FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
dbu
Staff
Article Id 266077
Description

This article describes how to use FortiAuthenticator as a TACACS+ server for Cisco and ClearPass remote user authorization.

FortiAuthenticator can perform central authentication as a TACACS+ server and authorize which commands are and are not allowed on Cisco switches.

Scope

Specific remote users on FortiAuthenticator should be able to authenticate and access the switch by matching the different authorization rules.

The full configuration on the Cisco Switch side is not covered in this article. For more information, consult Cisco support.

Solution

FortiAuthenticator configuration example for a Cisco switch:


  1. Create a TACACS+ service.
    1. Go to TACACS+ Service -> Authorization and select Services on the top right.

      Create a new service with:

      • Name: <any name>.
      • Service: <service name>.
      • Default permission for attributes: Allow.

    2. Select the newly created service and select 'Add Attribute'.

Add the following attribute:

  • Attribute: priv-lvl (Cisco attribute).
  • Value: 15 (privilege level 15 is the level configured on the Cisco switch for administrative access).
  • Restriction: Mandatory.
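As an added example (not from this article, FortiAuthenticator or Cisco), the following Python encodes and decodes the TACACS+ authorization REPLY body defined in RFC 8907, which is how the priv-lvl attribute configured above reaches the switch: a Mandatory attribute is sent as priv-lvl=15 ('=' separator), an optional one would use '*'. The sample replies, the status-code subset and the client_accepts helper are constructed from the RFC and are assumptions, not observed FortiAuthenticator output.

```python
import struct

# RFC 8907 authorization REPLY status codes (subset).
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR"}

def encode_avp(attr: str, value: str, mandatory: bool = True) -> bytes:
    """One attribute-value pair: '=' marks it mandatory, '*' marks it optional."""
    return f"{attr}{'=' if mandatory else '*'}{value}".encode()

def build_author_reply(status: int, args: list, server_msg: bytes = b"") -> bytes:
    """Serialize a REPLY body: status, arg_cnt, server_msg_len, data_len, arg lengths, payloads."""
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("too many or too long arguments")
    header = struct.pack("!BBHH", status, len(args), len(server_msg), 0)  # data field unused
    return header + bytes(len(a) for a in args) + server_msg + b"".join(args)

def parse_author_reply(body: bytes) -> dict:
    """Decode a REPLY body into its status plus mandatory/optional attribute dictionaries."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6
    arg_lens = body[pos:pos + arg_cnt]; pos += arg_cnt
    server_msg = body[pos:pos + msg_len]; pos += msg_len + data_len  # skip server_msg and data
    mandatory, optional = {}, {}
    for n in arg_lens:
        raw = body[pos:pos + n].decode(); pos += n
        # The separator is the first '=' or '*'; values may themselves contain either character.
        seps = [i for i in (raw.find("="), raw.find("*")) if i >= 0]
        if not seps:
            raise ValueError("malformed argument: " + raw)
        i = min(seps)
        (mandatory if raw[i] == "=" else optional)[raw[:i]] = raw[i + 1:]
    if pos != len(body):
        raise ValueError("trailing bytes in REPLY body")
    return {"status": AUTHOR_STATUS.get(status, hex(status)),
            "server_msg": server_msg.decode(errors="replace"),
            "mandatory": mandatory, "optional": optional}

def client_accepts(reply: dict, supported: set) -> bool:
    """Switch-side rule (RFC 8907): a PASS carrying an unsupported mandatory attribute is a failure."""
    if not reply["status"].startswith("PASS"):
        return False
    return all(attr in supported for attr in reply["mandatory"])

# Constructed sample: what the service above yields for an admin user (PASS_ADD, priv-lvl=15 mandatory).
ADMIN_REPLY = build_author_reply(0x01, [encode_avp("priv-lvl", "15")])
# Constructed sample: a denial with a server message, as for a shell command the rule does not allow.
DENIED_REPLY = build_author_reply(0x10, [], b"command not authorized")
```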

  2. Create a new TACACS+ shell command.

    1. Go to TACACS+ Service -> Authorization and select Shell Commands on the top right.
    2. Create a new entry for the shell command.

  3. Create a TACACS+ authorization rule.

    1. Go to TACACS+ Service -> Authorization and select Rules on the top right.

      • Set the default permission for both non-shell and shell commands to Allow.
      • In the non-shell services, allow the 'Cisco_Service_avp(shell)' service created previously.

    2. In the shell services, allow the 'Cisco_Service_avp' service created previously.

    3. In the shell commands, allow the deny command created earlier.

Authorization rule for ClearPass.

  1. Go to TACACS+ Service -> Authorization and select Services on the top right.

     Configure the service 'login' with the attribute shown in the image:

  2. Go to TACACS+ Service -> Authorization and select Services on the top right, and add the service configured for ClearPass to the allowed services with privilege level 15.

  3. Add the authorization rule either to the remote user or to the user group.

    1. Adding the TACACS+ authorization rule to a remote user in the User Management section:

    2. Logs for a successful authorization, taken from the TACACS+ authorization debugs:

Note: If all of the configuration above is done and authentication logs still do not appear in the debug, make sure the 'TACACS+ Auth (TCP/49)' service is enabled on the listening port.

Apart from these configuration steps, additional configuration needs to be implemented on the Cisco switches. These configurations can change based on the Cisco IOS version, so it is important to cross-check them against Cisco's official product support guidance.

Below is a sample configuration applied on a WS-C2960 running IOS 15.0.

  1. Configure an entry for the TACACS+ server:

tacacs server <Name of Server>
address ipv4 <Server-IP>
key <Secret with Server>

  2. Under the aaa configuration, point authentication and authorization to the TACACS+ server, with local as the fallback.

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local