FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
scollins
Staff
Staff
Article Id 275170
Description

This article describes how to configure FortiAuthenticator as a TACACS+ server for FortiAnalyzer/FortiManager user authorization.

FortiAuthenticator can perform central authentication as TACACS+ Server and Authorize the admin profile used on FortiAnalyzer/FortiManager.

Scope Specific users on FortiAuthenticator should be able to authenticate and access the FortiAnalyzer / FortiManager with the appropriate admin profile.
Solution

Generic TACACS+ configuration information can be found for both FortiAnalyzer/FortiManager and FortiAuthenticator products in the Fortinet Document Library.

 

For Example:

 

FortiAnalyzer:

TACACS+ servers

 

FortiManager:

TACACS+ servers

 

FortiAuthenticator:

TACACS+ service

 

Configuring FortiAuthenticator Authorization:

The below is an Authorization Service that when configured can be allowed in an Authorization Rule and will return the appropriate Vendor-Specific Attributes (VSAs) to the FortiAnalyzer/FortiManager during authentication/authorization.

  1. Authorization Service:

 Go to Authentication -> TACACS+ Service -> Authorization, and select Services from the top right menu.

   picture9.png

 

  • service: 'fortigate'.
  • admin_prof: The admin profile on the FortiAnalyzer/FortiManager that users will be given.

Note:

If the 'set ext-auth-adom-override' option has been set to 'enable' under the admin user configuration on the FortiAnalyzer/FortiManager, then the ADOM VSA can also be configured on the FortiAuthenticator if required (example below):

  

picture8.png

 

  1. Authorization Rule:

 Go to Authentication -> TACACS+ Service => Authorization, and select Rules (default) from the top right menu.

fpic3.png

 

 

 Configuring FortiAnalyzer/FortiManager Authentication:

Add TACACS+ server.

config system admin tacacs
    edit "TACACS-SERVER"
        set server <server-ip>
        set key <secret key>
        set authorization enable  <----- Not enabled by default.
    next
end

 

Add TACACS+ wildcard user.

 

config system admin user
    edit "TACACS-USER"
        set profileid "No_Permission_User"
        set adom-access all
        set user_type tacacs-plus
        set tacacs-plus-server "TACACS-SERVER"
        set wildcard enable
        set ext-auth-accprofile-override enable  <----- Not enabled by default.
        set ext-auth-adom-override enable <----- Not enabled by default.
    next
end

 

Troubleshooting Authentication Issues on FortiAnalyzer/FortiManager:

 

diagnose debug application auth 8

diagnose debug enable