FortiManager
frottier (Staff)
Article Id 196427

Description

 

This article describes how to configure FortiManager so that remote users defined on a TACACS+ server can log in as administrators on the FortiManager.

This saves creating a local account on FortiManager for every administrator: a single wildcard account maps every user the TACACS+ server accepts to an administrator profile.
TACACS+ follows the AAA (authentication, authorization, accounting) model. It uses TCP port 49 and obfuscates the body of every packet with an MD5-derived pad keyed on the shared secret, while the 12-byte header is sent in the clear. RFC 8907 calls this obfuscation rather than encryption, but it does keep user names and passwords out of a packet capture, and it means the shared secret must be identical on both sides.
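As an added worked example (not part of this article and not FortiManager's or any TACACS+ server's code), the Python below models the ASCII login exchange between a client such as FortiManager and a TACACS+ server as RFC 8907 defines it: a 12-byte clear-text header, a body XORed with the MD5 pad derived from the shared secret, and the START (user name), GETPASS, CONTINUE (password), PASS/FAIL sequence. The shared secret, session ID, user name, password, privilege level and the one-entry user database are constructed sample values. Parsing a packet with the wrong secret returns garbage rather than an error, which is why a key mismatch surfaces as a failed login and never as anything visible in a capture.

```python
import hashlib
import struct

# RFC 8907 constants needed for an ASCII login (values from the RFC).
VERSION = 0xC0                     # major version 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = "!BBBBII"                 # version, type, seq_no, flags, session_id, body length

# Constructed sample user database standing in for the TACACS+ server's backend.
SAMPLE_USERS = {b"jdoe": b"Passw0rd!"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain of RFC 8907 section 4.5, truncated to the body length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, body, key):
    """12-byte clear-text header followed by the obfuscated body."""
    header = struct.pack(HEADER, VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)

def parse_packet(packet, key):
    """Read the header and de-obfuscate the body; a wrong key yields garbage, not an error."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}

def authen_start(user, port=b"fmg", rem_addr=b"172.31.17.17"):
    """Client START: carries the user name and a (sample) privilege level 15, no password yet."""
    head = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 15, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    return head + user + port + rem_addr

def parse_start(body):
    _, priv, _, _, ulen, plen, rlen, _ = struct.unpack("!BBBBBBBB", body[:8])
    user = body[8:8 + ulen]
    port = body[8 + ulen:8 + ulen + plen]
    rem_addr = body[8 + ulen + plen:8 + ulen + plen + rlen]
    return {"priv_lvl": priv, "user": user, "port": port, "rem_addr": rem_addr}

def authen_reply(status, server_msg=b""):
    """Server REPLY: status plus an optional prompt such as 'Password: '."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg

def parse_reply(body):
    status, _, mlen, _ = struct.unpack("!BBHH", body[:6])
    return {"status": status, "server_msg": body[6:6 + mlen]}

def authen_continue(user_msg):
    """Client CONTINUE: the password travels as user_msg."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def parse_continue(body):
    return body[5:5 + struct.unpack("!H", body[:2])[0]]

def login_exchange(key, session_id, user, password, users=SAMPLE_USERS):
    """Run the four-packet ASCII login in memory. Returns the packets as they
    would appear on the wire and the status the server finally sent."""
    wire = []
    # seq 1, client -> server: START with the user name
    wire.append(build_packet(TAC_PLUS_AUTHEN, 1, session_id, authen_start(user), key))
    seen_user = parse_start(parse_packet(wire[-1], key)["body"])["user"]
    # seq 2, server -> client: REPLY GETPASS
    wire.append(build_packet(TAC_PLUS_AUTHEN, 2, session_id,
                             authen_reply(TAC_PLUS_AUTHEN_STATUS_GETPASS, b"Password: "), key))
    # seq 3, client -> server: CONTINUE with the password
    wire.append(build_packet(TAC_PLUS_AUTHEN, 3, session_id, authen_continue(password), key))
    seen_pw = parse_continue(parse_packet(wire[-1], key)["body"])
    # seq 4, server -> client: REPLY PASS or FAIL after checking the sample database
    status = TAC_PLUS_AUTHEN_STATUS_PASS if users.get(seen_user) == seen_pw else TAC_PLUS_AUTHEN_STATUS_FAIL
    wire.append(build_packet(TAC_PLUS_AUTHEN, 4, session_id, authen_reply(status), key))
    return wire, parse_reply(parse_packet(wire[-1], key)["body"])["status"]

if __name__ == "__main__":
    packets, status = login_exchange(b"s3cret", 0x1A2B3C4D, b"jdoe", b"Passw0rd!")
    print("final status:", status, "| user name readable on the wire:", b"jdoe" in packets[0])
```

Running the script shows the final status 1 (PASS) and that the user name does not appear in the first packet on the wire. Swap the key on one side and every body decodes to noise, so the server answers FAIL or drops the session; that is the case to suspect when the sniffer shows a clean TCP exchange but the login still fails.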
 
Scope
 
FortiManager.


Solution

 
This setup is done using the CLI in FortiManager following these steps:

 

  1. Define the TACACS+ server:
 
config system admin tacacs
    edit "tacacs-server"
        set authorization enable
        set key <shared secret configured on the TACACS+ server>     <----- FortiManager stores this key encrypted; it must match the server exactly.
        set server "x.x.x.x"                                           <----- IP address of the TACACS+ server.
    next
end
 
  2. Define one wildcard admin user that matches every user defined on the TACACS+ server:
 
config system admin user
    edit "remote-admins"
        set profileid "Super_User"
        set adom "<ADOM>"                          <----- Select an ADOM or use the 'all_adoms' option.
        set policy-package "all_policy_packages"
        set user_type tacacs-plus                  <----- Password verified by the TACACS+ server, not by FortiManager.
        set tacacs-plus-server "tacacs-server"     <----- Name of the TACACS+ server defined in step 1.
        config meta-data
            edit "Contact Email"
            next
            edit "Contact Phone"
            next
        end
        set wildcard enable                        <----- Any user the TACACS+ server accepts logs in with this profile.
    next
end

With wildcard enabled, every account the TACACS+ server authenticates receives the profile and ADOM scope set here (Super_User and the chosen ADOM in this example), so restrict which users the server accepts for this device, or assign a less privileged profile.

Troubleshooting

Enable the authentication debug, attempt a login with a TACACS+ user, and check the output:
 
diag debug appl auth 255
diag debug enable

Turn the debug off again with 'diag debug disable' when done.

Run the packet sniffer in the FortiManager CLI to verify the configuration and troubleshoot:
 
FM # dia sniffer packet port1 'tcp and port 49' 3
interfaces=[port1]
filters=[tcp and port 49]
25.269768 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: syn 2298123345
25.270497 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: syn 3830224974 ack 2298123346
25.270528 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: ack 3830224975
25.270652 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: psh 2298123346 ack 3830224975 <----- Encrypted authentication request - user name sent.
25.271419 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: ack 2298123382
25.352934 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: psh 3830224975 ack 2298123382 <----- Encrypted authentication reply - user accepted.
25.352981 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: ack 3830224993
25.353046 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: fin 3830224993 ack 2298123382
25.353252 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: fin 2298123382 ack 3830224994
25.353390 port1 -- 172.31.17.17.57232 -> 172.31.19.1.49: syn 2309553841
25.354093 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: ack 2298123383
25.354114 port1 -- 172.31.19.1.49 -> 172.31.17.17.57232: syn 3204758055 ack 2309553842
25.354126 port1 -- 172.31.17.17.57232 -> 172.31.19.1.49: ack 3204758056
25.354246 port1 -- 172.31.17.17.57232 -> 172.31.19.1.49: psh 2309553842 ack 3204758056 <----- Encrypted authentication request - password sent.
25.357630 port1 -- 172.31.19.1.49 -> 172.31.17.17.57232: ack 2309553916
25.377588 port1 -- 172.31.19.1.49 -> 172.31.17.17.57232: psh 3204758056 ack 2309553916 <----- Encrypted authentication reply - password accepted.
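The sniffer output only helps if you know what a healthy session and the common failures look like at the TCP level. The script below is an added example, not part of the article: it parses lines in the 'diagnose sniffer packet' format shown above, groups them into TCP sessions towards port 49, and assigns each session a verdict. The first capture is the one above (header lines included, to show they are skipped); the second, with three unanswered SYNs from a constructed source port 57233, is made up to show the unreachable-server case.

```python
import re

TACACS_PORT = 49
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+--\s+"
                     r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<flag>[a-z]+)")

# Verdicts, one per failure mode that can be told apart without seeing the payload.
NO_SYNACK = "no SYN-ACK: server unreachable, port 49 filtered, or wrong server IP"
NO_REPLY = "request sent but no TACACS+ reply: check the shared secret and the server log"
RESET = "connection reset before any data: server refused the session"
EXCHANGED = "request and reply exchanged; body is encrypted, read the result from 'diag debug appl auth'"
NO_DATA = "connection opened but no TACACS+ data seen"

# Capture copied from the FortiManager sniffer output above (two sessions).
GOOD_CAPTURE = """\
interfaces=[port1]
filters=[tcp and port 49]
25.269768 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: syn 2298123345
25.270497 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: syn 3830224974 ack 2298123346
25.270528 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: ack 3830224975
25.270652 port1 -- 172.31.17.17.57231 -> 172.31.19.1.49: psh 2298123346 ack 3830224975
25.352934 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: psh 3830224975 ack 2298123382
25.353046 port1 -- 172.31.19.1.49 -> 172.31.17.17.57231: fin 3830224993 ack 2298123382
25.353390 port1 -- 172.31.17.17.57232 -> 172.31.19.1.49: syn 2309553841
25.354114 port1 -- 172.31.19.1.49 -> 172.31.17.17.57232: syn 3204758055 ack 2309553842
25.354246 port1 -- 172.31.17.17.57232 -> 172.31.19.1.49: psh 2309553842 ack 3204758056
25.377588 port1 -- 172.31.19.1.49 -> 172.31.17.17.57232: psh 3204758056 ack 2309553916
""".splitlines()

# Constructed failure case: FortiManager retransmits its SYN and nothing comes back.
BAD_CAPTURE = """\
10.000000 port1 -- 172.31.17.17.57233 -> 172.31.19.1.49: syn 1000000001
11.000000 port1 -- 172.31.17.17.57233 -> 172.31.19.1.49: syn 1000000001
13.000000 port1 -- 172.31.17.17.57233 -> 172.31.19.1.49: syn 1000000001
""".splitlines()

def endpoint(text):
    """'172.31.17.17.57231' -> ('172.31.17.17', 57231); the sniffer prints the
    TCP port as a fifth dotted field after the IPv4 address."""
    host, port = text.rsplit(".", 1)
    return host, int(port)

def analyse(lines):
    """Group packets into (client, server) sessions and count what each side sent."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # 'interfaces=' / 'filters=' header lines
        src, dst = endpoint(m["src"]), endpoint(m["dst"])
        if dst[1] == TACACS_PORT:
            key, from_client = (src, dst), True
        elif src[1] == TACACS_PORT:
            key, from_client = (dst, src), False
        else:
            continue
        s = sessions.setdefault(key, {"syn": 0, "synack": 0, "c_psh": 0, "s_psh": 0, "rst": 0})
        flag = m["flag"]
        if flag == "syn":
            s["syn" if from_client else "synack"] += 1
        elif flag == "psh":
            s["c_psh" if from_client else "s_psh"] += 1
        elif flag == "rst":
            s["rst"] += 1
    return sessions

def verdict(s):
    if s["synack"] == 0:
        return NO_SYNACK
    if s["c_psh"] and s["s_psh"]:
        return EXCHANGED
    if s["c_psh"]:
        return NO_REPLY
    if s["rst"]:
        return RESET
    return NO_DATA

def report(lines):
    """Map 'client:port->server:port' to a verdict, in capture order."""
    return {f"{c[0]}:{c[1]}->{srv[0]}:{srv[1]}": verdict(s)
            for (c, srv), s in analyse(lines).items()}

if __name__ == "__main__":
    for capture in (GOOD_CAPTURE, BAD_CAPTURE):
        for session, result in report(capture).items():
            print(session, "->", result)
```

On the capture above both sessions come back as exchanged; on the constructed one the single session is reported as unanswered. The verdicts stop at the TCP level on purpose: because the TACACS+ body is obfuscated, a PSH from the server proves only that it replied, and whether the reply was PASS or FAIL has to come from the auth debug.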
 

The capture shows two short TCP sessions (source ports 57231 and 57232), one carrying the user name and one the password, each answered by the server and closed cleanly with FIN. Only the TCP flow is visible: the body of each TACACS+ packet is encrypted with the shared secret, so the capture cannot show whether the key matches, and the PASS/FAIL result has to be read from the auth debug.

TACACS+ packets can also be checked by capturing the traffic and opening it in a graphical analyzer such as Wireshark, which can decode the packet bodies when given the shared secret:

[Screenshot: TACACS+ exchange displayed in a graphical packet analyzer]

 

Related articles:

Technical Note: Configuring Active Directory groups as remote administrators in FortiManager and For...

Technical Note: Using LDAP for Admin Access and Authorization - "wildcard" admin accounts