+/tac_plus.conf should now look like this :
key = "fortinet"
group = noaccess
{
default service = permit
service = fmg {
}
}
user = test
{
login = cleartext fortinet
member = noaccess
service = fortigate {
memberof = noaccess
admin_prof = Super_User
}
}
- Secret Key: The TACACS+ server and the client (FortiManager/FortiAnalyzer) need to have a matching secret key so the AAA packets can be encrypted.
Troubleshooting.
Diagnose commands:
The following CLI commands are used for troubleshooting admin login issues on FortiManager/FortiAnalyzer:
diagnose debug application fnbam 255
diagnose debug timestamp enable
diagnose debug enable
Since version 6.4.5.
diagnose debug application auth 8
diagnose debug timestamp enable
diagnose debug en
