Hi
I am trying to implement FortiGate authentication back to a Cisco ACS 5.6 server. I have followed the post below for the FortiGate configuration:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD33320
I configured the TACACS server with one shell profile only, with manual attributes set, to test whether that works, as below:
Fortigate
service fortinet memberof Network Security admin_prof noaccess
I also created identity and authorization policies.
We are able to authenticate to the firewall as a TACACS user; however, we only ever get the default noaccess profile set on the FortiGate. For some reason, TACACS is not overriding the FortiGate access profile. The FortiGate is set to accprofile-override enable.
Could someone help?
Thanks
Thush
Hi Thush,
If I got it correctly, then you are trying to have the access profile overridden by the value found for the particular admin on the TACACS+ server, and you are not getting that profile from TACACS, but the profile set in the wildcard admin on the FortiGate. So authorization is not working, while the user is able to authenticate.
If that's true, then:
1. Setting admin_prof=noaccess in TACACS does not make sense to me. Usually some sort of no-access profile is the default one on the FortiGate, and anything better needs to be inherited from and through TACACS+ authorization.
2. Authorization, i.e. getting the profile from TACACS+, is not working. Pay attention to the FortiGate 'config user tacacs' and the profile in there, and to the parameter 'set authorization enable'! By default authorization is disabled. Also check that your wildcard admin on the FortiGate has 'set accprofile-override enable'.
If you have followed the KB precisely, and have the FortiGate set and the AVP on TACACS+ set as well, then it should work.
If it's still not working, then sniff the TACACS+ traffic (tcp/udp.49). Also check and share the config, or open a ticket with Technical Support.
Best regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
He would be better off using the integral ACS reporting for protocol AAA+TACACS and looking at the authentication and authorization reports to see exactly what the ACS is doing for the given user that logs in. You can also run the diag debug app authd.
The ACS report will show you what profile and policy were matched. If the policy doesn't have the correct profile, you will never override the wildcard admin's accprofile.
One other thing: access profiles are case-sensitive. No_access and no_access are not the same thing. One of my guys did something like that and beat his head against a brick wall trying to figure it out ;)
And the last tip: if the admin_prof set by TACACS does NOT exist on the FortiGate, the fallback is the defined wildcard access profile.
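For reference, here is the FortiGate side of the setup the replies above describe, as an added example (not configuration posted in this thread and not copied from the Fortinet KB). The server address, shared key and object names are assumptions; the returned profile name 'prof_admin' is one of the FortiGate's built-in profiles and is used only to show a value other than the fallback.

```fortios
# Added example (not from the thread). FortiGate TACACS+ admin authorization
# with profile override. Addresses, key and object names are assumptions.

# 1. TACACS+ server object. 'set authorization enable' is what makes the
#    FortiGate send the authorization request and read admin_prof from the
#    reply; it is disabled by default, and without it the wildcard admin's
#    own accprofile is all you will ever get.
config user tacacs+
    edit "ACS-TACACS"
        set server "192.0.2.10"
        set key "sharedsecret"
        set authen-type auto
        set authorization enable
    next
end

# 2. User group wrapping the server, referenced by the wildcard admin.
config user group
    edit "TACACS_Admins"
        set member "ACS-TACACS"
    next
end

# 3. Fallback profile. A freshly created accprofile grants nothing, so this
#    is what a user lands on when authorization fails or returns a name
#    that does not exist on the box (names are case-sensitive).
config system accprofile
    edit "noaccess"
    next
end

# 4. Wildcard remote admin. 'accprofile' is only the fallback; with
#    'accprofile-override enable' the value returned in admin_prof replaces it.
config system admin
    edit "tacacs_admins"
        set remote-auth enable
        set wildcard enable
        set remote-group "TACACS_Admins"
        set accprofile "noaccess"
        set accprofile-override enable
    next
end

# On the ACS side the shell profile selected for the user must return the
# custom attribute  admin_prof=prof_admin  (assumed value) under the
# service the FortiGate requests; returning admin_prof=noaccess, as in the
# original post, is indistinguishable from authorization never happening.

# 5. To watch the authorization exchange from the FortiGate itself:
#    diagnose debug application fnbamd -1
#    diagnose debug enable
#    diagnose sniffer packet any 'tcp port 49' 4
#    (fnbamd is the daemon handling admin RADIUS/LDAP/TACACS+ logins;
#    TACACS+ runs over TCP/49 only.)
```

When testing, log in and run 'get system admin list' or look at the login event log: the profile shown there must match the admin_prof value the ACS report says it returned, character for character, or you are seeing the fallback.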
PCNSE
NSE
StrongSwan