Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ronald1965
New Contributor

TACACS authentication on FortiGate 600D firewall

I am trying to get TACACS authentication to work for user ronald (to start with) on our FortiGate 600D firewall.

The TACACS server is a CentOS 7 Linux machine running tac_plus.

 

Firewall config:

config global
    config system admin
        edit "ronald"
            set remote-auth enable
            set accprofile "super_admin"
            set vdom "OOB"
            set remote-group "fwadmins"
            set password ENC SH2NlBggP0nKPW8lt6sfJaohuRG4BpAyUSjXp8jp6Fb/+RIZX5LtM5yMm2/S84=
        next
    end

config vdom
    edit OOB
        config user tacacs+
            edit "tacserver"
                set server "10.11.1.11"
                set key ENC rRpp8EzKAhzRCOb0OaiS+voJjnRaN7g86rhrkLG3H4t6EF6QOrMPDTmR1Sx9yEYen1ScT6xpMBIlfjggc9IYcz2VlS42rFxaPeIA4cuWuvSxm/HMJN2cA6b1+ZfBRYI+w74d6+wtKiVIKFwHpFCfxBTwtsbigNBtkLw55zqd2dKLWmg3FjWD0UbrQ+0/E/Hg==
                set authorization enable
                set source-ip 10.10.1.1
            next
        end

config vdom
    edit OOB
        config user group
            edit "fwadmins"
                set member "tacserver"
                config match
                    edit 1
                        set server-name "tacserver"
                        set group-name "tacacs-servers"
                    next
                end
            next
        end

 

 

tac_plus.conf config on Centos machine:

key = "xxxxxxxxxx"
accounting file = /var/log/tac.acct

# authentication users not appearing elsewhere via
# the file /etc/passwd
default authentication = file /etc/passwd

acl = default {
    permit = 10\.10\.1\.
}

# Group that is allowed to do most configuration on all interfaces etc.
group = admin {
    login = PAM
    service = exec {
        priv-lvl = 15
    }
    service = fortigate {
        admin_prof = "super_admin"
    }
    acl = default
}

user = ronald {
    login = PAM
    member = admin
}

 

However, authentication is not working; when trying to log in on the firewall with user ronald, the tac_plus logfile shows:

Feb 12 10:17:28 tacserver tac_plus[5327]: connect from 10.10.1.1 [10.10.1.1]
Feb 12 10:17:28 tacserver kernel: tac_plus[5327]: segfault at 0 ip 00007fdeb37ea097 sp 00007ffc3d945ab8 error 4 in libc-2.17.so[7fdeb36b5000+1b8000]

 

Can you please help me troubleshoot and fix this? I have already been working on this for months with no result.

 

Best regards,

 

Ronald

1 Solution
Alexis_G
Contributor II

Hi

Is your TACACS working with a switch, for example? Or did you verify with a tool that TACACS is properly working?

Is your source interface from the FortiGate the one that TACACS knows?

 

Is the ronald account in the /etc/passwd file?

 

--------------------------------------------

If all else fails, use the force !

Toshi_Esumi
Esteemed Contributor III

FortiGate side config looks good to me. So something is wrong on the tac_plus side. You might want to ask their forum about it.

Jeff_FTNT

Try to disable

#default authentication = file /etc/passwd
#acl = default {
#permit = 10\.10\.1\.
#}

 

Use local user

########

user = test3 {
    member = admin3
    pap = cleartext xxxxxx
    login = cleartext "xxxxxx"
}

group = admin3 {
    login = cleartext 1
    service = fortigate {
        optional admin_prof = prof_admin
    }
}

emnoc
Esteemed Contributor III

I have experience with tac_plus and a few others. What I would do:

 

1: set up the localhost as a TACACS client (you need to define it in tac_plus)

2: use the tacplus client to test any user/password

3: I would investigate the PAP or CHAP support also

 

 

http://socpuppet.blogspot...acacs-authen-type.html

http://socpuppet.blogspot.com/2016/03/

 

PCNSE 

NSE 

StrongSwan  

ronald1965

Yes, TACACS is working for our Cisco switches!

 

Yes it is the correct source interface.

 

No, ronald is not in the /etc/passwd file.

 

Thanks for all the suggestions, guys. I will do some more tests and come back to it later on!

ronald1965

I changed the tac_plus config file into this (nothing changed on the FortiGate firewall):

 

key = "1234567890"
accounting file = /var/log/tac.acct

acl = default {
    permit = 10\.10\.1\.
    permit = 10\.40\.1\.
}

# Group that is allowed to do most configuration on all interfaces etc.
group = admin {
    login = PAM
    service = exec {
        priv-lvl = 15
    }
    service = fortigate {
        optional admin_prof = "super_admin"
    }
    acl = default
}

user = ronald {
    login = PAM
    member = admin
    global = cleartext "12345"
}

 

Still not working, but now at least I get some useful logging. Any ideas about what is going wrong in authenticating?

 

Thu Aug 23 09:55:47 2018 [10456]: Read AUTHEN/START size=35
Thu Aug 23 09:55:47 2018 [10456]: validation request from 10.10.1.1
Thu Aug 23 09:55:47 2018 [10456]: PACKET: key=1234567890
Thu Aug 23 09:55:47 2018 [10456]: version 193 (0xc1), type 1, seq no 1, flags 0x1
Thu Aug 23 09:55:47 2018 [10456]: session_id 3911889360 (0xe92ab1d0), Data length 23 (0x17)
Thu Aug 23 09:55:47 2018 [10456]: End header
Thu Aug 23 09:55:47 2018 [10456]: Packet body hex dump:
Thu Aug 23 09:55:47 2018 [10456]: 0x1 0x0 0x2 0x1 0x7 0x0 0x0 0x8 0x61 0x30 0x30 0x30 0x38 0x36 0x32 0x47 0x73
Thu Aug 23 09:55:47 2018 [10456]: 0x78 0x37 0x35 0x30 0x65 0x73
Thu Aug 23 09:55:47 2018 [10456]: type=AUTHEN/START, priv_lvl = 0
Thu Aug 23 09:55:47 2018 [10456]: action=login
Thu Aug 23 09:55:47 2018 [10456]: authen_type=pap
Thu Aug 23 09:55:47 2018 [10456]: service=login
Thu Aug 23 09:55:47 2018 [10456]: user_len=7 port_len=0 (0x0), rem_addr_len=0 (0x0)
Thu Aug 23 09:55:47 2018 [10456]: data_len=8
Thu Aug 23 09:55:47 2018 [10456]: User:
Thu Aug 23 09:55:47 2018 [10456]: ronald
Thu Aug 23 09:55:47 2018 [10456]: port:
Thu Aug 23 09:55:47 2018 [10456]: rem_addr:
Thu Aug 23 09:55:47 2018 [10456]: data:
Thu Aug 23 09:55:47 2018 [10456]: 12345
Thu Aug 23 09:55:47 2018 [10456]: End packet
Thu Aug 23 09:55:47 2018 [10456]: Authen Start request
Thu Aug 23 09:55:47 2018 [10456]: choose_authen chose default_fn
Thu Aug 23 09:55:47 2018 [10456]: Calling authentication function
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_value: name=ronald isuser=1 attr=pap rec=1
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_value: recurse group = admin
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_pvalue: returns NULL
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_value: name=ronald isuser=1 attr=global rec=1
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_pvalue: returns cleartext 12345
Thu Aug 23 09:55:47 2018 [10456]: verify daemon 12345 == NAS 12345
Thu Aug 23 09:55:47 2018 [10456]: Password is correct
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_value: name=ronald isuser=1 attr=expires rec=1
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_value: recurse group = admin
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_pvalue: returns NULL
Thu Aug 23 09:55:47 2018 [10456]: Password has not expired <no expiry date set>
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_value: name=ronald isuser=1 attr=acl rec=1
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_value: recurse group = admin
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_pvalue: returns default
Thu Aug 23 09:55:47 2018 [10456]: cfg_acl_check(default, 10.10.1.1)
Thu Aug 23 09:55:47 2018 [10456]: ip 10.10.1.1 matched permit regex 10\.10\.1\. of acl filter default
Thu Aug 23 09:55:47 2018 [10456]: host ACLs for user 'ronald' permit
Thu Aug 23 09:55:47 2018 [10456]: pap-login query for 'ronald' unknown-port from 10.10.1.1 accepted
Thu Aug 23 09:55:47 2018 [10456]: Writing AUTHEN/SUCCEED size=18
Thu Aug 23 09:55:47 2018 [10456]: PACKET: key=1234567890
Thu Aug 23 09:55:47 2018 [10456]: version 193 (0xc1), type 1, seq no 2, flags 0x1
Thu Aug 23 09:55:47 2018 [10456]: session_id 3911889360 (0xe92ab1d0), Data length 6 (0x6)
Thu Aug 23 09:55:47 2018 [10456]: End header
Thu Aug 23 09:55:47 2018 [10456]: Packet body hex dump:
Thu Aug 23 09:55:47 2018 [10456]: 0x1 0x0 0x0 0x0 0x0 0x0
Thu Aug 23 09:55:47 2018 [10456]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
Thu Aug 23 09:55:47 2018 [10456]: msg_len=0, data_len=0
Thu Aug 23 09:55:47 2018 [10456]: msg:
Thu Aug 23 09:55:47 2018 [10456]: data:
Thu Aug 23 09:55:47 2018 [10456]: End packet
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_hvalue: name=10.10.1.1 attr=key
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_hvalue: no host named 10.10.1.1
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_phvalue: returns NULL
Thu Aug 23 09:55:47 2018 [10456]: hash: session_id=3501271785, key=1234567890, version=193, seq_no=2
Thu Aug 23 09:55:47 2018 [10456]: no prev. hash
Thu Aug 23 09:55:47 2018 [10456]: hash:
Thu Aug 23 09:55:47 2018 [10456]: 0x29
Thu Aug 23 09:55:47 2018 [10456]: 0xb9
Thu Aug 23 09:55:47 2018 [10456]: 0xbd
Thu Aug 23 09:55:47 2018 [10456]: 0x53
Thu Aug 23 09:55:47 2018 [10456]: 0x2a
Thu Aug 23 09:55:47 2018 [10456]: 0x7c
Thu Aug 23 09:55:47 2018 [10456]: 0xf6
Thu Aug 23 09:55:47 2018 [10456]: 0x4f
Thu Aug 23 09:55:47 2018 [10456]: 0x20
Thu Aug 23 09:55:47 2018 [10456]: 0xc6
Thu Aug 23 09:55:47 2018 [10456]: 0x89
Thu Aug 23 09:55:47 2018 [10456]: 0xb9
Thu Aug 23 09:55:47 2018 [10456]: 0xd8
Thu Aug 23 09:55:47 2018 [10456]: 0x4e
Thu Aug 23 09:55:47 2018 [10456]: 0x9e
Thu Aug 23 09:55:47 2018 [10456]: 0x54
Thu Aug 23 09:55:47 2018 [10456]: 10.10.1.1: disconnect
Thu Aug 23 09:55:47 2018 [10456]: exit status=0
Thu Aug 23 09:55:47 2018 [10455]: session.peerip is 10.10.1.1
Thu Aug 23 09:55:47 2018 [10455]: session request from 10.10.1.1 sock=2
Thu Aug 23 09:55:47 2018 [10455]: forked 10457
Thu Aug 23 09:55:47 2018 [10457]: connect from 10.10.1.1 [10.10.1.1]
Thu Aug 23 09:55:47 2018 [10457]: Waiting for packet
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_hvalue: name=10.10.1.1 attr=key
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_hvalue: no host named 10.10.1.1
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_phvalue: returns NULL
Thu Aug 23 09:55:47 2018 [10457]: hash: session_id=2379916, key=1234567890, version=192, seq_no=1
Thu Aug 23 09:55:47 2018 [10457]: no prev. hash
Thu Aug 23 09:55:47 2018 [10457]: hash:
Thu Aug 23 09:55:47 2018 [10457]: 0x9f
Thu Aug 23 09:55:47 2018 [10457]: 0xb
LEFT OUT SOME HASH INFO
Thu Aug 23 09:55:47 2018 [10457]: Read AUTHOR size=67
Thu Aug 23 09:55:47 2018 [10457]: validation request from 10.10.1.1
Thu Aug 23 09:55:47 2018 [10457]: PACKET: key=1234567890
Thu Aug 23 09:55:47 2018 [10457]: version 192 (0xc0), type 2, seq no 1, flags 0x1
Thu Aug 23 09:55:47 2018 [10457]: session_id 2354062336 (0x8c502400), Data length 55 (0x37)
Thu Aug 23 09:55:47 2018 [10457]: End header
Thu Aug 23 09:55:47 2018 [10457]: Packet body hex dump:
Thu Aug 23 09:55:47 2018 [10457]: 0x6 0x0 0x2 0x1 0x7 0x0 0x0 0x3 0x11 0x9 0xb 0x61 0x30 0x30 0x30 0x38 0x36 0x32
Thu Aug 23 09:55:47 2018 [10457]: 0x73 0x65 0x72 0x76 0x69 0x63 0x65 0x3d 0x66 0x6f 0x72 0x74 0x69 0x67 0x61 0x74
Thu Aug 23 09:55:47 2018 [10457]: 0x65 0x6d 0x65 0x6d 0x62 0x65 0x72 0x6f 0x66 0x2a 0x61 0x64 0x6d 0x69 0x6e 0x5f
Thu Aug 23 09:55:47 2018 [10457]: 0x70 0x72 0x6f 0x66 0x2a
Thu Aug 23 09:55:47 2018 [10457]: type=AUTHOR, priv_lvl=0, authen=2
Thu Aug 23 09:55:47 2018 [10457]: method=tacacs+
Thu Aug 23 09:55:47 2018 [10457]: svc=1 user_len=7 port_len=0 rem_addr_len=0
Thu Aug 23 09:55:47 2018 [10457]: arg_cnt=3
Thu Aug 23 09:55:47 2018 [10457]: User:
Thu Aug 23 09:55:47 2018 [10457]: ronald
Thu Aug 23 09:55:47 2018 [10457]: port:
Thu Aug 23 09:55:47 2018 [10457]: rem_addr:
Thu Aug 23 09:55:47 2018 [10457]: arg[0]: size=17
Thu Aug 23 09:55:47 2018 [10457]: service=fortigate
Thu Aug 23 09:55:47 2018 [10457]: arg[1]: size=9
Thu Aug 23 09:55:47 2018 [10457]: memberof*
Thu Aug 23 09:55:47 2018 [10457]: arg[2]: size=11
Thu Aug 23 09:55:47 2018 [10457]: admin_prof*
Thu Aug 23 09:55:47 2018 [10457]: End packet
Thu Aug 23 09:55:47 2018 [10457]: Start authorization request
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_value: name=ronald isuser=1 attr=acl rec=1
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_value: recurse group = admin
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_pvalue: returns default
Thu Aug 23 09:55:47 2018 [10457]: cfg_acl_check(default, 10.10.1.1)
Thu Aug 23 09:55:47 2018 [10457]: ip 10.10.1.1 matched permit regex 10\.10\.1\. of acl filter default
Thu Aug 23 09:55:47 2018 [10457]: host ACLs for user 'ronald' permit
Thu Aug 23 09:55:47 2018 [10457]: do_author: user='ronald'
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_value: name=ronald isuser=1 attr=before rec=1
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_value: recurse group = admin
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_pvalue: returns NULL
Thu Aug 23 09:55:47 2018 [10457]: user 'ronald' found
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_svc_node: username=ronald N_svc proto= svcname=fortigate rec=1
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_svc_node: recurse group = admin
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_svc_node: found N_svc proto= svcname=fortigate
Thu Aug 23 09:55:47 2018 [10457]: nas:service=fortigate (passed thru)
Thu Aug 23 09:55:47 2018 [10457]: nas:memberof* svr:absent/deny -> delete memberof* (i)
Thu Aug 23 09:55:47 2018 [10457]: nas:admin_prof* svr:admin_prof*super_admin -> replace with admin_prof*super_admin (h)
Thu Aug 23 09:55:47 2018 [10457]: replaced 2 args
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_value: name=ronald isuser=1 attr=after rec=1
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_value: recurse group = admin
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_pvalue: returns NULL
Thu Aug 23 09:55:47 2018 [10457]: Writing AUTHOR/PASS_REPL size=59
Thu Aug 23 09:55:47 2018 [10457]: PACKET: key=1234567890
Thu Aug 23 09:55:47 2018 [10457]: version 192 (0xc0), type 2, seq no 2, flags 0x1
Thu Aug 23 09:55:47 2018 [10457]: session_id 2354062336 (0x8c502400), Data length 47 (0x2f)
Thu Aug 23 09:55:47 2018 [10457]: End header
Thu Aug 23 09:55:47 2018 [10457]: Packet body hex dump:
Thu Aug 23 09:55:47 2018 [10457]: 0x2 0x2 0x0 0x0 0x0 0x0 0x11 0x16 0x73 0x65 0x72 0x76 0x69 0x63 0x65 0x3d 0x66
Thu Aug 23 09:55:47 2018 [10457]: 0x6f 0x72 0x74 0x69 0x67 0x61 0x74 0x65 0x61 0x64 0x6d 0x69 0x6e 0x5f 0x70 0x72
Thu Aug 23 09:55:47 2018 [10457]: 0x6f 0x66 0x2a 0x73 0x75 0x70 0x65 0x72 0x5f 0x61 0x64 0x6d 0x69 0x6e
Thu Aug 23 09:55:47 2018 [10457]: type=AUTHOR/REPLY status=2 (AUTHOR/PASS_REPL)
Thu Aug 23 09:55:47 2018 [10457]: msg_len=0, data_len=0 arg_cnt=2
Thu Aug 23 09:55:47 2018 [10457]: msg:
Thu Aug 23 09:55:47 2018 [10457]: data:
Thu Aug 23 09:55:47 2018 [10457]: arg[0] size=17
Thu Aug 23 09:55:47 2018 [10457]: service=fortigate
Thu Aug 23 09:55:47 2018 [10457]: arg[1] size=22
Thu Aug 23 09:55:47 2018 [10457]: admin_prof*super_admin
Thu Aug 23 09:55:47 2018 [10457]: End packet
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_hvalue: name=10.10.1.1 attr=key
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_hvalue: no host named 10.10.1.1
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_phvalue: returns NULL
Thu Aug 23 09:55:47 2018 [10457]: hash: session_id=2379916, key=1234567890, version=192, seq_no=2
Thu Aug 23 09:55:47 2018 [10457]: no prev. hash
Thu Aug 23 09:55:47 2018 [10457]: hash:
Thu Aug 23 09:55:47 2018 [10457]: 0xfe
LEFT OUT SOME HASH INFO
Thu Aug 23 09:55:47 2018 [10457]: authorization query for 'ronald' unknown from 10.10.1.1 accepted
Thu Aug 23 09:55:47 2018 [10457]: 10.10.1.1: disconnect
Thu Aug 23 09:55:47 2018 [10457]: exit status=0
Thu Aug 23 09:56:29 2018 [10455]: Received signal 15, shutting down
Thu Aug 23 09:56:29 2018 [10455]: exit status=0
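The log above shows tac_plus accepting a PAP AUTHEN/START (version 0xc1, type 1) and answering AUTHEN/SUCCEED, which is exactly the exchange a standalone test client can reproduce against the server, independent of the FortiGate, as emnoc suggested. The probe below is an added example, not code from this thread or from tac_plus; it assumes a TACACS+ server reachable on TCP 49, takes the shared key as bytes, and the user `ronald`, password `12345` and key `1234567890` used in the checks are the values shown in the post.

```python
import hashlib
import os
import socket
import struct

TAC_PLUS_AUTHEN = 1      # header "type 1" in the log: authentication packet
AUTHEN_VERSION = 0xC1    # "version 193 (0xc1)": minor version 1, required for PAP
# RFC 8907 reply status codes; tac_plus logs status 1 as AUTHEN/SUCCEED
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS", 6: "RESTART", 7: "ERROR"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream from RFC 8907 section 4.5; tac_plus logs its inputs as 'hash: session_id=, key=, version=, seq_no='."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """Body XOR pseudo-pad. XOR is its own inverse, so the same call de-obfuscates a received body."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))

def build_authen_start(user, password, port=b"", rem_addr=b""):
    """AUTHEN/START body for PAP: action=1 (login), priv_lvl=0, authen_type=2 (PAP), service=1 (login),
    then the four length bytes and the user / port / rem_addr / data (password) fields, as in the hex dump."""
    u, d = user.encode(), password.encode()
    return struct.pack("!8B", 1, 0, 2, 1, len(u), len(port), len(rem_addr), len(d)) + u + port + rem_addr + d

def build_header(session_id, seq_no, body, version=AUTHEN_VERSION, ptype=TAC_PLUS_AUTHEN):
    """12-byte header: version, type, seq_no, flags (0 = body is obfuscated), session_id, body length."""
    return struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body))

def parse_authen_reply(body):
    """Return (status name, server_msg) from a de-obfuscated AUTHEN/REPLY body."""
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return STATUS.get(status, str(status)), body[6:6 + msg_len].decode(errors="replace")

def pap_login(host, key, user, password, port=49, timeout=5):
    """One AUTHEN/START -> AUTHEN/REPLY round trip against a live server; a single recv is enough for these small replies."""
    session_id = struct.unpack("!I", os.urandom(4))[0]   # random per-session id, as the NAS would choose
    body = build_authen_start(user, password)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_header(session_id, 1, body) + obfuscate(body, session_id, key, AUTHEN_VERSION, 1))
        version, _ptype, seq_no, _flags, sid, length = struct.unpack("!BBBBII", s.recv(12))
        reply = obfuscate(s.recv(length), sid, key, version, seq_no)   # reply uses the server's seq_no (2)
    return parse_authen_reply(reply)
```

Note that tac_plus's packet debug prints the de-obfuscated body, so a hex dump like the one above carries the PAP password in clear and should be scrubbed before the log is shared.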

yannick

Hi Ronald,

I am facing the same issue with IOS switches, which work fine with tac_plus, and Nexus switches, which give the same error:

Mar 11 13:20:08 tacasdev kernel: tac_plus[211206]: segfault at 0 ip 00007fcc4f17ed56 sp 00007ffdd8eb5c18 error 4 in libc-2.17.so[7fcc4f040000+1c3000]

 

Did you make progress on this issue ?

 

Regards.

 

Yannick.

ronald1965

Hello Yannick,

 

Unfortunately, I did not...

 

Regards,

 

Ronald
