FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Nur
Article Id 206348
Description

This article describes how to configure a TACACS+ service and an authorization rule on FortiAuthenticator acting as a TACACS+ server, with a FortiGate as the TACACS+ client.
Scope

FortiAuthenticator 6.2.x and above.
FortiGate 6.4.X, 7.0.X, 7.2.X, 7.4.X.

Solution

FortiAuthenticator (FAC) can act as a TACACS+ server to authenticate and authorize admin accounts. The following steps are configured on FAC:

  1. Create a TACACS+ service and add Attribute Value Pairs (AVPs) if authorization is required.
  2. Create a rule and assign the created service to it.
  3. Create a TACACS+ client on FAC. The TACACS+ service must be enabled on the appropriate network interface.
  4. Create a TACACS+ policy to authenticate users.
  5. Assign the TACACS+ service to an end user or group.

On the FortiGate side, these steps should be done:

  1. Create a TACACS+ server.
  2. Create a user group object and bind the already created server to it.
  3. Create an admin user set up for remote login, with wildcard and the access-profile override option enabled.

Start with FortiAuthenticator:

  1. Create a TACACS+ service and add AVPs for authorization:

  • Go to the FortiAuthenticator GUI -> Authentication -> TACACS+ Service -> Authorization -> Services tab and, in the top right corner, select Create New:

[Screenshot: Service-Create.png]

  • Give the entry a unique name and a service name. For FortiGate appliances, the 'Service' value must be 'fortigate' for authorization to work; this service provides two attribute values, 'memberof' and 'admin_prof'.

[Screenshot: create_service-with AVP.png]


  2. Create a rule and assign the created service to it:

  • Go to the FortiAuthenticator GUI -> Authentication -> TACACS+ Service -> Authorization -> Rules tab and, in the top right corner, select Create New:

[Screenshot: Auth-Rules.png]

  • Name the rule and assign the service created before, then select Save:

[Screenshot: AssignService.png]


  3. Go to the FortiAuthenticator GUI -> Authentication -> TACACS+ Service -> Clients, and select Create New to create a TACACS+ client:

[Screenshot: TACACS_Client.png]

  • The TACACS+ service must be enabled on the required interface:

[Screenshot: 2024-08-28 17_12_29-FortiAuthenticator - Mozilla Firefox.png]


  4. Create a TACACS+ policy to authenticate the user. Go to the FortiAuthenticator GUI -> Authentication -> TACACS+ Service -> Policies, and select Create New.

  • The policy requires a name and the TACACS+ client(s) that should match it. After configuring these, select Next:

[Screenshot: akanibek_0-1724858043138.png]

  • Select the user database source. In the example, the local user database was chosen and the 'admins' group had already been selected (user groups can be filtered later):

[Screenshot: akanibek_2-1724858078354.png]

  • Select the authentication factors (password only, OTP only, etc.). Then select Next, and finally 'Update and Exit'.

[Screenshot: akanibek_3-1724858106065.png]


  5. Now, assign the TACACS+ service to the filtered local user group 'admins'. Go to the Admin GUI -> Authentication -> User Management -> User Groups -> select the group (in the screenshot, 'admins' was selected as an example) -> TACACS+ authorization rule -> select the service from the dropdown menu:

[Screenshot: akanibek_4-1724858134871.png]


Now, configure the FortiGate device:

See this article to configure FortiGate as a TACACS+ client with a third-party TACACS+ server. Troubleshooting steps are included there.

  1. Create a TACACS+ server on the FortiGate via the CLI:

config user tacacs+
    edit "FAC_Tac" <- Can be renamed.
        set server "172.20.20.20" <- Subject to adjustment.
        set key fortinet <- Shared secret; must match the secret configured on the FortiAuthenticator TACACS+ client entry.
        set authorization enable <- If authorization is required.
    next
end


  2. Add a user group object with the TACACS+ server as a member. In the example below, the group name to match is 'tacacs', which the FortiGate receives from the server in the authorization reply:

config user group
    edit "tacacs_admin"
        set member "FAC_Tac"
        config match
            edit 1
                set server-name "FAC_Tac"
                set group-name "tacacs"
            next
        end
    next
end


  3. Create an admin user with remote authentication, access profile override, and wildcard enabled:

config system admin
    edit "tacacs_admin"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "tacacs_admin"
        set accprofile-override enable
    next
end


Testing:

  • To show the difference, in the following example the access-profile override function is disabled, so the testing admin account is given the local 'prof_admin' profile for the root VDOM only:

config system admin
    edit tacacs_admin
        get
name : tacacs_admin
remote-auth : enable
...
...
accprofile : prof_admin
vdom : "root"
guest-auth : disable
wildcard : enable
remote-group : tacacs_admin
accprofile-override : disable
vdom-override : disable

GUI console:

[Screenshot: akanibek_5-1724858392539.png]


  • Once access profile override is enabled, the remote admin account is given the 'super_admin' profile returned by FortiAuthenticator in the 'admin_prof' attribute:

config system admin
    edit "tacacs_admin"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "tacacs_admin"
        set accprofile-override enable
    next
end

GUI console:

[Screenshot: akanibek_6-1724858471112.png]

Verify the result from the FortiGate CLI:

diagnose test authserver tacacs+ FAC_Tac local.user fortinet
authenticate user 'local.user' on server 'FAC_Tac' succeeded
Admin profile: super_admin
Group membership(s) - tacacs
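As an added example that is not Fortinet's code or part of this article, the Python below parses the 'config user group' and 'config system admin' blocks shown above with a minimal FortiOS CLI parser and models how the 'memberof' and 'admin_prof' values returned by FortiAuthenticator map onto the admin account: the login is denied when 'memberof' does not match the group's match entry for the member server, and 'admin_prof' is honoured only when accprofile-override is enabled. The parser, the effective_profile function and the embedded sample config are simplified constructions for this example.

```python
import re
# Constructed sample: the article's 'config user group' and 'config system admin' blocks.
FGT_CONFIG = """
config user group
    edit "tacacs_admin"
        set member "FAC_Tac"
        config match
            edit 1
                set server-name "FAC_Tac"
                set group-name "tacacs"
            next
        end
    next
end
config system admin
    edit "tacacs_admin"
        set remote-auth enable
        set accprofile "prof_admin"
        set wildcard enable
        set remote-group "tacacs_admin"
        set accprofile-override enable
    next
end
"""
def parse_fortios(text):
    """Minimal model of FortiOS CLI syntax (config/edit/set/next/end) as nested dicts."""
    stack = [{}]                      # stack[-1] is the table or entry being filled
    for line in filter(str.strip, text.splitlines()):
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tok[0] in ("config", "edit"):          # open a table or an entry
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":                     # attribute of the current entry
            stack[-1][tok[1]] = " ".join(tok[2:])
        elif tok[0] in ("next", "end"):           # close the current entry / table
            stack.pop()
    return stack[0]

def effective_profile(cfg, admin_name, avps):
    """Model of the article's mapping: 'memberof' must equal the group's match entry for
    its member server; 'admin_prof' applies only with accprofile-override. None = denied."""
    admin = cfg["system admin"][admin_name]
    group = cfg["user group"][admin["remote-group"]]
    wanted = {m["group-name"] for m in group["match"].values()
              if m["server-name"] == group["member"]}
    if admin.get("remote-auth") != "enable" or avps.get("memberof") not in wanted:
        return None
    if admin.get("accprofile-override") == "enable" and "admin_prof" in avps:
        return avps["admin_prof"]     # profile dictated by FortiAuthenticator's AVP
    return admin["accprofile"]        # local profile, e.g. prof_admin
```

Pasting the output of `show user group` and `show system admin` from a real FortiGate in place of the sample lets you check which profile a given authorization reply would yield before enabling the override.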