config system admin tacacs
edit "tacacs-server"
set authorization enable
set key <key defined on the TACACS+ server> ----> FortiManager will encrypt this key; it must match the shared key configured on the TACACS+ server
set server "x.x.x.x" ----> IP address of the TACACS+ server
next
end
config system admin user
edit "remote-admins"
set profileid "Super_User"
set adom "<ADOM>" ----> Select an ADOM, or use the "all_adoms" option
set policy-package "all_policy_packages"
set user_type tacacs-plus ----> The password is verified by the TACACS+ server, not by FortiManager
set tacacs-plus-server "tacacs-server" ----> Enter the name of the TACACS+ server entry defined above
config meta-data
edit "Contact Email"
next
edit "Contact Phone"
next
end
set wildcard enable ----> Any user accepted by the TACACS+ server logs in through this account and receives its profile ("Super_User" above), so which users the TACACS+ server accepts must be restricted on the server side
end
end
FM # dia sniffer packet port1 'tcp and port 49' 3
interfaces=[port1]
filters=[tcp and port 49]
25.269768 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: syn 2298123345
25.270497 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: syn 3830224974 ack 2298123346
25.270528 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: ack 3830224975
25.270652 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: psh 2298123346 ack 3830224975
--------> encrypted authentication request - user name sent (the packet body is protected only by the shared key configured above)
25.271419 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: ack 2298123382
25.352934 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: psh 3830224975 ack 2298123382
--------> encrypted authentication reply - user accepted
25.352981 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: ack 3830224993
25.353046 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: fin 3830224993 ack 2298123382
25.353252 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: fin 2298123382 ack 3830224994
25.353390 port1 -- 172.31.17.17.57232 -> 172.31.19.1.49: syn 2309553841
25.354093 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: ack 2298123383
25.354114 port1 -- 172.31.19.1.49 -> 172.31.17.17.57232: syn 3204758055 ack 2309553842
25.354126 port1 -- 172.31.17.17.57232 -> 172.31.19.1.49: ack 3204758056
25.354246 port1 -- 172.31.17.17.57232 -> 172.31.19.1.49: psh 2309553842 ack 3204758056
--------> encrypted authentication request - password sent
25.357630 port1 -- 172.31.19.1.49 -> 172.31.17.17.57232: ack 2309553916
25.377588 port1 -- 172.31.19.1.49 -> 172.31.17.17.57232: psh 3204758056 ack 2309553916
--------> encrypted authentication reply - password accepted