sachitdas_FTNT
Article Id 425018
Description This article describes the TACACS attributes that need to be configured on a TACACS server to override the access profile (accprofile) of a remote administrator.
Scope FortiSwitch 7.4.x and above.
Solution

In some deployments, it is required to allow remote administrators to log in to FortiSwitch using a TACACS server, where the TACACS server assigns role-based access (for example, read-only or read-write) based on the administrator’s credentials.

Refer to the following FortiSwitch configuration:

config user tacacs+
    edit "Server-TACACS"
        set authorization enable      <----- Required so the attributes returned by the TACACS server are applied.
        set key <>                    <----- Shared secret, must match the one configured on the TACACS server.
        set server "x.x.x.x"          <----- TACACS server IP address.
    next
end

config user group
    edit "TACACS"
        set member "Server-TACACS"
    next
end

config system admin
    edit "*"
        set remote-auth enable
        set accprofile "Read-Only"     <----- Default profile, used when the TACACS server does not send one.
        set wildcard enable
        set remote-group "TACACS"
        set accprofile-override enable <----- The remote authentication server can override the access profile.
    next
end


Attribute required on the TACACS server to assign the role based on the credentials (returned in the authorization response for the fortigate service):

service = fortigate {
    admin_prof = <profile_name>
}


Note: <profile_name> must be set to the same value as the name of an access profile configured on the FortiSwitch (config system accprofile). For example, with the following FortiSwitch configuration, the values the TACACS server can return are prof_admin, Read-Only, Read-Write and noaccess:


config system accprofile
    edit "prof_admin"
        set admingrp read-write
        set exec-alias-grp read-write
        set loggrp read-write
        set mntgrp read-write
        set netgrp read-write
        set pktmongrp read-write
        set routegrp read-write
        set swcoregrp read-write
        set swmonguardgrp read-write
        set sysgrp read-write
        set utilgrp read-write
    next
    edit "Read-Only"
        set admingrp read
        set exec-alias-grp read
        set loggrp read
        set mntgrp read
        set netgrp read
        set pktmongrp read
        set routegrp read
        set swcoregrp read
        set swmonguardgrp read
        set sysgrp read
        set utilgrp read
    next
    edit "Read-Write"
        set admingrp read-write
        set exec-alias-grp read-write
        set loggrp read-write
        set mntgrp read-write
        set netgrp read-write
        set pktmongrp read-write
        set routegrp read-write
        set swcoregrp read-write
        set swmonguardgrp read-write
        set sysgrp read-write
        set utilgrp read-write
    next
    edit "noaccess"
    next
end
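The note above says the admin_prof value sent by the TACACS server must be the same as a profile name on the FortiSwitch. The following is an added example, not part of this article or of any Fortinet tool: a small Python script that parses a tac_plus-style server configuration (Shrubbery tac_plus syntax is assumed; the group and user names, and the shared secret, are constructed placeholders) together with a trimmed copy of the FortiSwitch accprofile output, and reports every user whose group would return a profile name the switch does not define. The constructed sample includes a near-miss ("prof-admin" instead of "prof_admin") of the kind this check is meant to catch before it is deployed.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample: tac_plus-style server configuration (Shrubbery tac_plus
# syntax is assumed) returning admin_prof under the "fortigate" service for
# three groups. All names and the secret are placeholders.
TACACS_CONFIG = """
key = "<shared-secret-placeholder>"
group = fsw-readonly {
    service = fortigate {
        admin_prof = "Read-Only"
    }
}
group = fsw-readwrite {
    service = fortigate {
        admin_prof = "Read-Write"
    }
}
group = fsw-legacy {
    service = fortigate {
        admin_prof = "prof-admin"
    }
}
user = alice { member = fsw-readwrite }
user = bob { member = fsw-readonly }
user = carol { member = fsw-legacy }
"""

# Constructed sample of the FortiSwitch side, trimmed to the profile names
# (the per-group permission lines are irrelevant to the name check).
FORTISWITCH_ACCPROFILE = """
config system accprofile
    edit "prof_admin"
        set admingrp read-write
    next
    edit "Read-Only"
    next
    edit "Read-Write"
    next
    edit "noaccess"
    next
end
"""


def fortiswitch_profiles(config_text: str) -> Set[str]:
    """Collect the profile names defined under 'config system accprofile'."""
    names: Set[str] = set()
    in_block = False
    for line in config_text.splitlines():
        s = line.strip()
        if s == "config system accprofile":
            in_block = True
        elif s == "end":
            in_block = False
        elif in_block:
            m = re.match(r'edit\s+"([^"]+)"', s)
            if m:
                names.add(m.group(1))
    return names


def parse_tacacs(config_text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (group -> admin_prof, user -> group) from a tac_plus-style config."""
    groups: Dict[str, str] = {}
    users: Dict[str, str] = {}
    current = None  # ("group", name) or ("user", name) for the block being read
    for line in config_text.splitlines():
        s = line.strip()
        start = re.match(r"^(group|user)\s*=\s*(\S+)\s*\{", s)
        if start:
            current = (start.group(1), start.group(2))
        if current is None:
            continue
        if current[0] == "group":
            m = re.search(r'admin_prof\s*=\s*"?([^"\s}]+)"?', s)
            if m:
                groups[current[1]] = m.group(1)
        else:
            m = re.search(r'member\s*=\s*"?([^"\s}]+)"?', s)
            if m:
                users[current[1]] = m.group(1)
    return groups, users


def check_profile_mapping(tacacs_text: str, fsw_text: str) -> Dict[str, Tuple[str, str, bool]]:
    """For each TACACS user, report (group, admin_prof, name exists on the FortiSwitch)."""
    profiles = fortiswitch_profiles(fsw_text)
    groups, users = parse_tacacs(tacacs_text)
    report: Dict[str, Tuple[str, str, bool]] = {}
    for user, group in sorted(users.items()):
        prof = groups.get(group, "")  # "" when the group sends no admin_prof at all
        report[user] = (group, prof, prof in profiles)
    return report


if __name__ == "__main__":
    for user, (group, prof, ok) in check_profile_mapping(TACACS_CONFIG, FORTISWITCH_ACCPROFILE).items():
        status = "ok" if ok else "MISMATCH: no such accprofile on the FortiSwitch"
        print(f"{user:<6} group={group:<14} admin_prof={prof!r:<14} {status}")
```

Run it against the real tac_plus configuration and a copy of `show system accprofile` from the switch after every change to either side; a user whose group sends no admin_prof, or one that sends a name the switch does not know, shows up as a mismatch rather than being discovered at the first failed login.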

Related document:

Administrators