Created on 11-04-2016 05:06 PM
Edited on 03-10-2023 08:06 AM
By Jean-Philippe_P
Description
This article describes FortiGate support for TACACS+ Accounting, available from FortiOS v7.0.2 onward.
Solution
This feature lets a FortiGate send its system log entries to an external TACACS+ accounting server. Up to three external TACACS+ servers can be configured, each with its own filter for log events. The filters select which events are sent as TACACS+ accounting records: login events, configuration changes, and a CLI command audit.
To configure the TACACS+ Accounting settings:
# config log tacacs+accounting setting
    set status enable
    set server "10.0.0.100"
    set server-key ************
end
To configure the filter for the TACACS+ Accounting:
# config log tacacs+accounting filter
    set login-audit enable
    set config-change-audit enable
    set cli-cmd-audit enable
end
Note: Additional TACACS+ Accounting servers and filters can be configured with 'tacacs+accounting2' and 'tacacs+accounting3'.
To troubleshoot the TACACS+ Accounting settings:
# diag debug enable
# diag debug app syslogd -1 -> shows the syslogd debug output, including any errors.
# diag test app syslogd 4 -> shows statistics for TACACS+ logging.
FortiOS prior to v7.0.2 supports TACACS+ Authentication and Authorization, but not Accounting. On those versions, TACACS+ Accounting messages can lead to the following error message (diag debug application fnbamd):
2016-10-28 11:26:01 message_loop: checking timeouts
For FortiOS prior to v7.0.2, it is recommended to disable accounting messages between the FortiGate units and the TACACS+ servers.
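To make concrete what the configuration above sets up (the shared server-key, the accounting records selected by the filter) and what the "accounting messages" in the note on older releases are, the following is an added example, not FortiOS code or a Fortinet tool. It implements the TACACS+ accounting exchange from RFC 8907 in Python: the client side builds an accounting REQUEST for one CLI command, the server side decodes it with the shared key and answers with a REPLY. The user name, port, source address, attribute names and the key are constructed sample values; the attribute names a real FortiGate sends may differ.

```python
"""TACACS+ accounting exchange (RFC 8907) between a client such as a FortiGate and an
accounting server. Added illustration, not FortiOS code. User, port, address,
argument names and key below are constructed sample values."""
import hashlib
import struct

VERSION = 0xC0                      # major version 0xC, minor version 0
TAC_PLUS_ACCT = 0x03                # packet type: accounting
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body sent in clear (debug only)
TAC_PLUS_ACCT_FLAG_STOP = 0x04      # body flag: the recorded action has completed
TAC_PLUS_ACCT_STATUS_SUCCESS = 0x01
TAC_PLUS_ACCT_STATUS_ERROR = 0x02
HEADER_FMT = "!BBBBII"              # version, type, seq_no, flags, session_id, body length
HEADER_LEN = 12


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no.
    It obfuscates the body with the shared server-key; it is not authenticated encryption."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no, flags=0):
    """XOR the body with the pad; applying it twice restores the body."""
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def _packet(body, session_id, key, seq_no, flags=0):
    header = struct.pack(HEADER_FMT, VERSION, TAC_PLUS_ACCT, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no, flags)


def build_acct_request(session_id, key, user, port, rem_addr, args, seq_no=1):
    """Accounting REQUEST (RFC 8907 section 7.1) as the client sends it for one audited action."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    arg_bytes = [a.encode() for a in args]
    body = struct.pack("!9B", TAC_PLUS_ACCT_FLAG_STOP,
                       0x06,   # authen_method: TACACSPLUS
                       15,     # priv_lvl
                       0x01,   # authen_type: ASCII
                       0x01,   # authen_service: LOGIN
                       len(u), len(p), len(r), len(arg_bytes))
    body += bytes(len(a) for a in arg_bytes)
    body += u + p + r + b"".join(arg_bytes)
    return _packet(body, session_id, key, seq_no)


def parse_acct_request(packet, key):
    """Decode a REQUEST as the accounting server does. A key that differs from the client's
    yields an unusable body, the usual symptom of a server-key mismatch."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_ACCT or len(packet) != HEADER_LEN + length:
        raise ValueError("not a complete accounting packet")
    body = obfuscate(packet[HEADER_LEN:], session_id, key, version, seq_no, flags)
    (acct_flags, _method, priv_lvl, _atype, _service,
     user_len, port_len, rem_addr_len, arg_cnt) = struct.unpack("!9B", body[:9])
    arg_lens = list(body[9:9 + arg_cnt])
    pos, chunks = 9 + arg_cnt, []
    for n in [user_len, port_len, rem_addr_len] + arg_lens:
        chunks.append(body[pos:pos + n])
        pos += n
    if pos != len(body):
        raise ValueError("body length mismatch: wrong shared key or malformed packet")
    try:
        args = dict(a.decode("ascii").split("=", 1) for a in chunks[3:])
    except (UnicodeDecodeError, ValueError):
        raise ValueError("undecodable arguments: wrong shared key or malformed packet")
    return {"session_id": session_id, "seq_no": seq_no, "flags": acct_flags, "priv_lvl": priv_lvl,
            "user": chunks[0].decode("ascii", "replace"), "port": chunks[1].decode("ascii", "replace"),
            "rem_addr": chunks[2].decode("ascii", "replace"), "args": args}


def build_acct_reply(request, key, status=TAC_PLUS_ACCT_STATUS_SUCCESS, server_msg=b""):
    """Accounting REPLY (RFC 8907 section 7.2); the server answers with the next sequence number."""
    body = struct.pack("!HHB", len(server_msg), 0, status) + server_msg
    return _packet(body, request["session_id"], key, request["seq_no"] + 1)


def parse_acct_reply(packet, key):
    """Decode a REPLY as the client does; returns (seq_no, status, server_msg)."""
    version, _ptype, seq_no, flags, session_id, _length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = obfuscate(packet[HEADER_LEN:], session_id, key, version, seq_no, flags)
    msg_len, _data_len, status = struct.unpack("!HHB", body[:5])
    return seq_no, status, body[5:5 + msg_len]


def example_exchange(key=b"s3cret-shared-key"):
    """One CLI-command audit record: the client builds a REQUEST, the server decodes and replies."""
    # Constructed sample values; the attribute names a FortiGate really sends may differ.
    request_pkt = build_acct_request(0x1A2B3C4D, key, "admin", "ssh", "192.0.2.10",
                                     ["service=shell", "cmd=config log tacacs+accounting setting"])
    record = parse_acct_request(request_pkt, key)   # what the accounting server would log
    reply_pkt = build_acct_reply(record, key)
    return record, parse_acct_reply(reply_pkt, key)


if __name__ == "__main__":
    rec, (seq, status, msg) = example_exchange()
    print(rec["user"], rec["rem_addr"], rec["args"]["cmd"], "reply seq", seq, "status", status)
```

Two points the code makes visible: the server-key only obfuscates the body with an MD5 keystream, so the link between FortiGate and server should itself be on a trusted management network; and a key mismatch does not produce a clean error on the wire but a body that fails to parse, which is what the syslogd debug output above is for.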
Copyright 2023 Fortinet, Inc. All Rights Reserved.