Hi community,
I have a problem regarding authentication via TACACS+ on FGT units (FGT40F).
I have two WAN interfaces, but they're not members of an SD-WAN.
If the primary interface goes down, the login via TACACS+ is not possible anymore.
I also configured the same lines on the secondary one.
Here is the entire TACACS configuration:
config user tacacs+
    edit "RAGTAC1"
        set server <ip of primary server>
        set secondary-server <ip of secondary server>
        set key ENC vnm4VKB0FI5aNL1cBxRAngfqZtn75GS2aLWuFn7Va7KhhK0avUJGMG/JHVRyy+AGFKKvJ7xbAuDmM4+V6m4iTv76iUGgMssbNKpcBq+BLcluknE61I5r6emPmIwu6J04hP+qWiglAlc/QlA==
        set secondary-key ENC xBDZhp1GT9MnrQpkBHe342XbjGcb/YLoMHuXP5PmK7ALnDEvUmYcsEGy+4BJmJZdDKRX56sJWXzIbVmYEPwekPgXWlECqGWkPnMnoVyanbFrsoZG1xE0w==
        set authen-type ascii
        set authorization enable
        set interface-select-method specify
        set interface "wan"
    next
    edit "RAGTAC2"
        set server <ip of primary server>
        set secondary-server <ip of secondary server>
        set key ENC fI8pEqi9l7ZEFnu5LuDUJsu1X/12pwa/sfLY2K/8hyYlraBk84po0whOXpFciKMR4YgOu3ePZV13Hcqm4ucxg6igzVps4paD18oPPXY+DxeBTEIjQV5e1v8/W4lJY2KTidd0axrN/J9ZNvQVORv2/9Yk/kxPBu1W98HlL/mukaUqhO77w==
        set secondary-key ENC +47ZgpbYULOSAv//hfJLObdE5E5ISQvyc/X+btcHwcgSI2iobU1CssZo9+zI5ennVLr04PrGeX4+wjxFh/olZlEHrxMgJj1/2I+PcvONK+K5gxRr6CCBoJiEUfkK7ReCUMuCEoJWX1PRZPiyPf4OuO2b79UOGqXgPd+lKjg==
        set authen-type ascii
        set authorization enable
        set interface-select-method specify
        set interface "a"
    next
end
config user group
    edit "TACACS_GROUP"
        set member "RAGTAC1" "RAGTAC2"
    next
end
config system admin
    edit "RAG_TAC"
        set remote-auth enable
        #multiple trusted hosts
        set accprofile "super_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "TACACS_GROUP"
    next
end
But there is still the same problem when the primary goes down.
It seems that the FGT only uses the first configured section, "RAGTAC1".
Section two (RAGTAC2) gets ignored, even when the primary interface wan is down and the only one left is the secondary.
My last idea would be to use a CLI script that gets triggered when the interface status changes.
If the primary interface goes down, the line "set interface wan" would be changed to "set interface a" and back again (RAGTAC2 wouldn't be necessary anymore).
But there must be a better solution for this?!
Any ideas?
The FortiGate uses the secondary server only when the connection to the primary server has timed out. Could you please confirm whether the connection/reachability to <ip of primary server> fails when wan is down?
Or, when wan is down, does the route via "a" become active and the FortiGate tries to reach the LDAP via "a"?
Also, did you test that the connection actually works via "a" (by removing the primary server configuration), just to make sure the LDAP server is not expecting the connection from the "wan" IP only?
Hi,
the primary and secondary servers are still reachable when wan is down.
So the connection works over interface a too.
Dear Customer,
It seems that the issue might be related to the way TACACS+ is configured on your FortiGate. When you set "interface-select-method" to "specify" in the TACACS+ configuration, you must also specify the interfaces on which to apply TACACS+. In your current configuration, you have specified "wan" for "RAGTAC1" and "a" for "RAGTAC2".
When the primary WAN interface goes down, the FortiGate is no longer able to apply TACACS+ authentication, as it is still trying to use the "wan" interface, which is down. To resolve this, you can modify the TACACS+ configuration by adding both interfaces to each TACACS+ entry:
config user tacacs+
    edit "RAGTAC1"
        set interface "wan" "a"
    next
    edit "RAGTAC2"
        set interface "wan" "a"
    next
end
This configuration will allow the FortiGate to use both WAN interfaces for TACACS+ authentication, regardless of which interface is up or down.
Created on 05-10-2023 07:53 AM Edited on 05-10-2023 07:53 AM
Hi,
I had the same idea. But I can only configure one interface there:
hostname # config user tacacs+
hostname (tacacs+) # edit "RAGTAC1"
hostname (RAGTAC1) # set interface-select-method specify
<Enter>
hostname (RAGTAC1) # set interface-select-method specify
hostname (RAGTAC1) # set interface wan
<Enter>
hostname (RAGTAC1) # set interface "wan" "a"
command parse error before 'a'
hostname (RAGTAC1) # set interface "wan" "a"
command parse error before 'a'
Command fail. Return code -61
hostname (RAGTAC1) # set interface wan a
command parse error before 'a'
hostname (RAGTAC1) # set interface wan a
command parse error before 'a'
Command fail. Return code -61
That's the reason why I have configured "RAGTAC1" AND "RAGTAC2".
Or have you ever configured it that way?
Sorry for the late reply :)
Aaahhhhh, actually that was solved a long time ago... I just forgot the post?!
I was dumb and made it more complicated than it was/is.
The setting that lets the FGT choose the source interface automatically is entirely sufficient and works fine.
When the primary path fails, the login via TACACS+ still works.
But I have to say that I made changes in routing (maybe that was a part of the initial problem too).
    set source-ip ''
    set interface-select-method auto
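As an added example that is not part of the thread and not a Fortinet tool, the following Python audit parses a FortiOS configuration dump and reports every TACACS+ server entry that is pinned to a single source interface with "interface-select-method specify", the setting that caused the failover problem above; the sample configuration, its RFC 5737 addresses and the omitted keys are constructed for the example.

```python
"""Audit FortiOS 'config user tacacs+' entries for a pinned source interface.
Added example, not from the thread or Fortinet: 'set interface-select-method specify'
ties an entry to one interface, so login fails with it. Sample config is constructed."""

SAMPLE_CONFIG = """\
config user tacacs+
    edit "RAGTAC1"
        set server 192.0.2.10
        set secondary-server 192.0.2.11
        set interface-select-method specify
        set interface "wan"
    next
    edit "RAGTAC2"
        set server 192.0.2.10
        set interface-select-method auto
    next
end
config user group
    edit "TACACS_GROUP"
        set member "RAGTAC1" "RAGTAC2"
    next
end
"""

def parse_tacacs_entries(config_text):
    """Return {entry_name: {setting: value}} for the 'config user tacacs+' block only."""
    entries, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):      # a new top-level block starts
            in_block = line == "config user tacacs+"
        elif not in_block:                  # ignore other blocks (user group, admin, ...)
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line == "next":
            current = None
        elif line == "end":
            in_block = False
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip().strip('"')
    return entries

def find_pinned_entries(config_text):
    """Names of entries whose source interface is fixed, i.e. not failover-safe."""
    entries = parse_tacacs_entries(config_text)
    return sorted(n for n, s in entries.items()
                  if s.get("interface-select-method") == "specify")
```

Run `find_pinned_entries()` over the output of `show full-configuration` to list the entries that should be switched to `set interface-select-method auto`, as in the solution above.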