Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mohammad
New Contributor

Help with vdom and tacacs...

Hello,

 

we use Clearpass tacacs with FortiGate 6.4.9 with no problem, now I want to configure a user to see only one vdom in FortiGate  I try to use "set radius-vdom-override enable" but no luck,

 

 

 

config system admin
edit "t1_admin"
set remote-auth enable
set accprofile "noaccess"
set vdom "root" "vdom.01" "vdom.02"
set wildcard enable
set remote-group "TACACS1"
set accprofile-override enable
set radius-vdom-override enable
next
end

 

 

 

my questions:

  1. can I use "set radius-vdom-override tacacs" with Tacacs or not?
  2.  or need to configure another user with set wildcard enable if possible ?

 Thank you

 

1 Solution
pminarik
Staff
Staff

"radius-vdom-override" has "radius" in its name because historically TACACS+-based login has not supported dynamic VDOM assignment.

 

This has however just changed in firmware 7.2.1, where the new feature logged under ID 803326 has implemented this.

 

ref: https://docs.fortinet.com/document/fortigate/7.2.1/fortios-release-notes/743723/new-features-or-enha...

Vendor-Specific Attributes (VSAs) can be used with TACACS authentication and authorization in wildcard system administrator access to FortiGates from browsers and SSH. The new VSAs allows the FortiGate to perform group matching, and overwrite VDOM settings under system admin.

 

The expected attribute name is simply "vdom" .

 

Keep in mind that this will not work in any other version.

[ corrections always welcome ]

View solution in original post

5 REPLIES 5
abelio
SuperUser
SuperUser

Hi Mohammad,

Check whether your radius server is returning a VDOM attribute (if not, nothing will happen)

 

Check also if your radius dictionary file includes these 2 attributes. 
(12356 is Fortinet RADIUS Vendor ID)

 

VENDORATTR 12356 Fortinet-Vdom-Name 3 string
VENDORATTR 12356 Fortinet-Access-Profile 6 string
 
Finally you have to associate the user with its desired vdom in your radius server user file.
 
i.e. using your definitions:             
 

adminroot             Password = "<pass>",
                               User-Service-Type = Login-User,
                               Fortinet-Vdom-Name = root,
                               Fortinet-Access-Profile = read_only,

 

adminvdom01      Password = "<pass>",
                               User-Service-Type = Login-User,
                                Fortinet-Vdom-Name = vdom.01,
                               Fortinet-Access-Profile = read_only,

 

adminvdom02            Password = "<pass>",
                                     User-Service-Type = Login-User,
                                     Fortinet-Vdom-Name = vdom.02,
                                     Fortinet-Access-Profile = read_only,

 

regards




/ Abel

regards / Abel
Mohammad
New Contributor

Hello Abelio,

I use tacacs+, not a radius, do you know the attributes for vdom in TACACS+ Services Dictionaries?

 

I try put vdom like the photo:

 

TACACS_FG.JPG

 

 

but no luck.

 

thank you

Markus_M

Hi Mohammad,

 

based on this:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Access-using-TACACS-authentication-with-ad...

I would guess the values are simply what the FortiGate config has to offer.

vdom = vdom-name, e.g. root. Rest as per article.

 

Best regards,

 

Markus

pminarik
Staff
Staff

"radius-vdom-override" has "radius" in its name because historically TACACS+-based login has not supported dynamic VDOM assignment.

 

This has however just changed in firmware 7.2.1, where the new feature logged under ID 803326 has implemented this.

 

ref: https://docs.fortinet.com/document/fortigate/7.2.1/fortios-release-notes/743723/new-features-or-enha...

Vendor-Specific Attributes (VSAs) can be used with TACACS authentication and authorization in wildcard system administrator access to FortiGates from browsers and SSH. The new VSAs allows the FortiGate to perform group matching, and overwrite VDOM settings under system admin.

 

The expected attribute name is simply "vdom" .

 

Keep in mind that this will not work in any other version.

[ corrections always welcome ]
Mohammad

Hello pminarik,

Thank you too much for your help and the information.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors