Technical Tip: FortiAuthenticator TACACS+ service troubleshooting

1. Network issue: revise if the TACACS+ protocol is enabled for communicating between the TACACS+ server and the user.
   
   
2. Assure the FortiAuthenticator's TACACS+ service is enabled on a desired interface. Otherwise, FortiAuthenticator will ignore received packets:

FortiAuthenticator GUI -> Network -> Interfaces.

Packet capture from a FortiAuthenticator when the service is disabled:

execute tcpdump -i any port 49
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
16:36:07.851943 port1 In IP 172.20.20.1.23668 > 172.20.20.20.tacacs: Flags [S], seq 963520346, win 29200, options [mss 1460,sackOK,TS val 2326280319 ecr 0,nop,wscale 13], length 0
16:36:10.824962 port1 In IP 172.20.20.1.23670 > 172.20.20.20.tacacs: Flags [S], seq 810752880, win 29200, options [mss 1460,sackOK,TS val 2326283292 ecr 0,nop,wscale 13], length 0
16:36:12.299999 port1 In IP 172.20.20.1.23672 > 172.20.20.20.tacacs: Flags [S], seq 4280533060, win 29200, options [mss 1460,sackOK,TS val 2326284767 ecr 0,nop,wscale 13], length 0

3. Make sure if a TACACS+ authentication policy is configured properly in a GUI -> Authentication -> Tacacs+ Service -> Policies.

   In a debug snippet below, there is no configured tacacs+ authentication policy. Parsed debugs could be accessed in the Radius debug of FortiAuthenticator  (Tacacs+ debugs shows less data):
   
   

   -------

   2024-08-27T15:41:36.714422+02:00 fac03 radiusd[8579]: (62) Auth-Type FACAUTH {
   2024-08-27T15:41:36.714449+02:00 fac03 radiusd[8579]: (62) facauth: Added FreeRADIUS-Response-Delay:=0 in reply value pairs.
   2024-08-27T15:41:36.714480+02:00 fac03 radiusd[8579]: (62) facauth: ===>TACACS+ 172.20.20.1
   2024-08-27T15:41:36.714542+02:00 fac03 radiusd[8579]: (62) facauth: Comparing client IP 172.20.20.1 with authclient FGT (172.20.20.1, 1 IPs)
   2024-08-27T15:41:36.714577+02:00 fac03 radiusd[8579]: (62) facauth: ------> matched!
   2024-08-27T15:41:36.714601+02:00 fac03 radiusd[8579]: (62) facauth: Comparing client IP 172.20.20.1 with authclient qwerty (172.20.20.1, 1 IPs)
   2024-08-27T15:41:36.714625+02:00 fac03 radiusd[8579]: (62) facauth: Found authclient from preloaded authclients list for 172.20.20.1: FGT (172.20.20.1)
   2024-08-27T15:41:36.714644+02:00 fac03 radiusd[8579]: (62) facauth: authclient_id:2 auth_type:'password'
   2024-08-27T15:41:36.716920+02:00 fac03 radiusd[8579]: (62) facauth: WARNING: No authpolicy for authclient 2 with authtype password
   2024-08-27T15:41:36.716952+02:00 fac03 radiusd[8579]: (62) facauth: ERROR: ERROR: unable to find matching authpolicy for TACACS+ client with IP 172.20.20.1
   2024-08-27T15:41:36.717008+02:00 fac03 radiusd[8579]: (62) facauth: Failed to load client config
   2024-08-27T15:41:36.717023+02:00 fac03 radiusd[8579]: (62) facauth: user: local.user not found, update user and ip lockout with ip: (null)

   -------
   
   

   FortiAuthenticator's TACACS+ Authentication debugs for the same attempt:
   
   

   -------
   2024-08-27T15:41:36.721159+02:00 fac03 tac_plus[1945]: 1d/3f225799: 172.20.20.1 pap login for 'local.user~172.20.20.1' (realm: radiusRealm) (realm: radiusRealm) failed
   2024-08-27T15:41:36.721175+02:00 fac03 tac_plus[1945]: 172.20.20.1 pap login for 'local.user~172.20.20.1' (realm: radiusRealm) (realm: radiusRealm) failed
   ...
   2024-08-27T15:41:36.722996+02:00 fac03 tac_plus[1945]: 1e/86ee4a13: 172.20.20.1 mschap login for 'local.user' (realm: radiusRealm) (realm: radiusRealm) failed (no such user)
   2024-08-27T15:41:36.723012+02:00 fac03 tac_plus[1945]: 172.20.20.1 mschap login for 'local.user' (realm: radiusRealm) (realm: radiusRealm) failed (no such user)
   2024-08-27T15:41:36.724095+02:00 fac03 tac_plus[1945]: 1f/ad74bdfc: 172.20.20.1 authen: hdr->seq_no: 1
   2024-08-27T15:41:36.724489+02:00 fac03 tac_plus[1945]: 1f/ad74bdfc: 172.20.20.1 chap login for 'local.user' (realm: radiusRealm) (realm: radiusRealm) failed (no such user)
   2024-08-27T15:41:36.724507+02:00 fac03 tac_plus[1945]: 172.20.20.1 chap login for 'local.user' (realm: radiusRealm) (realm: radiusRealm) failed (no such user)

   8-27T15:41:36.717023+02:00 fac03 radiusd[8579]: (62) facauth: user: local.user not found, update user and ip lockout with ip: (null)

   ------

    

    

4. TACACS+ service is not assigned either to the user itself or to the user group. In the debug snippet below, both have not got it. It means, that even user is being authenticated, service will not be provided to a TACACS+ client:
   
   

   2024-08-28T17:36:02.639533+02:00 fac03 radiusd[8579]: (68) facauth: Auth code: 20001
   2024-08-28T17:36:02.639544+02:00 fac03 radiusd[8579]: (68) facauth: Authentication OK
   2024-08-28T17:36:02.639554+02:00 fac03 radiusd[8579]: (68) facauth: Setting 'Post-Auth-Type := FACAUTH'
   2024-08-28T17:36:02.639617+02:00 fac03 radiusd[8579]: (68) facauth: INFO: User local.user is of type 1, user_id 2, user_pf_id 2
   2024-08-28T17:36:02.639999+02:00 fac03 radiusd[8579]: (68) facauth: TACACS+ user 'local.user' has no configured authorization rule at User level.
   2024-08-28T17:36:02.640369+02:00 fac03 radiusd[8579]: (68) facauth: TACACS+ user 'local.user' has no configured authorization rule at Group level.
   2024-08-28T17:36:02.640447+02:00 fac03 radiusd[8579]: (68) facauth: Name: local.user, fqdn: , SAM:
   2024-08-28T17:36:02.640646+02:00 fac03 radiusd[8579]: (68) facauth: Updated auth log 'local.user': Local user authentication with no token successful
   2024-08-28T17:36:02.640677+02:00 fac03 radiusd[8579]: (68) facauth: facauth: print reply attributes of request id 21:

    

    

5. The TACACS+ service name should match the service argument name of the authorization request packet. Referring to RFC-8907, 'service attribute value' is mandatory, and it is used to authorize a user account for that specific service on the TACACS+ user.

    

    

In the authorization request below FortiGate was used as a user, and there is an argument 'service=fortigate' in the decrypted authorization packet alongside other attributes.

To show a failed authorization attempt, TACACS+ 'Service name' on FortiAuthenticator was intentionally changed to 'fortigate123456':

FortiAuthenticator TACACS+ debugs. FortiGate sent an AVP service attribute value as 'fortigate', however, FortiAuthenticator does not have such a service name configured. 

Note: FortiGate uses the same value for both GUI Admin access, and CLI console:

2024-08-28T17:57:13.472268+02:00 fac03 tac_plus[31438]: 1/64a4fd5e: 172.20.20.1 cfg_get: checking user/group fgt_spadmin, tag (NULL)
2024-08-28T17:57:13.472287+02:00 fac03 tac_plus[31438]: 1/64a4fd5e: 172.20.20.1 local.user~172.20.20.1@172.20.20.1: not found: svcname=fortigate@FGT protocol=
2024-08-28T17:57:13.472303+02:00 fac03 tac_plus[31438]: 1/64a4fd5e: 172.20.20.1 local.user~172.20.20.1@172.20.20.1: not found: svcname=fortigate protocol=
2024-08-28T17:57:13.472320+02:00 fac03 tac_plus[31438]: 1/64a4fd5e: 172.20.20.1 local.user~172.20.20.1@172.20.20.1: svcname=fortigate protocol= denied

Related Articles:

Technical Tip: Access using TACACS+ authentication... - Fortinet Community

Technical Tip: Configure Fortiauthenticator as TAC... - Fortinet Community
Troubleshooting Tip: Diagnosing TACACS+