No login possible via TACACS+ user when the primary WAN interface is down
I have a problem regarding authentication via TACACS+ on FGT units (FGT40F). I have two WAN interfaces, but they're not members of an SD-WAN.
If the primary interface goes down, login via TACACS+ is no longer possible. I also configured the same lines on the secondary one.
Here is the entire TACACS configuration:
config user tacacs+
    edit "RAGTAC1"
        set server <ip of primary server>
        set secondary-server <ip of secondary server>
        set key ENC vnm4VKB0FI5aNL1cBxRAngfqZtn75GS2aLWuFn7Va7KhhK0avUJGMG/JHVRyy+AGFKKvJ7xbAuDmM4+V6m4iTv76iUGgMssbNKpcBq+BLcluknE61I5r6emPmIwu6J04hP+qWiglAlc/QlA==
        set secondary-key ENC xBDZhp1GT9MnrQpkBHe342XbjGcb/YLoMHuXP5PmK7ALnDEvUmYcsEGy+4BJmJZdDKRX56sJWXzIbVmYEPwekPgXWlECqGWkPnMnoVyanbFrsoZG1xE0w==
        set authen-type ascii
        set authorization enable
        set interface-select-method specify
        set interface "wan"
    next
    edit "RAGTAC2"
        set server <ip of primary server>
        set secondary-server <ip of secondary server>
        set key ENC fI8pEqi9l7ZEFnu5LuDUJsu1X/12pwa/sfLY2K/8hyYlraBk84po0whOXpFciKMR4YgOu3ePZV13Hcqm4ucxg6igzVps4paD18oPPXY+DxeBTEIjQV5e1v8/W4lJY2KTidd0axrN/J9ZNvQVORv2/9Yk/kxPBu1W98HlL/mukaUqhO77w==
        set secondary-key ENC +47ZgpbYULOSAv//hfJLObdE5E5ISQvyc/X+btcHwcgSI2iobU1CssZo9+zI5ennVLr04PrGeX4+wjxFh/olZlEHrxMgJj1/2I+PcvONK+K5gxRr6CCBoJiEUfkK7ReCUMuCEoJWX1PRZPiyPf4OuO2b79UOGqXgPd+lKjg==
        set authen-type ascii
        set authorization enable
        set interface-select-method specify
        set interface "a"
    next
end

config user group
    edit "TACACS_GROUP"
        set member "RAGTAC1" "RAGTAC2"
    next
end

config system admin
    edit "RAG_TAC"
        set remote-auth enable
        #multiple trusted hosts
        set accprofile "super_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "TACACS_GROUP"
    next
end
But there is still the same problem when the primary goes down.
It seems that the FGT only uses the first configured section, "RAGTAC1". Section two (RAGTAC2) gets ignored, even when the primary interface wan is down and the only one left is the secondary.
My last idea would be to use a CLI script that gets triggered when the interface status changes. If the primary interface goes down, the line "set interface wan" would be changed to "set interface a", and the reverse on the way back (RAGTAC2 wouldn't be necessary anymore).
But there must be a better solution for this?! Any ideas?
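The interface-swap-on-status-change idea sketched in the post, written out as a FortiOS automation stitch. This is an added example, not from the thread or from Fortinet: it assumes the primary interface is "wan", the secondary is "a", the TACACS+ entry to rewrite is "RAGTAC1", and that event log ID 20099 is the "Interface status changed" event with "name" and "status" fields; those three points, and the "config fields" filter block, are assumptions to verify against a real log line on the unit before relying on them.

```text
# Added example (not from the thread). Assumptions: interface "wan" is primary,
# "a" is secondary, entry "RAGTAC1" is the one to rewrite, and log ID 20099
# is "Interface status changed" with fields name= and status=. Verify both
# the ID and the field names with:  execute log filter category 1
#                                   execute log display
# Stitch syntax shown is the 6.x form (set action ...); 7.x nests actions
# under "config actions".

config system automation-trigger
    edit "wan-link-down"
        set event-type event-log
        set logid 20099
        config fields
            edit 1
                set name "name"
                set value "wan"
            next
            edit 2
                set name "status"
                set value "DOWN"
            next
        end
    next
    edit "wan-link-up"
        set event-type event-log
        set logid 20099
        config fields
            edit 1
                set name "name"
                set value "wan"
            next
            edit 2
                set name "status"
                set value "UP"
            next
        end
    next
end

config system automation-action
    # Each script is idempotent: re-running it on a repeated event is harmless.
    edit "tacacs-use-a"
        set action-type cli-script
        set script "config user tacacs+
edit RAGTAC1
set interface a
next
end"
        set accprofile "super_admin"
    next
    edit "tacacs-use-wan"
        set action-type cli-script
        set script "config user tacacs+
edit RAGTAC1
set interface wan
next
end"
        set accprofile "super_admin"
    next
end

config system automation-stitch
    edit "tacacs-failover-to-a"
        set trigger "wan-link-down"
        set action "tacacs-use-a"
    next
    edit "tacacs-failback-to-wan"
        set trigger "wan-link-up"
        set action "tacacs-use-wan"
    next
end
```

Two caveats a practitioner would want: the CLI-script action runs with the "super_admin" profile, so the stitch itself becomes a privileged path to rewrite admin authentication and should be protected like any other super_admin credential; and if the field filter is dropped (or the field names are wrong), the trigger fires on every interface status change on the box, which is only tolerable because the scripts are idempotent. Test the failover by pulling the wan link while watching "diagnose debug application fnbamd -1" to confirm the TACACS+ source interface actually changes.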
It seems that the issue might be related to the way TACACS+ is configured on your FortiGate. When you set "interface-select-method" to "specify" in the TACACS+ configuration, you must also specify the interfaces on which to apply TACACS+. In your current configuration, you have specified "wan" for "RAGTAC1" and "a" for "RAGTAC2".
When the primary WAN interface goes down, the FortiGate is no longer able to apply TACACS+ authentication, as it is still trying to use the "wan" interface, which is down. To resolve this, you can modify the TACACS+ configuration by adding both interfaces to each TACACS+ entry:
config user tacacs+
    edit "RAGTAC1"
        set interface "wan" "a"
    next
    edit "RAGTAC2"
        set interface "wan" "a"
    next
end
This configuration will allow the FortiGate to use both WAN interfaces for TACACS+ authentication, regardless of which interface is up or down.