FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
scollins
Staff
Article Id 275170
Description

This article describes how to configure FortiAuthenticator as a TACACS+ server for FortiAnalyzer/FortiManager user authorization.

FortiAuthenticator can act as a central TACACS+ server, authenticating administrators and authorizing the admin profile they receive on FortiAnalyzer/FortiManager.

Scope

Specific users defined on FortiAuthenticator should be able to authenticate to FortiAnalyzer/FortiManager and be granted the appropriate admin profile.
Solution

Generic TACACS+ configuration information for both FortiAnalyzer/FortiManager and FortiAuthenticator can be found in the Fortinet Document Library, for example:

FortiAnalyzer: TACACS+ servers
FortiManager: TACACS+ servers
FortiAuthenticator: TACACS+ service

Configuring FortiAuthenticator Authorization:

The Authorization Service below, once created and allowed in an Authorization Rule, returns the appropriate Vendor-Specific Attributes (VSAs) to the FortiAnalyzer/FortiManager during authentication/authorization.

  1. Authorization Service:

 Go to Authentication -> TACACS+ Service -> Authorization, and select Services from the top right menu.

  • service: 'fortigate'.
  • admin_prof: The admin profile on the FortiAnalyzer/FortiManager that users will be given.

Note:

If 'set ext-auth-adom-override enable' has been set under the admin user configuration on the FortiAnalyzer/FortiManager, the ADOM VSA can also be configured on FortiAuthenticator if required.

  2. Authorization Rule:

 Go to Authentication -> TACACS+ Service -> Authorization, and select Rules (default) from the top right menu.

Configuring FortiAnalyzer/FortiManager Authentication:

Add TACACS+ server.

config system admin tacacs
    edit "TACACS-SERVER"
        set server <server-ip>
        set key <secret key>
        set authorization enable  <----- Not enabled by default.
    next
end

 

Add TACACS+ wildcard user.

config system admin user
    edit "TACACS-USER"
        set profileid "No_Permission_User"
        set adom-access all
        set user_type tacacs-plus
        set tacacs-plus-server "TACACS-SERVER"
        set wildcard enable
        set ext-auth-accprofile-override enable  <----- Not enabled by default.
        set ext-auth-adom-override enable <----- Not enabled by default.
    next
end
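As an added example that is not part of the article or of any Fortinet tool, the following Python script parses CLI blocks in the form shown above and reports when one of the three non-default settings the article calls out (authorization on the server, the two ext-auth overrides on the wildcard user) is missing; the sample configuration and the parser are my own construction.

```python
# Constructed sample (not from the article): the article's CLI with the three non-default settings omitted.
SAMPLE_CONFIG = """config system admin tacacs
    edit "TACACS-SERVER"
    next
end
config system admin user
    edit "TACACS-USER"
        set profileid "No_Permission_User"
        set adom-access all
        set user_type tacacs-plus
        set wildcard enable
    next
end
"""

def parse_fortinet_config(text):
    """Parse flat 'config / edit / set / next / end' blocks into {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[7:]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables

def audit_tacacs_authorization(text):
    """Report settings under which the VSAs returned by FortiAuthenticator would not take effect."""
    cfg, findings = parse_fortinet_config(text), []
    for name, s in cfg.get("system admin tacacs", {}).items():
        if s.get("authorization") != "enable":
            findings.append(f"server {name}: authorization disabled, no VSAs requested")
    for name, u in cfg.get("system admin user", {}).items():
        if u.get("user_type") != "tacacs-plus":
            continue  # local and other remote users are out of scope
        if u.get("ext-auth-accprofile-override") != "enable":
            findings.append(f"user {name}: admin_prof VSA ignored, profile stays {u.get('profileid')}")
        if u.get("ext-auth-adom-override") != "enable":
            findings.append(f"user {name}: ADOM VSA ignored, adom-access stays {u.get('adom-access')}")
    return findings
```

Run it against `show system admin tacacs` and `show system admin user` output; an empty result means the wildcard user will actually receive the profile FortiAuthenticator returns rather than staying on No_Permission_User.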

 

Troubleshooting Authentication Issues on FortiAnalyzer/FortiManager:

diagnose debug application auth 8
diagnose debug enable