FortiAuthenticator
Sx11
Staff
Article Id 226461

Description

This article describes how to use FortiAuthenticator as a TACACS+ server for authorizing remote users on Juniper devices.

FortiAuthenticator can perform central authentication as a TACACS+ server by mapping remote users to the different user templates configured on Juniper switches.

These templates determine the user's authorization.

Scope

Specific remote users on FortiAuthenticator should be able to authenticate and access the switch by matching the different user templates configured on the Juniper switch.

The full configuration on the Juniper switch side is not covered in this article. For more information, consult Juniper support and the following guide:

https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/user-access-...

Solution

Configuration Example

On the Juniper switch, a user template called 'SU' has been configured. This template determines authorization.

FortiAuthenticator, as the TACACS+ server, must be configured to map authenticated users to the appropriate user template on the Juniper switch. In this example, that template is 'SU'.

User template configuration on the Juniper device:

> set system login user SU class super-user

Specific remote users on FortiAuthenticator should be able to authenticate and access the switch by matching the 'SU' user template (super-user privileges).

Important considerations:

  • By default, Junos OS assigns TACACS+-authenticated users to the user template account 'remote' (if that template account is configured on the switch).
  • If the TACACS+-authenticated user does not map to any user template, and the 'remote' template is not configured, authentication fails.
  • The TACACS+ server (FortiAuthenticator) can assign an authenticated user to different user templates to grant different administrative permissions. The user retains the same login name in the CLI but inherits the login class, access privileges, and effective user ID from the assigned user template.
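As an added illustration (not FortiAuthenticator's or Junos' own code), the following Python models how the switch resolves the three cases above from the attributes in the TACACS+ authorization reply. The AV-pair syntax ('=' for mandatory, '*' for optional) and the fallback of an unknown local-user-name to the 'remote' template are assumptions of this model.

```python
# Added illustration (not FortiAuthenticator or Junos code) of how a Junos device
# picks the login template from a TACACS+ authorization reply, following the
# three considerations above. Assumptions: reply attributes use the RFC 8907
# AV-pair syntax ('=' mandatory, '*' optional); an unknown template named by
# local-user-name falls back to 'remote' when that template is configured.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class TemplateDecision:
    login_name: str           # name typed at the CLI; kept as-is by Junos
    template: Optional[str]   # user template applied, None = login denied
    reason: str


def parse_avpairs(avpairs: List[str]) -> Dict[str, Tuple[str, bool]]:
    """Return {attribute: (value, mandatory)} from TACACS+ AV pairs."""
    parsed: Dict[str, Tuple[str, bool]] = {}
    for pair in avpairs:
        # The first '=' or '*' separates attribute from value and encodes
        # whether the server marked the attribute mandatory ('=') or optional.
        idx = next((i for i, ch in enumerate(pair) if ch in "=*"), None)
        if idx is None or idx == 0:
            raise ValueError(f"malformed AV pair: {pair!r}")
        parsed[pair[:idx]] = (pair[idx + 1:], pair[idx] == "=")
    return parsed


def resolve_template(login_name: str, reply_avpairs: List[str],
                     configured_templates: Set[str]) -> TemplateDecision:
    """Decide which Junos user template a TACACS+-authenticated user gets."""
    attrs = parse_avpairs(reply_avpairs)
    # FortiAuthenticator returns these attributes for the junos-exec service;
    # a reply for another service carries nothing the switch can map.
    service = attrs.get("service", ("junos-exec", True))[0]
    if service != "junos-exec":
        return TemplateDecision(login_name, None, f"unexpected service {service!r}")
    wanted = attrs.get("local-user-name", (None, False))[0]
    if wanted is not None and wanted in configured_templates:
        # e.g. local-user-name=SU maps the user onto the 'SU' (super-user) template
        return TemplateDecision(login_name, wanted, "mapped by local-user-name")
    if "remote" in configured_templates:
        return TemplateDecision(login_name, "remote", "default 'remote' template")
    return TemplateDecision(login_name, None,
                            "no matching template and 'remote' not configured")
```

Running it with a reply of `local-user-name=SU` against a switch that only has 'SU' configured shows the login name staying as typed while the template becomes 'SU'; with no 'remote' template and no match, the decision is a denial.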

 

FortiAuthenticator Configuration:

1) Create a TACACS+ Service

a) Go to TACACS+ Service -> Authorization and select Services at the top right.

Create a new service with:

  • Name: <any name> (this example uses 'JuniperSwitch')
  • Service: junos-exec
  • Default permission for attributes: Allow

b) Select the newly created service and select 'Add Attribute'.

Add the following:

  • Attribute: local-user-name
  • Value: SU   <--- This is the user template configured on the Juniper switch with super-user privileges.
  • Restriction: Mandatory

2) Create a TACACS+ Authorization rule

a) Go to TACACS+ Service -> Authorization and select Rules at the top right.

  • Set the default permission for both non-shell and shell commands to Allow.
  • Under non-shell services, allow the 'JuniperSwitch' service created previously.

3) Add the Authorization rule either to the remote user or to the user group

a) Adding the TACACS+ Authorization rule to a remote user in the User Management section.

b) Adding the TACACS+ Authorization rule to a user group in the User Management section.

Finally, the users also need a TACACS+ policy, as described here:

https://docs.fortinet.com/document/fortiauthenticator/6.2.0/administration-guide/863858/creating-pol...

Other documentation related to TACACS+ and FortiAuthenticator:

https://docs.fortinet.com/document/fortiauthenticator/6.2.0/administration-guide/791531/tacacs-servi...

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiAuthenticator-Tacacs-trouble...