FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
frottier
Staff
Staff
Description
This article describes the steps to configure FortiManager to allow remote users defined in a TACACS+ server to log in as administrators on the FortiManager.

This configuration will ease the Administrator work by not creating locally all administrator users allowed to logon on the FortiManager.

TACACS+ uses the AAA architecture.  It uses uses TCP (port49),  and encrypts the full payload of each packet.

Solution
This setup is done using the CLI in FortiManager following this steps:

1) Define the TACACS+ server
config system admin tacacs
    edit "tacacs-server"
        set authorization enable
        set key <key define on the tacacs server     ----> FortiManager will encrypt this key
        set server "x.x.x.x"                         ----> IP address of the TACACS+ server
    next
end

2) Define the access for all Admin users defined on TACACS+ servers (wildcard enable)
config system admin user
            edit "remote-admins"
        set profileid "Super_User"
            set adom "<ADOM>"                        ----> Select an ADOM or use "all_adoms" option
            set policy-package "all_policy_packages"
        set user_type tacacs-plus                    ----> Password verified by the TACACS+ server, not the FortiManager
        set tacacs-plus-server "tacacs-server"       ----> Enter the TACACS+ server name
           config meta-data
                edit "Contact Email"
                next
                edit "Contact Phone"
                next
            end
        set wildcard enable
        end
end

Troubleshooting

Run a packet sniffer in FortiManager CLI in order to perform verification of configuration and troubleshooting.

FM # dia sniffer packet port1 'tcp and port 49' 3

interfaces=[port1]
filters=[tcp and port 49]
25.269768 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: syn 2298123345
25.270497 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: syn 3830224974 ack 2298123346
25.270528 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: ack 3830224975
25.270652 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: psh 2298123346 ack 3830224975
 --------> encrypted request to authentication - user name sent
25.271419 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: ack 2298123382
25.352934 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: psh 3830224975 ack 2298123382
--------> encrypted reply for authentication - user accepted
25.352981 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: ack 3830224993
25.353046 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: fin 3830224993 ack 2298123382
25.353252 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: fin 2298123382 ack 3830224994
25.353390 port1 -- 172.31.17.17.57232 -> 172.31.19.1.49: syn 2309553841
25.354093 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: ack 2298123383
25.354114 port1 -- 172.31.19.1.49 -> 172.31.17.17.57232: syn 3204758055 ack 2309553842
25.354126 port1 -- 172.31.17.17.57232 -> 172.31.19.1.49: ack 3204758056
25.354246 port1 -- 172.31.17.17.57232 -> 172.31.19.1.49: psh 2309553842 ack 3204758056
--------> encrypted request to authentication - password name sent
25.357630 port1 -- 172.31.19.1.49 -> 172.31.17.17.57232: ack 2309553916
25.377588 port1 -- 172.31.19.1.49 -> 172.31.17.17.57232: psh 3204758056 ack 2309553916
 --------> encrypted request to authentication - password accepted

TACACS+ packets can also be checked by sniffing the traffic using graphical tools:

frottier_FD39974_tn_FD39974-1.jpg

Related Articles

Technical Note: Configuring Active Directory groups as remote administrators in FortiManager and For...

Technical Note : Using LDAP for Admin Access and Authorization - "wildcard" admin accounts

Contributors