EvanRaci
New Contributor III

How to configure TACACS+ authentication for managed FortiGate Firewalls from FortiManager

Hi,

I would like to know how I can configure TACACS+ settings for managed FortiGate firewalls from FortiManager.

Right now I've tried enabling the TACACS+ config directly on the FortiGate firewalls, but after one or two days the TACACS+ config disappears automatically. It looks like FortiManager overrides the settings when we apply the policy to the FortiGate firewalls.

Please suggest any possible solution on this?

FortiManager version 7.2.3

FortiGate version 7.2.4

Thank you so much

Toshi_Esumi
SuperUser

That's probably because you haven't used the TACACS server in a group and then used the group in the admin config or policies yet. Or have you?
We use RADIUS for all our customers' FGTs that are on FMG, but we never configured it from FMG.
<edit>Or you might need to retrieve the entire config once you've configured TACACS at the FGT, so that the device DB has the TACACS config the next time it pushes the config. You might need to re-sync others like the policy package, etc. after retrieving it, though.</edit>

If I were to configure TACACS from FMG, I would configure it in a CLI template and put it in a CLI template group with other CLI templates you might need (in the future), then assign it to the device. Then you can install it as part of the device config.

Toshi

Toshi_Esumi
SuperUser

Our RADIUS config situation probably wouldn't apply to your case, because we preconfigure almost all of them, including RADIUS, at the FGT before shipping to the customer location. Then, only after the installation is done with the customer's internet circuits, do we put it on our FMG to sync with the common policy package, etc. At that time, the FMG automatically retrieves the entire config from the FGT, including the RADIUS config.

Toshi

vraev
Staff

Hi @EvanRaci,

In some cases you should be able to Retrieve and Import from the FGT, but this also has many ways to go wrong, so it depends on how everything is set up.

In other cases, just set up a CLI script as Toshi suggests.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Access-using-TACACS-authentication-with-ad...

Best,

V.R.
Toshi_Esumi
SuperUser

By the way, the scripts on FMG that @vraev is talking about are always CLI, while there are different types of templates, including CLI templates.

The difference is that a script is just a script you can run against either 1) the remote device directly, 2) the device DB in FMG, or 3) the policy package or ADOM DB. Once you run it, there isn't any trace other than the log. So you have to know/remember which devices you applied it to if you have multiple devices.

On the other hand, CLI templates/template groups need to be "assigned" to one or multiple devices before you can "push" the config by "installing" the device config. Then the FMG shows which devices have it applied and are in sync in the device table view, so you can always be clear about which devices have the config.
For this reason, we use CLI templates through all our devices in all ADOMs instead of scripts unless a quick and temporary change is needed.

Toshi

EvanRaci
New Contributor III

Hi all,

Today I tested in my lab and observed the same issue. I created a TACACS+ user, then added it into a User Group, and retrieved from FortiManager. After that I applied the policy from FortiManager and all the TACACS+ related config disappeared.

To fix this I needed to create one Administrator account with type "Match all users in remote-server group". Only then did the config become persistent.

 

Thank you

Toshi_Esumi

As I said originally, if the user group including the TACACS server(s) is not used by either an admin user or policies, the FMG might remove the unused TACACS config when you push the device config or policy package.
You have to use it first.

Toshi
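As an added example, not posted by anyone in this thread, here is what the configuration Toshi and EvanRaci arrive at looks like as a FortiOS CLI fragment that you would put into a FortiManager CLI template, assign to the device, and push with a device config install. The server address, shared key, object names and access profile are assumed values for illustration only. The last stanza is the piece EvanRaci found was missing: a `system admin` entry with `wildcard` enabled (the CLI form of the GUI's "Match all users in remote-server group") references the group, and the group references the server, so neither is left as an unreferenced object for FMG to drop on the next install.

```fortios
# Example TACACS+ server object. 192.0.2.10 and the key are
# placeholder values; replace them with your own.
config user tacacs+
    edit "TACACS-SRV"
        set server "192.0.2.10"
        set port 49
        set key "ChangeMe-SharedSecret"
        set authen-type auto
        set authorization enable
    next
end

# Remote user group whose member is the TACACS+ server above.
config user group
    edit "TACACS-ADMINS"
        set member "TACACS-SRV"
    next
end

# Wildcard administrator bound to the remote group.
# This reference is what keeps the server and group "in use",
# so they survive a device config install from FortiManager.
# super_admin is used only to keep the example short; assign a
# restricted accprofile in production.
config system admin
    edit "tacacs-admins"
        set remote-auth enable
        set remote-group "TACACS-ADMINS"
        set wildcard enable
        set accprofile "super_admin"
        set vdom "root"
    next
end
```

After the install, confirm the device shows as in sync in the FMG device table and that `show user tacacs+` on the FortiGate still returns the object; `diagnose test authserver tacacs+ TACACS-SRV <user> <password>` checks the server and key end to end. Note that the shared key now lives in the template on FortiManager, so restrict who can read or edit that template. If all three stanzas are in one CLI template (or one template group), the admin reference is always pushed together with the server and group, which avoids the pruning described above on any device the template is assigned to.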

EvanRaci
New Contributor III

Thank you very much Toshi
