Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Immu
New Contributor III

No login possible via TACACS+-User, when primary WAN-Interface down

Hi community,

I have a problem regarding authentication via TACACS+ on FGT units (FGT40F).
I have two WAN interfaces, but they're not members of an SD-WAN.

If the primary interface goes down, the login via TACACS+ is not possible anymore.
I also configured the same lines on the secondary one.

Here is the entire TACACS configuration:

config user tacacs+
    edit "RAGTAC1"
        set server <ip of primary server>
        set secondary-server <ip of secondary server>
        set key ENC vnm4VKB0FI5aNL1cBxRAngfqZtn75GS2aLWuFn7Va7KhhK0avUJGMG/JHVRyy+AGFKKvJ7xbAuDmM4+V6m4iTv76iUGgMssbNKpcBq+BLcluknE61I5r6emPmIwu6J04hP+qWiglAlc/QlA==
        set secondary-key ENC xBDZhp1GT9MnrQpkBHe342XbjGcb/YLoMHuXP5PmK7ALnDEvUmYcsEGy+4BJmJZdDKRX56sJWXzIbVmYEPwekPgXWlECqGWkPnMnoVyanbFrsoZG1xE0w==
        set authen-type ascii
        set authorization enable
        set interface-select-method specify
        set interface "wan"
    next
    edit "RAGTAC2"
        set server <ip of primary server>
        set secondary-server <ip of secondary server>
        set key ENC fI8pEqi9l7ZEFnu5LuDUJsu1X/12pwa/sfLY2K/8hyYlraBk84po0whOXpFciKMR4YgOu3ePZV13Hcqm4ucxg6igzVps4paD18oPPXY+DxeBTEIjQV5e1v8/W4lJY2KTidd0axrN/J9ZNvQVORv2/9Yk/kxPBu1W98HlL/mukaUqhO77w==
        set secondary-key ENC +47ZgpbYULOSAv//hfJLObdE5E5ISQvyc/X+btcHwcgSI2iobU1CssZo9+zI5ennVLr04PrGeX4+wjxFh/olZlEHrxMgJj1/2I+PcvONK+K5gxRr6CCBoJiEUfkK7ReCUMuCEoJWX1PRZPiyPf4OuO2b79UOGqXgPd+lKjg==
        set authen-type ascii
        set authorization enable
        set interface-select-method specify
        set interface "a"
    next
end

config user group
    edit "TACACS_GROUP"
        set member "RAGTAC1" "RAGTAC2"
    next
end

config system admin
    edit "RAG_TAC"
        set remote-auth enable
        #multiple trusted hosts
        set accprofile "super_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "TACACS_GROUP"
    next
end

But there is still the same problem when the primary goes down.

It seems that the FGT only takes the first configured section "RAGTAC1".
Section two (RAGTAC2) gets ignored, even when the primary interface wan is down and the only one left is the secondary.

My last idea would be to use a CLI script which gets triggered when the interface status changes.
If the primary interface goes down, the line "set interface wan" will be changed to "set interface a" and back again (RAGTAC2 wouldn't be necessary anymore).

But there must be a better solution for this?!
Any ideas?

5 REPLIES
srajeswaran
Staff

FortiGate uses the secondary server only when the connection to the primary server has timed out. Could you please confirm whether the connection/reachability to <ip of primary server> will fail when wan is down?

Or, when wan is down, does the route via "a" become active and the FortiGate try to reach the LDAP via "a"?

Also, did you test that the connection actually works via "a" (by removing the primary server configuration), just to make sure the LDAP server is not expecting the connection from the "wan" IP only.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

Immu
New Contributor III

Hi,

the primary and secondary servers are still reachable when wan is down.

So the connection works over interface a too.

Shilpa1
Staff

Dear Customer,

It seems that the issue might be related to the way TACACS+ is configured on your FortiGate. When you specify the "interface-select-method" as "specify" in the TACACS+ configuration, you must also specify the interfaces on which to apply TACACS+. In your current configuration, you have specified "wan" for "RAGTAC1" and "a" for "RAGTAC2".

When the primary WAN interface goes down, the FortiGate is no longer able to apply TACACS+ authentication as it is still trying to use the "wan" interface, which is down. To resolve this, you can modify the TACACS+ configuration by adding both interfaces to each TACACS+ entry:

config user tacacs+
    edit "RAGTAC1"
        set interface "wan" "a"
    next
    edit "RAGTAC2"
        set interface "wan" "a"
    next
end

This configuration will allow the FortiGate to use both WAN interfaces for TACACS+ authentication, regardless of which interface is up or down.

Immu
New Contributor III

Hi,

I had the same idea. But I can only configure one interface there:

hostname # config user tacacs+

hostname (tacacs+) # edit "RAGTAC1"

hostname (RAGTAC1) # set interface-select-method specify

hostname (RAGTAC1) # set interface wan

hostname (RAGTAC1) # set interface "wan" "a"
command parse error before 'a'
Command fail. Return code -61

hostname (RAGTAC1) # set interface wan a
command parse error before 'a'
Command fail. Return code -61

That's the reason why I have configured "RAGTAC1" AND "RAGTAC2".

Or have you ever configured it that way?

Sorry for the late reply :)

Immu
New Contributor III

Aaahhhhh, actually that was solved a long time ago... I just forgot the post?!

I was dumb and made it more complicated than it was/is.

The setting that lets the FGT choose the source interface automatically is entirely sufficient and works fine.

When the primary path fails, the login via TACACS+ still works.

But I have to say that I made changes in routing (maybe that was a part of the initial problem too).

set source-ip ''
set interface-select-method auto
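As an added example that is not from the thread or from Fortinet: a small Python audit that parses a FortiOS `config user tacacs+` block and flags entries pinned to a single egress interface with `interface-select-method specify`, which is the condition that broke admin login above when that interface went down. The sample config is constructed (placeholder server addresses, modelled on RAGTAC1/RAGTAC2 plus an `auto` entry), and it assumes `auto` is the default when the setting is absent.

```python
import shlex

# Constructed sample in FortiOS CLI syntax, modelled on the thread's entries
# (server addresses are documentation placeholders, not the poster's values).
SAMPLE_CONFIG = """\
config user tacacs+
    edit "RAGTAC1"
        set server 192.0.2.10
        set interface-select-method specify
        set interface "wan"
    next
    edit "RAGTAC2"
        set server 192.0.2.10
        set interface-select-method specify
        set interface "a"
    next
    edit "RAGTAC3"
        set server 192.0.2.10
        set source-ip ''
        set interface-select-method auto
    next
end
"""

def parse_tacacs_entries(text):
    """Return {entry name: {setting: [values]}} for `config user tacacs+`."""
    entries, current, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config user tacacs+":
            in_section = True
        elif not in_section:
            continue
        elif line.startswith("edit "):
            current = shlex.split(line[5:])[0]
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            entries[current][key] = shlex.split(rest)  # handles "wan" and ''
        elif line == "next":
            current = None
        elif line == "end":
            break
    return entries

def pinned_entries(entries):
    """Entries whose egress is fixed with `interface-select-method specify`.
    If that one interface goes down the FortiGate keeps sourcing TACACS+
    from it, so remote admin login fails; `auto` (assumed default) follows
    the routing table instead. Returns [(name, interface), ...]."""
    return [(name, s.get("interface", ["<unset>"])[0])
            for name, s in entries.items()
            if s.get("interface-select-method", ["auto"])[0] == "specify"]
```

Run it against a `show user tacacs+` dump to list which servers would lose reachability with a single WAN failure.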
