FortiGate
sagha
Staff
Article Id 196361

Description

 

This article describes how to configure FortiGate for administrator access through a TACACS+ server.
FortiGate can evaluate attributes returned by the TACACS+ server in its authorization reply and, based on those attributes, grant or deny access to FortiGate and select the administrator's access profile.

 

Scope

 

FortiGate with a TACACS+ server.

Solution

 

FortiGate configuration:

Follow these steps:

  1. Configure the TACACS+ server on the FortiGate.

 

config user tacacs+
    edit "tacacs_server"
        set server "10.5.25.22"
        set key ENC xxxx
        set authorization enable
    next
end

 

Make sure 'set authorization enable' is present if the intention is to use admin profiles and group matching: without it, FortiGate performs authentication only and never requests the authorization reply that carries the group name and the admin profile.

 

  2. Configure a user group and add the server as a member. To match a specific group string returned by the server, configure it here as well:

 

config user group
    edit "tacacs_access"
        set member "tacacs_server"
        config match
            edit 1
                set server-name "tacacs_server"
                set group-name "FGT_access"
            next
        end
    next
end

 

The group name is set to 'FGT_access'. The TACACS+ server must return exactly this string in its authorization reply (in the 'memberof' attribute shown in the TACACS+ configuration further down) for group matching, and therefore the login, to succeed.

 

  3. Create an admin profile with minimum access.

 

config system accprofile
    edit "noaccess"
    next
end

 

  4. Configure the administrator account to be used for TACACS+ logins.

 

config system admin
    edit "tacacs_admin"
        set remote-auth enable
        set accprofile "noaccess"
        set vdom "root"
        set wildcard enable
        set remote-group "tacacs_access"
        set accprofile-override enable
    next
end

 

  • With 'set remote-group' configured, the user group defined under 'config user group' must be matched for the login to succeed.
  • The accprofile is currently set to 'noaccess', which grants no access to FortiGate. It is the safe default: the account gets this profile unless the server overrides it.
  • 'set accprofile-override enable' lets the profile returned by the TACACS+ server (in the 'admin_prof' attribute) replace 'noaccess' at login. The returned name must match an access profile that exists on the FortiGate ('super_admin' is built in).

 

TACACS+ configuration:

On the TACACS+ server, define a service named 'fortigate' that returns the following two attributes in its authorization reply:

  • memberof: the group-matching string configured under 'config user group' on FortiGate.
  • admin_prof: the name of the FortiGate access profile to assign to the session.

fortinet1: This user will have full access to FortiGate.

 

group = admin_access
{
    default service = permit
    service = fortigate {
        memberof = FGT_access        # <----- Group-matching string as configured on FortiGate.
        admin_prof = super_admin     # <----- Admin profile to assign on FortiGate.
    }
}

user = fortinet1
{
    login = cleartext "fortinet"
    chap = cleartext "fortinet"
    member = admin_access            # <----- Assign the user to the group configured above.
}

Troubleshooting and testing user fortinet1 on FortiGate:

Use the 'diagnose test authserver' command with the following syntax:

 

diagnose test authserver tacacs+ <tacacs_server_name (as in config user tacacs)> <username> <password>

 

diagnose test authserver tacacs+ tacacs_server fortinet1 fortinet
authenticate user 'fortinet1' on server 'tacacs_server' succeeded
Admin profile: super_admin
Group membership(s) - FGT_access

 

TACACS+ returns the expected values.
When user fortinet1 logs into FortiGate, the session is assigned the 'super_admin' profile and the user gains full access to the FortiGate.

 

diagnose debug application fnbamd -1
diagnose debug enable


[1225] fsm_tac_plus_update_result-Continue pending for req 1863599839
[835] tac_plus_result-Author receiving reply
[705] parse_author_reply-Authorization arg0: service=FortiGate
[705] parse_author_reply-Authorization arg1: memberof=FGT_access
[705] parse_author_reply-Authorization arg2: admin_prof=super_admin

[709] parse_author_reply-Authorization result=2
[788] auth_tac_plus_result-Passed group matching
[1059] find_matched_usr_grps-Group 'tacacs_access' passed group matching
[1060] find_matched_usr_grps-Add matched group 'tacacs_access'(3)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1863599839, len=2056

 

fortinet2: This user will have no access to FortiGate.

 

group = no_admin_access
{
    default service = permit
    service = fortigate {
        memberof = FGT_access        # <----- Group-matching string as configured on FortiGate.
        admin_prof = noaccess        # <----- Admin profile that limits access to FortiGate.
    }
}

user = fortinet2
{
    login = cleartext "fortinet"
    chap = cleartext "fortinet"
    member = no_admin_access         # <----- Assign the user to the group configured above.
}


Troubleshooting and testing user fortinet2 on FortiGate:

 

diagnose test authserver tacacs+ tacacs_server fortinet2 fortinet
authenticate user 'fortinet2' on server 'tacacs_server' succeeded
Admin profile: noaccess
Group membership(s) - FGT_access

diagnose debug application fnbamd -1
diagnose debug enable

[1225] fsm_tac_plus_update_result-Continue pending for req 1863599846
[835] tac_plus_result-Author receiving reply
[705] parse_author_reply-Authorization arg0: service=FortiGate
[705] parse_author_reply-Authorization arg1: memberof=FGT_access
[705] parse_author_reply-Authorization arg2: admin_prof=noaccess
[709] parse_author_reply-Authorization result=2
[788] auth_tac_plus_result-Passed group matching
[1059] find_matched_usr_grps-Group 'tacacs_access' passed group matching
[1060] find_matched_usr_grps-Add matched group 'tacacs_access'(3)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1863599846, len=2056
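The group matching and profile override described in the configuration steps above, and the 'parse_author_reply' lines in the two fnbamd captures, as an added Python example that is not part of this article or of FortiOS: it parses the authorization attributes out of a constructed fnbamd capture (the lines quoted above) and applies the decision rules this article describes (memberof must equal the configured group-name; admin_prof replaces the local accprofile only when accprofile-override is enabled, and the locally configured profile is what remains otherwise). The TACACS+ status-code mapping from RFC 8907, the refusal of an unknown profile name, and the list of known profiles are assumptions of the model, marked as such in the code.

```python
import re
from dataclasses import dataclass

# TACACS+ authorization status values from RFC 8907, section 6.2.  The article's
# fnbamd output shows "result=2"; this example ASSUMES fnbamd echoes the raw status
# byte, which would make 2 PASS_REPL (the server's attributes replace the request's).
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_PASS_REPL = 0x02
AUTHOR_STATUS_FAIL = 0x10
PASS_STATUSES = {AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL}

# Patterns for the two fnbamd debug lines that carry the authorization reply.
ARG_RE = re.compile(r"parse_author_reply-Authorization arg\d+: ([^=\s]+)=(\S+)")
RESULT_RE = re.compile(r"parse_author_reply-Authorization result=(\d+)")


def parse_author_reply(log_text):
    """Extract (attributes, status) from 'diagnose debug application fnbamd -1' output."""
    attrs, status = {}, None
    for line in log_text.splitlines():
        m = ARG_RE.search(line)
        if m:
            attrs[m.group(1)] = m.group(2)
            continue
        m = RESULT_RE.search(line)
        if m:
            status = int(m.group(1))
    return attrs, status


@dataclass(frozen=True)
class GroupMatch:
    """One 'config match' entry under 'config user group'."""
    user_group: str    # e.g. tacacs_access
    server_name: str   # e.g. tacacs_server
    group_name: str    # e.g. FGT_access


@dataclass(frozen=True)
class AdminEntry:
    """The wildcard admin under 'config system admin'."""
    name: str
    accprofile: str            # locally configured profile, noaccess in the article
    remote_group: str          # must equal GroupMatch.user_group
    accprofile_override: bool  # 'set accprofile-override enable'


def decide_admin_login(attrs, status, match, admin, known_profiles):
    """Return (allowed, effective_profile, reason) for one TACACS+ admin login."""
    if status not in PASS_STATUSES:
        return False, None, f"authorization status {status!r} is not a pass"
    if admin.remote_group != match.user_group:
        return False, None, "admin entry does not reference the matched user group"
    if attrs.get("memberof") != match.group_name:
        return False, None, f"memberof={attrs.get('memberof')!r} != {match.group_name!r}"
    profile = admin.accprofile  # stays in force unless the server overrides it
    if admin.accprofile_override and "admin_prof" in attrs:
        returned = attrs["admin_prof"]
        if returned not in known_profiles:
            # Conservative choice of this model (an assumption, not verified FortiOS
            # behaviour): refuse rather than guess when the server names a profile
            # that does not exist on the FortiGate.
            return False, None, f"server returned unknown profile {returned!r}"
        profile = returned
    return True, profile, "ok"


# Constructed sample input: the fnbamd lines quoted in this article.
LOG_FORTINET1 = """\
[835] tac_plus_result-Author receiving reply
[705] parse_author_reply-Authorization arg0: service=FortiGate
[705] parse_author_reply-Authorization arg1: memberof=FGT_access
[705] parse_author_reply-Authorization arg2: admin_prof=super_admin
[709] parse_author_reply-Authorization result=2
"""
LOG_FORTINET2 = LOG_FORTINET1.replace("admin_prof=super_admin", "admin_prof=noaccess")

MATCH = GroupMatch("tacacs_access", "tacacs_server", "FGT_access")
ADMIN = AdminEntry("tacacs_admin", "noaccess", "tacacs_access", accprofile_override=True)
KNOWN_PROFILES = {"super_admin", "prof_admin", "noaccess"}  # constructed list of local profiles


def evaluate(log_text, admin=ADMIN):
    """Parse one fnbamd capture and decide the login against the article's configuration."""
    attrs, status = parse_author_reply(log_text)
    return decide_admin_login(attrs, status, MATCH, admin, KNOWN_PROFILES)


if __name__ == "__main__":
    for name, log in (("fortinet1", LOG_FORTINET1), ("fortinet2", LOG_FORTINET2)):
        print(name, evaluate(log))
```

Paste a real fnbamd capture into evaluate() to see which of the three checks a failing login trips on: a wrong status, a memberof value that does not equal the configured group-name, or a profile name the FortiGate does not have. Running the fortinet1 capture against an AdminEntry with accprofile_override=False shows why that setting matters: the server still returns super_admin, but the session keeps noaccess.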

 

When this user logs into the GUI, the following message is shown. This is expected: the TACACS+ server deliberately returned the 'noaccess' profile. The session has no usable permissions, so the user has to log out; to grant access, change the 'admin_prof' value (or the group membership) on the TACACS+ server and log in again.
'This account is using a restricted access profile with limited permissions. Additional permission must be granted by the device administrator.'

 

Creating a read-only user for all VDOMs on a device

When creating a read-only user for all VDOMs on a FortiGate, the user may end up confined to the root VDOM, because root is the management VDOM (and therefore also the VDOM through which the TACACS+ server is reached). The VDOM scope of an administrator is a property of the access profile rather than of the admin entry, so add the following setting under 'config system accprofile' to the profile the wildcard admin receives (the locally configured one, or the one the TACACS+ server returns in admin_prof) to let the user see all VDOMs:

set scope global


Authentication Failure error while logging into FortiGate using a TACACS+ admin:

[Image: FortiGate login page showing the 'Authentication Failure' error]

Verification via the CLI with the following command shows that authentication succeeds, yet the firewall login fails with the same credentials:

diagnose test authserver tacacs+ <server name> <user name> <password>

If the GUI or SSH login returns 'Authentication Failure' even though this test succeeds, check the administrator settings on FortiGate for 'Trusted Hosts' (the trusthost1 to trusthost10 entries on the admin account). Trusted hosts restrict the source IP addresses from which that account may log in, and a TACACS+ user logging in through the wildcard admin is subject to the trusted hosts of that wildcard entry. Once the IP address of the end machine receiving the error has been added, the user can log in without any issues.

For more information on admin best practices:

Technical Tip: System administrator best practices

 

Related articles:

Technical Tip: How to configure TACACS+ authentication and authorization in FortiGate.

Technical Tip: Diagnosing TACACS+.