Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
torisa
New Contributor

TACACS+ Accounting

Hi,

 

I've configured Fortigate (FortiOS 5.6.2) with TACACS+ Authentication and it works fine. However I'm not receiving TACACS accounting messages to TACACS server. Is there a specific option to enable tacacs accounting or how this should be done in FortiOS?

 

Thank you for your help!

3 REPLIES 3
xsilver_FTNT
Staff
Staff

Hi,

there is no accounting implemented for TACACS+ in FortiOS. Just authentication and basic authorization.

If you would need some accounting being sent upon successful authentication, then as closest protocol to TACACS+ I'd suggest to use RADIUS. Where you can set accounting subsection in RADIUS server definition on FortiOS.

Best regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

emnoc
Esteemed Contributor III

I'm even skeptical that  RADIUS  supports accounting on FortiOS. What we end up doing was using the global  audit tracking  in FortiOS 5.4.x or higher

 

 

e.g

 

config sys  global

 set cli-audit-log enable

end

 

 

NOTE; various execute and diag cmds will not  generate   audit-log

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
xsilver_FTNT

I'm not skeptical .. I use that:

 

FGT60D-2 (root) # get sys stat Version: FortiGate-60D v5.4.5,build1138,170531 (GA) Virus-DB: 50.00815(2017-08-09 03:16) Extended DB: 32.00462(2016-02-08 17:12) IPS-DB: 12.00198(2017-08-08 02:08) IPS-ETDB: 0.00000(2001-01-01 00:00) Serial-Number: FGT60D4613007280 IPS Malicious URL Database: 1.00771(2017-09-24 06:05) Botnet DB: 4.00021(2017-08-08 10:00) BIOS version: 04000013 System Part-Number: P12397-02 Log hard disk: Not available Hostname: FGT60D-2 Operation Mode: NAT Current virtual domain: root Max number of virtual domains: 10 Virtual domains status: 2 in NAT mode, 0 in TP mode Virtual domain configuration: enable FIPS-CC mode: disable Current HA mode: standalone Branch point: 1138 Release Version Information: GA System time: Fri Dec 15 09:19:37 2017

 

FGT60D-2 (root) # sh user radius config user radius

edit "RAD_FAC49" set server "10.108.17.94"   <== auth done from FGT against some RADIUS set secret ENC QdsF9hX8CISpQgwGw90tYIofIhAtXDfF9==shrinked== set nas-ip 10.108.17.54 set source-ip 10.108.17.54 config accounting-server edit 1 set status enable set server "10.108.17.49"   <== sending Accounting-Requests somewhere else set secret ENC 6Yv1ISd3t/E4zwk7txB1KebyVRJPVG0mF==shrinked== next end next

 

Kind regards,

Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

Labels
Top Kudoed Authors