Description
This article describes how to configure FortiGate for admin access via TACACS+ server.
On FortiGate, it is possible to check certain attributes that one configures on the TACACS+ server and based on those allow access to FortiGate.
Scope
Any supported version of FortiGate with a TACACS+ server.
Solution
FortiGate configuration:
Follow these steps
- Configure TACACS+ server on the FortiGate.
config user tacacs+
edit "tacacs_server"
set server "10.5.25.22"
set key ENC xxxx
set authorization enable
next
end
Make sure authorization is enabled if the intention is to use admin profiles and group matching.
- Configure a user group and add the server as a member. To match a certain group, configure it here as well:
config user group
edit "tacacs_access"
set member "tacacs_server"
config match
edit 1
set server-name "tacacs_server"
set group-name "FGT_access"
next
end
next
end
The group name is set to 'FGT_access'. A TACACS server should return this attribute for successful authentication.
- Create an admin profile with minimum access.
config system accprofile
edit "noaccess"
next
end
- Configure the admin to be used for TACACS.
config system admin
edit "tacacs_admin"
set remote-auth enable
set accprofile "noaccess"
set vdom "root"
set wildcard enable
set remote-group "tacacs_access"
set accprofile-override enable
next
end
- With ‘set remote group’ configured, the string defined under ‘config user group’ needs to match for successful authentication.
- Currently, accprofile is set to noaccess, which allows no access to FortiGate.
- Accessprofile-override is enabled in order to change the profile based on what the TACACS server will be sending to FortiGate.
TACACS+ configuration:
With TACACS+, it is important to configure the service as FortiGate with the following two attributes:
- memberof
- admin_prof
fortinet1: This user will have full access to FortiGate.
group = admin_access
{
default service = permit
service = fortigate {
memberof = FGT_access <----- Group matching string as configured on FortiGate.
admin_prof =super_admin <----- Admin profile to allow access to FortiGate.
}
}
user = fortinet1
{
login = cleartext "fortinet"
chap = cleartext "fortinet"
member = admin_access <----- Assign the user to the group configured.
Troubleshooting and testing user: fortinet1 on FortiGate
Use the authserver command with the following syntax:
diagnose test authserver tacacs+ <tacacs_server_name (as in config user tacacs)> <username> <password>
diagnose test authserver tacacs+ tacacs_server fortinet1 fortinet
authenticate user 'fortinet1' on server 'tacacs_server' succeeded
Admin profile: super_admin
Group membership(s) - FGT_access
TACACS returns the correct values.
When user fortinet1 logs into FortiGate, the user will gain full access to the FortiGate.
diagnose debug application fnbamd -1
diag de en
[1225] fsm_tac_plus_update_result-Continue pending for req 1863599839
[835] tac_plus_result-Author receiving reply
[705] parse_author_reply-Authorization arg0: service=FortiGate
[705] parse_author_reply-Authorization arg1: memberof=FGT_access
[705] parse_author_reply-Authorization arg2: admin_prof=super_admin
[709] parse_author_reply-Authorization result=2
[788] auth_tac_plus_result-Passed group matching
[1059] find_matched_usr_grps-Group 'tacacs_access' passed group matching
[1060] find_matched_usr_grps-Add matched group 'tacacs_access'(3)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1863599839, len=2056
fortinet2: This user will have no access to FortiGate.
group = no_admin_access
{
default service = permit
service = fortigate {
memberof = FGT_access <----- Group matching string as configured on FortiGate.
admin_prof = noaccess <----- Admin profile to limit access to FortiGate.
}
}
user = fortinet2
{
login = cleartext "fortinet"
chap = cleartext "fortinet"
member = no_admin_access <----- Assign the user to the group configured.
}
Troubleshooting and testing user: fortinet2 on FortiGate:
diagnose test authserver tacacs+ tacacs_server fortinet2 fortinet
authenticate user 'fortinet2' on server 'tacacs_server' succeeded
Admin profile: noaccess
Group membership(s) - FGT_access
diagnose debug application fnbamd -1
diag de en
[1225] fsm_tac_plus_update_result-Continue pending for req 1863599846
[835] tac_plus_result-Author receiving reply
[705] parse_author_reply-Authorization arg0: service=FortiGate
[705] parse_author_reply-Authorization arg1: memberof=FGT_access
[705] parse_author_reply-Authorization arg2: admin_prof=noaccess
[709] parse_author_reply-Authorization result=2
[788] auth_tac_plus_result-Passed group matching
[1059] find_matched_usr_grps-Group 'tacacs_access' passed group matching
[1060] find_matched_usr_grps-Add matched group 'tacacs _access'(3)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1863599846, len=2056
When logging into the GUI, the following (expected) message is shown. A logout will be required to fix this.
'This account is using a restricted access profile with limited permissions. Additional permission must be granted by the device administrator.'
Creating a read-only user for all VDOMs on a device
When creating a read-only user for all VDOMs on a FortiGate, the user may get stuck in the root VDOM, as it is the management VDOM (and is therefore also the TACACS+ server connection). Add the following setting to the wildcard user configuration to enable the user to see all VDOMs:
set scope global
Related articles:
Technical Tip: How to configure TACACS+ authentication and authorization in FortiGate.
