Pedro_FTNT (Staff)
Article Id 280038
Description: This article describes how to configure remote TACACS+ administrators on FortiWeb using FortiAuthenticator as the TACACS+ server.
Scope: FortiWeb, FortiAuthenticator.
Solution

In this case, FortiAuthenticator is used as the TACACS+ server and Windows Server 2016 is used as the LDAP server.
The FortiAuthenticator connection to the LDAP Windows Server 2016 was already completed.
A new Active Directory user was created, named 'webuser'.


[Screenshot: example Remote LDAP Server configuration in FortiAuthenticator]

FortiAuthenticator configuration (after the Remote LDAP Server has been configured in FortiAuthenticator):

  1. Register FortiWeb as a TACACS+ client on FortiAuthenticator.
  • Go to Authentication -> TACACS+ Service -> Clients and select 'Create New'.
  • Fill in the FortiWeb details: Name, IP address and Secret (this shared secret must match the one entered later on FortiWeb).
  • Select 'Save'.
  2. Import the remote LDAP user.
  • Go to User Management -> Remote Users and select 'Import'.
  • Select the Remote LDAP Server configured in FortiAuthenticator.
  • Action: Import users, then select 'Import'.
  • Select the users to import into FortiAuthenticator (and therefore make available to FortiWeb). In this example, the user to test is 'webuser'.
  3. Create a User Group.
  • Go to User Management -> User Group and select 'Create New'.
  • Set the Group Name.
  • Select Type: Remote LDAP.
  • Select Option: Set a list of imported remote LDAP users.
  • Select the Remote LDAP Server.
  • Select 'webuser' from the user list.
  • Save.
  4. Create a Realm.
  • Go to Authentication -> User Management -> Realms.
  • Select 'Create New'.
  • Set the Realm Name.
  • Set User Source: select the Remote LDAP server created.
  • Save.
  5. Create a TACACS+ Policy.
  • Go to Authentication -> TACACS+ Service -> Policies and select 'Create New'.
TACACS+ client:

  • Set the Policy name.
  • Select the FortiWeb client configured, move it to the right, and select 'Next'.
Identity sources:

  • Select the Realm created for the Active Directory LDAP server.
  • Select Filter.
  • Enable the filter, select the FortiWeb user group created, and select 'Next'.
Authentication factors:

  • Keep default values and select 'Next'.
TACACS+ response:

  • Keep default values and select 'Update and exit'.
FortiWeb configuration:

  1. Configure the Remote TACACS+ Server.
  • Go to User -> Remote Server -> TACACS+ Server and select 'Create New'.
  • Set the Name.
  • Set the TACACS+ IP; in this case the TACACS+ IP is the FortiAuthenticator IP.
  • Set the Secret (the same shared secret entered for the FortiWeb client on FortiAuthenticator).
  • Select Type: Auto.
  • Select 'OK'.
  2. Configure the Admin Group.
  • Go to User -> User Group -> Admin Group and select 'Create New'.
  • Set the Name and select 'OK' to save.
  • In the same window select 'Create New'.
  • Select User Type: TACACS+ User.
  • Name: select the Remote TACACS+ Server configured in Step 1.
  • Select 'OK' to save.
  3. Create the remote TACACS+ administrator.
  • Go to System -> Admin -> Administrators and select 'Create New -> Administrator'.
  • Set Administrator: any name can be used, because the Wildcard option will be enabled so that only the LDAP users in the FortiAuthenticator group can log in.
  • Select Type: Remote User.
  • Select Admin User Group: TACACS_Admin_Group, the TACACS+ group configured in Step 2.
  • Enable 'Wildcard'.
  • Select Access Profile: prof_admin.
  • Select 'OK' to save.
  4. Log in to FortiWeb with the LDAP user through FortiAuthenticator as the TACACS+ server.
  • LDAP user: webuser.
  5. To see the logs in FortiAuthenticator.
  • Open: http://<FAC_IP>/debug/
  • Select: RADIUS -> Authentication.
  • Select: RADIUS -> General.
  • Select: TACACS+ -> Authentication.

The test user's authentication negotiation is visible.
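As an added example (not from the original article and not Fortinet code), the following Python builds the TACACS+ authentication START that a client such as FortiWeb sends for 'webuser' and decodes the server's REPLY, showing how the shared secret drives the RFC 8907 MD5 pseudo-pad: with a mismatched secret the reply decodes to garbage, which is the first thing to check when the debug page shows a failed negotiation. The session id, secret, port and remote address values are constructed.

```python
import hashlib
import struct

# RFC 8907 constants (TACACS+ version 0xC0, authentication packets)
VERSION = 0xC0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR"}
# Constructed sample values; a real client picks a random session id.
SESSION_ID = 0x1234ABCD
SECRET = b"constructed-shared-secret"

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream: MD5(session_id|key|version|seq_no|previous_hash), chained."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(seq_no, session_id, key, body):
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)

def authen_start(user, session_id, key, port=b"https", rem_addr=b"192.0.2.10"):
    """Authentication START: action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN."""
    body = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr
    return build_packet(1, session_id, key, body)

def authen_reply(status, server_msg, seq_no, session_id, key):
    """Authentication REPLY as the server (here FortiAuthenticator) would send it."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    return build_packet(seq_no, session_id, key, body)

def parse_reply(packet, key):
    """Decode a REPLY; with the wrong secret the status byte comes out as garbage."""
    version, _, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, _, msg_len, _ = struct.unpack("!BBHH", body[:6])
    return REPLY_STATUS.get(status, "UNKNOWN"), body[6:6 + msg_len].decode("utf-8", "replace")
```

With the correct secret `parse_reply` returns ('GETPASS', 'Password: ') for the constructed reply, the same prompt step the FortiAuthenticator TACACS+ authentication debug log shows before the password is sent.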
To know more about FortiWeb TACACS+ configuration:

user tacacs-user

To know more about FortiAuthenticator TACACS+ configuration:

TACACS+ Service

FortiAuthenticator debug:

Debug logs