Created on 11-04-2016 05:06 PM Edited on 11-05-2024 02:36 AM By Jean-Philippe_P
Description
This article describes how to configure TACACS+ Accounting, which is supported starting from FortiOS 7.0.2.
Scope
FortiOS 7.0.2+.
Solution
This feature sends FortiGate system log entries to an external TACACS+ accounting server. Up to three external TACACS+ servers can be configured, each with its own filter selecting which events are sent: login events, configuration change events, and CLI command audit.
To configure the TACACS+ Accounting settings:
config log tacacs+accounting setting
set status enable
set server "10.0.0.100"
set server-key ************
end
Starting with FortiOS 7.2.4, a source IP address or an outgoing interface can also be specified; the following example selects the interface:
config log tacacs+accounting setting
set status enable
set server "10.0.0.100"
set server-key ************
set interface-select-method specify
set interface port1
end
To configure the filter for the TACACS+ Accounting:
config log tacacs+accounting filter
set login-audit enable
set config-change-audit enable
set cli-cmd-audit enable
end
Note: Up to two additional TACACS+ Accounting servers, each with its own filter, can be configured under 'tacacs+accounting2' and 'tacacs+accounting3'.
For an example of 'cli-cmd-audit enable', see: Technical Tip: Enable audit log via CLI.
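To make the settings above concrete, the following added example (written for this article, not FortiOS or Fortinet code) implements the RFC 8907 accounting exchange that takes place between the FortiGate and the server configured under 'config log tacacs+accounting setting'. It shows the role of 'server-key': every packet body is XORed with an MD5-derived pseudo-pad keyed on the session ID, the shared key, the protocol version and the sequence number, so a key mismatch on either side decodes to noise, which the parser reports as inconsistent length fields. The key, session ID, user, port, remote address, argument names and the fixed authentication fields in the REQUEST are constructed assumptions following RFC 8907; the exact attribute set FortiOS sends is not documented on this page.

```python
"""RFC 8907 TACACS+ accounting packet codec (added example, not FortiOS code).

Body obfuscation: XOR with an MD5 pseudo-pad keyed on session_id, the shared
key ('server-key'), version and seq_no (RFC 8907 section 4.5).
Key, user, address and argument values below are constructed.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0             # major 0xC, minor 0
TAC_PLUS_ACCT = 0x03                # header type: accounting
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body sent in the clear
TAC_PLUS_ACCT_FLAG_STOP = 0x04      # REQUEST flag: stop record
TAC_PLUS_ACCT_STATUS_SUCCESS = 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id|key|version|seq_no), MD5_n = MD5(...|MD5_n-1), concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(seq_no, session_id, body, key):
    """Prepend the 12-byte header; obfuscate unless no key is configured."""
    flags = 0
    if key:
        body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    return HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_ACCT, seq_no, flags, session_id, len(body)) + body


def build_acct_request(session_id, key, user, port, rem_addr, args, acct_flags=TAC_PLUS_ACCT_FLAG_STOP):
    """Accounting REQUEST (RFC 8907 section 7.1), seq_no 1.  Fixed fields are assumptions:
    authen_method 6 (TACACSPLUS), priv_lvl 15, authen_type 1 (ASCII), authen_service 1 (LOGIN)."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    args = [a.encode() for a in args]
    if len(args) > 255 or any(len(x) > 255 for x in (user, port, rem_addr, *args)):
        raise ValueError("REQUEST length fields are one byte each")
    body = bytes([acct_flags, 6, 15, 1, 1, len(user), len(port), len(rem_addr), len(args)])
    body += bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)
    return build_packet(1, session_id, body, key)


def build_acct_reply(session_id, key, status, server_msg=""):
    """Accounting REPLY (section 7.2): server_msg_len, data_len, status, server_msg, data."""
    msg = server_msg.encode()
    return build_packet(2, session_id, struct.pack("!HHB", len(msg), 0, status) + msg, key)


def parse_packet(data, key):
    """Return (header dict, plaintext body); raises ValueError on a malformed header."""
    if len(data) < HEADER.size:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    body = data[HEADER.size:]
    if len(body) != length:
        raise ValueError("header length does not match body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags, "session_id": session_id}, body


def parse_acct_request(body):
    """Decode a REQUEST body.  A wrong shared key gives a wrong pad, so the 'plaintext'
    is noise; that almost always surfaces here as length fields that do not add up."""
    if len(body) < 9:
        raise ValueError("accounting body too short")
    acct_flags, _method, priv_lvl, _atype, _svc, ulen, plen, rlen, argc = body[:9]
    arg_lens = list(body[9:9 + argc])
    off = 9 + argc
    if len(arg_lens) != argc or off + ulen + plen + rlen + sum(arg_lens) != len(body):
        raise ValueError("inconsistent lengths: wrong server-key or corrupt packet")
    fields = []
    for n in (ulen, plen, rlen, *arg_lens):
        fields.append(body[off:off + n].decode("utf-8", "replace"))
        off += n
    user, port, rem_addr, *args = fields
    return {"flags": acct_flags, "priv_lvl": priv_lvl, "user": user, "port": port,
            "rem_addr": rem_addr, "args": dict(a.split("=", 1) for a in args if "=" in a)}


# Constructed sample: a CLI command audit record of the kind the 'cli-cmd-audit'
# filter would send; argument names follow RFC 8907 section 8.3, not a FortiOS capture.
KEY = b"s3cret-example"
SESSION_ID = 0x1234ABCD
SAMPLE_ARGS = ["task_id=42", "start_time=1700000000", "service=shell",
               "cmd=config log tacacs+accounting setting"]
REQUEST = build_acct_request(SESSION_ID, KEY, "admin", "ssh", "192.0.2.10", SAMPLE_ARGS)
REPLY = build_acct_reply(SESSION_ID, KEY, TAC_PLUS_ACCT_STATUS_SUCCESS, "logged")
```

Decoding REQUEST with KEY returns the record; decoding it with any other key raises the length-mismatch error, which is the same symptom a server shows when 'server-key' on the FortiGate does not match the key on the TACACS+ server. The pseudo-pad is obfuscation, not encryption (MD5, no integrity), so the TACACS+ session should still be carried over a trusted management network or an encrypted transport.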
To troubleshoot the TACACS+ Accounting settings:
diag debug enable
diag debug app syslogd -1 <- Displays any errors while sending accounting records.
diag test app syslogd 4 <- Shows statistics for TACACS+ logging.
FortiOS releases before 7.0.2 support TACACS+ Authentication and Authorization, but not Accounting. On such releases, accounting messages exchanged with the TACACS+ server can lead to the following error in the fnbamd debug output (diag debug application fnbamd):
2016-10-28 11:26:01 message_loop: checking timeouts
For FortiOS prior to 7.0.2, it is therefore recommended to disable accounting messages between the FortiGate units and the TACACS+ servers.
Related document: