Solution
FortiAuthenticator (FAC) can act as a TACACS+ server to authenticate and authorize admin accounts. The following steps are required on FAC:
- Create a TACACS+ service and add Attribute Value Pairs (AVP) if authorization is required.
- Create a rule and assign the created service to it.
- Create a TACACS+ client on FAC. The TACACS+ service must be enabled on the appropriate network interface.
- Create a TACACS+ policy to authenticate users.
- Assign the TACACS+ service to an end user or group.
On the FortiGate side, the following steps are required:
- Create a TACACS+ server.
- Create a user group object and bind the already created server to it.
- Create an admin user configured for remote login, with the wildcard and access-profile override options enabled.
Start with FortiAuthenticator:
- Create a TACACS+ service and add AVP for authorization:
- Go to the FortiAuthenticator GUI -> Authentication -> TACACS+ Service -> Authorization -> Services tab and, in the top right corner, select Create New:
- Give it a unique name and a service name. For FortiGate appliances, the service name must be 'fortigate' for authorization to work; this service will return two attributes, 'memberof' and 'admin_prof'.
- Create a rule and assign the created service to it.
- Go to the FortiAuthenticator GUI -> Authentication -> TACACS+ Service -> Authorization -> Rules tab and, in the top right corner, select Create New:
- Name the rule and assign the service created before, then select Save:
- Go to the FortiAuthenticator GUI -> Authentication -> TACACS+ Service -> Clients, and select Create New to create a TACACS+ Client:
- TACACS+ service must be enabled on the required interface:
- Create a TACACS+ policy to authenticate the user. Go to the FortiAuthenticator GUI -> Authentication -> TACACS+ Service -> Policies, and select Create New.
- It requires a policy name and the TACACS+ client that should match this policy. After configuring it, select Next:
- Select the user database source. In the example, the local user from the 'admins' group was selected (user groups can be filtered later):
- Select the authentication factors (password only, OTP only, etc.). Then select Next, followed by 'Update and Exit'.
- Now, assign the TACACS+ service to the filtered local user group 'admins'. Go to the Admin GUI -> Authentication -> User Management -> User Groups -> Select the group (in the screenshot, 'admins' was selected as an example) -> TACACS+ authorization rule -> Select service from the dropdown menu:
Now, configure the FortiGate:
See this article for configuring FortiGate as a TACACS+ client with a third-party TACACS+ server; troubleshooting steps are included.
- Create a TACACS+ server on the FortiGate via the CLI:
config user tacacs+
    edit "FAC_Tac"                 <- Can be renamed.
        set server "172.20.20.20"  <- Subject to adjustment.
        set key fortinet
        set authorization enable   <- If authorization is required.
    next
end
- Add a user group object with the TACACS+ server as a member. In the example below, the match group name is 'tacacs', which is the value the FortiGate receives in the authorization response:
config user group
    edit "tacacs_admin"
        set member "FAC_Tac"
        config match
            edit 1
                set server-name "FAC_Tac"
                set group-name "tacacs"
            next
        end
    next
end
- Create an admin user with remote authentication, access profile override, and wildcard enabled, bound to the remote group:
config system admin
    edit "tacacs_admin"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "tacacs_admin"
        set accprofile-override enable
    next
end
Testing:
- To show the difference, in the following example the access-profile override is disabled, so the test admin account is assigned the prof_admin profile for the root VDOM only:
config system admin
    edit tacacs_admin
        get
name                : tacacs_admin
remote-auth         : enable
...
...
accprofile          : prof_admin
vdom                : "root"
guest-auth          : disable
wildcard            : enable
remote-group        : tacacs_admin
accprofile-override : disable
vdom-override       : disable
GUI Console:
- Once access profile override is enabled, the remote admin account receives the profile returned by FortiAuthenticator, 'super_admin':
config system admin
    edit "tacacs_admin"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "tacacs_admin"
        set accprofile-override enable
    next
end
GUI console:
diagnose test authserver tacacs+ FAC_Tac local.user fortinet
authenticate user 'local.user' on server 'FAC_Tac' succeeded
Admin profile: super_admin
Group membership(s) - tacacs
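As an added example (not Fortinet's code and not part of the original article), the following Python models the mapping configured above: the 'memberof' attribute returned by FortiAuthenticator must equal the group-name in the user group's match table, and 'admin_prof' only takes effect when accprofile-override is enabled, which reproduces the two test results shown. The class and function names are the example's own, and it is a simplified model of the behaviour the article demonstrates, not FortiOS logic.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class UserGroup:
    """Models the article's 'config user group' entry and its 'config match' table."""
    name: str
    member: str                                         # TACACS+ server object
    match: Dict[str, str] = field(default_factory=dict) # server-name -> group-name

@dataclass
class AdminEntry:
    """Models the article's 'config system admin' entry."""
    name: str
    remote_group: str
    accprofile: str                  # local profile, e.g. "prof_admin"
    wildcard: bool = True
    accprofile_override: bool = False

def effective_profile(admin: AdminEntry, group: UserGroup, server: str,
                      username: str, avps: Dict[str, str]) -> Optional[str]:
    """Profile a remote admin ends up with, or None when the login is refused.
    avps: authorization attributes returned by FortiAuthenticator,
    e.g. {"memberof": "tacacs", "admin_prof": "super_admin"}."""
    # Without wildcard, only a login name equal to the admin entry's name is accepted.
    if not admin.wildcard and username != admin.name:
        return None
    # The admin entry must reference the group, and the group must contain the server.
    if admin.remote_group != group.name or group.member != server:
        return None
    # The 'memberof' value returned by the server must equal the group-name
    # configured for that server in the group's match table.
    if avps.get("memberof") != group.match.get(server):
        return None
    # With accprofile-override enabled, the server-supplied 'admin_prof' replaces
    # the locally configured profile; otherwise the local profile applies.
    if admin.accprofile_override and "admin_prof" in avps:
        return avps["admin_prof"]
    return admin.accprofile

# Constructed sample input: the article's objects and the attributes shown in
# its 'diagnose test authserver' output.
GROUP = UserGroup("tacacs_admin", "FAC_Tac", {"FAC_Tac": "tacacs"})
AVPS = {"memberof": "tacacs", "admin_prof": "super_admin"}
ADMIN_NO_OVERRIDE = AdminEntry("tacacs_admin", "tacacs_admin", "prof_admin")
ADMIN_OVERRIDE = AdminEntry("tacacs_admin", "tacacs_admin", "prof_admin",
                            accprofile_override=True)
```

Calling effective_profile with ADMIN_NO_OVERRIDE yields "prof_admin", with ADMIN_OVERRIDE "super_admin", and a 'memberof' value other than 'tacacs' refuses the login entirely.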