Fortinet Forum
noc
New Contributor

Tacacs.net ACCprofile bypass

Good day,

 

I'm setting up a Tacacs.net server to authenticate all our FGTs and it's working fine.

But when a different (TacacsUserGroup) tries to log in to a FGT that doesn't have its (TacacsAdmin_profile) configured, it logs in as super_admin instead of being denied access.

 

Tacacs.net config for that group:

 

<Service>
<Set>service=fortigate</Set>
<Set>memberof=FGT_access</Set>
<Set>admin_prof=csu</Set>
</Service>

 

debug fnbamd output:

 

[705] parse_author_reply-Authorization arg0: memberof=FGT_access
[705] parse_author_reply-Authorization arg1: admin_prof=csu // This profile doesn't exist in the FGT.
[709] parse_author_reply-Authorization result=2
[788] auth_tac_plus_result-Passed group matching
[1059] find_matched_usr_grps-Group 'tacacs_access' passed group matching
[1060] find_matched_usr_grps-Add matched group 'tacacs_access'(2)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 637653419, len=2000
[747] destroy_auth_session-delete session 637653419
[1041] tac_plus_destroy-tacacs_server

 

It seems to only match the group on the FGT but doesn't care about admin_prof matching.

"set accprofile-override enable" is set.

Any clue?

 

Regards.

 

Adanoc
1 Solution
Debbie_FTNT
Staff

Hey noc,

in the underlying wildcard admin entry on FortiGate, you should still have an admin profile set, even if the accprofile-override is enabled.
If a TACACS admin trying to log in does NOT have a valid admin profile attribute supplied by TACACS, FortiGate defaults to whatever profile is specified in the wildcard admin entry.

I would suggest setting the default admin entry to a read-only profile or one without any permissions at all.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
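The configuration the answer describes, written out as an added example (not Debbie_FTNT's own configuration and not taken from the original post): a no-permission accprofile as the fallback for the wildcard admin entry, so a TACACS admin whose admin_prof does not name a profile that exists on this FGT (such as "csu" in the post) no longer falls through to super_admin. The profile name "tacacs_noaccess", the admin entry name "tacacs_wildcard", the server name "tacacs_net", its address and key, and the "root" VDOM are assumed for illustration; the group name "tacacs_access" is the one the debug output shows matching. The verification commands at the end are standard FortiOS debug commands.

```text
# Added example (not from the original post): no-permission fallback profile
# for the TACACS wildcard admin. Names marked "assumed" are illustrative.

# 1. A profile that grants nothing. A newly created accprofile has every
#    permission area set to none by default, so nothing else is required.
config system accprofile
    edit "tacacs_noaccess"
        set comments "Fallback for TACACS admins without a usable admin_prof"
    next
end

# 2. TACACS+ server with authorization enabled, otherwise the admin_prof
#    attribute is never consulted. Server name, address and key are assumed.
config user tacacs+
    edit "tacacs_net"
        set server "192.0.2.10"
        set key "<shared-secret>"
        set authorization enable
    next
end

# 3. The user group the fnbamd debug output matched ("tacacs_access").
config user group
    edit "tacacs_access"
        set member "tacacs_net"
    next
end

# 4. The wildcard admin entry.
#    Weak form (what produces the behaviour in the post): the same entry with
#        set accprofile "super_admin"
#    means any TACACS user whose admin_prof does not match an existing profile
#    is logged in as super_admin.
#    Hardened form: point the entry at the no-permission profile instead.
config system admin
    edit "tacacs_wildcard"
        set remote-auth enable
        set accprofile "tacacs_noaccess"
        set vdom "root"
        set wildcard enable
        set remote-group "tacacs_access"
        set accprofile-override enable
    next
end

# 5. Verify: repeat the login with fnbamd debugging on and confirm the
#    session is created with the fallback profile, not super_admin.
# diagnose debug application fnbamd -1
# diagnose debug enable
# ... log in with an account whose admin_prof is not defined on this FGT ...
# diagnose debug disable
```

With this in place a valid admin_prof (for example one that names a profile defined under config system accprofile on this FGT) is still applied by accprofile-override; only the fall-through case changes from full access to no access. Apply the same fallback on every FGT that shares the Tacacs.net server, since the profile names are per device.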

