Description
This article describes how to use FortiAuthenticator as a TACACS+ server for DELL EMC switches to perform remote user authorization.
FortiAuthenticator can perform central authentication as a TACACS+ Server and authorize remote users to perform only specific commands configured on DELL EMC Switches through Privilege-levels and Roles.
Scope
FortiAuthenticator, DELL EMC switch
Solution
Specific remote users on FortiAuthenticator can authenticate and run specific commands on the switch by matching the different privilege levels or roles configured in DELL EMC Switch.
The full configuration on DELL EMC Switch side is not covered in this article. For more information, consult DELL support and check the following guides:
Step 1: Configuration on the Dell EMC switch
1) Before performing any further steps, enable aaa authorization on the switch and define the method for authorization:
# aaa authorization config-commands role sysadmin default group tacacs+
This means all configuration commands entered from a non-console session with the sysadmin user role are authorized using the configured TACACS+ servers.
2) Dell EMC supports two vendor-specific options for the TACACS+ implementation:
a) 'shell:priv-lvl=x' (Privilege levels)
b) 'shell:role=myrole' (Roles)
The test performed in this article will use a system-defined role 'sysadmin' as specified in step 1.
User-Defined Roles can also be created and used in authorization methods for different purposes (for example, network operators or auditors).
Step 2: FortiAuthenticator Configuration
1) Create the TACACS+ Service
The service name required for the Dell authentication/authorization service is "ppp".
a) Go to TACACS+ Service -> Authorization and select 'Services' in the top right.
Create a new service with the following configuration details:
- Name: <Provide any name>
- Service: ppp
- Default permission for attributes: Allow
b) Select the newly created service and select 'Add Attribute'
Define role attributes:
- Attribute: shell:roles
- Value: sysadmin (the role configured in the DELL EMC Switch with Super-user privileges)
- Restriction: Mandatory.
Define Privilege Level attributes:
- Attribute: shell:priv-lvl
- Value: 15 (this is the privilege level)
- Restriction: Mandatory.
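To see what the 'Mandatory' restriction on these attributes means on the wire, the following added example (not code from the original article or from Fortinet) encodes and decodes the cleartext body of a TACACS+ authorization REPLY as defined in RFC 8907: a mandatory AV pair uses '=' as separator and an optional one uses '*', and a reply for an undefined service carries status FAIL. The 12-byte packet header, the MD5 body obfuscation and the server_msg text for the failure case are simplifications and constructed values of this example.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# TACACS+ authorization REPLY status values (RFC 8907, section 6.2)
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10


@dataclass
class AVPair:
    attr: str
    value: str
    mandatory: bool  # FortiAuthenticator "Restriction: Mandatory" -> '=' separator

    def encode(self) -> bytes:
        sep = "=" if self.mandatory else "*"
        return f"{self.attr}{sep}{self.value}".encode()


def parse_avpair(raw: bytes) -> AVPair:
    """Split an AV pair on its first '=' or '*', whichever comes first."""
    text = raw.decode()
    idx = min((i for i in (text.find("="), text.find("*")) if i >= 0), default=-1)
    if idx < 0:
        raise ValueError(f"malformed AV pair: {text!r}")
    return AVPair(text[:idx], text[idx + 1:], text[idx] == "=")


def encode_author_reply(status: int, args: list[AVPair], server_msg: bytes = b"") -> bytes:
    """Build the cleartext REPLY body: status, arg_cnt, server_msg len, data len, arg lens."""
    encoded = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(encoded), len(server_msg), 0)
    body += bytes(len(a) for a in encoded)  # one length byte per AV pair
    return body + server_msg + b"".join(encoded)


def decode_author_reply(body: bytes) -> tuple[int, list[AVPair], bytes]:
    """Parse a REPLY body back into status, AV pairs and server_msg (data is skipped)."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt
    server_msg = body[pos:pos + msg_len]
    pos += msg_len + data_len
    args = []
    for n in lens:
        args.append(parse_avpair(body[pos:pos + n]))
        pos += n
    return status, args, server_msg


def fortiauthenticator_reply(service_defined: bool) -> bytes:
    """Reply the server would send for the 'ppp' service configured in this article."""
    if not service_defined:  # the failure case: no matching service (constructed message)
        return encode_author_reply(TAC_PLUS_AUTHOR_STATUS_FAIL, [], b"service not defined")
    return encode_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, [
        AVPair("shell:roles", "sysadmin", True),
        AVPair("shell:priv-lvl", "15", True)])
```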
2) Create a TACACS+ Authorization rule.
Go to TACACS+ Service -> Authorization and select 'Rules' in the top right.
- Select Default permission for both non-shell and shell commands as allow.
- In the non-shell services, allow the service created previously ('DELL_EMC' in this example).
3) Add the authorization Rule either to the Remote User or to the User group
a) Add the TACACS+ Authorization rule to a Remote user in User Management Section:
b) Add the TACACS+ Authorization rule to a User Group in User Management Section:
4) Users will also require a TACACS+ policy specified as below:
5) Debugging:
To investigate TACACS+ debugs related to authorization, see the following links:
https://<FortiAuthenticator_IP>/debug/tac_plus
https://<FortiAuthenticator_IP>/debug/tac_author
Successful authorization will normally show the following debug logs:
Failures are commonly caused by the service not being defined or by the VSA Attribute not being assigned to the user or group in FortiAuthenticator:
Other documentation related to TACACS+ and FortiAuthenticator: