I am trying to get TACACS authentication to work for user ronald (to start with) on our Fortigate 600D firewall.
The TACACS server is a CentOS 7 Linux machine running tac_plus.
Firewall config:
config global
    config system admin
        edit "ronald"
            set remote-auth enable
            set accprofile "super_admin"
            set vdom "OOB"
            set remote-group "fwadmins"
            set password ENC SH2NlBggP0nKPW8lt6sfJaohuRG4BpAyUSjXp8jp6Fb/+RIZX5LtM5yMm2/S84=
        next
    end

config vdom
    edit OOB
        config user tacacs+
            edit "tacserver"
                set server "10.11.1.11"
                set key ENC rRpp8EzKAhzRCOb0OaiS+voJjnRaN7g86rhrkLG3H4t6EF6QOrMPDTmR1Sx9yEYen1ScT6xpMBIlfjggc9IYcz2VlS42rFxaPeIA4cuWuvSxm/HMJN2cA6b1+ZfBRYI+w74d6+wtKiVIKFwHpFCfxBTwtsbigNBtkLw55zqd2dKLWmg3FjWD0UbrQ+0/E/Hg==
                set authorization enable
                set source-ip 10.10.1.1
            next
        end

config vdom
    edit OOB
        config user group
            edit "fwadmins"
                set member "tacserver"
                config match
                    edit 1
                        set server-name "tacserver"
                        set group-name "tacacs-servers"
                    next
                end
            next
        end
tac_plus.conf config on Centos machine:
key = "xxxxxxxxxx"
accounting file = /var/log/tac.acct

# authentication users not appearing elsewhere via
# the file /etc/passwd
default authentication = file /etc/passwd

acl = default {
    permit = 10\.10\.1\.
}

# Group that is allowed to do most configuration on all interfaces etc.
group = admin {
    login = PAM
    service = exec {
        priv-lvl = 15
    }
    service = fortigate {
        admin_prof = "super_admin"
    }
    acl = default
}

user = ronald {
    login = PAM
    member = admin
}
However, authentication is not working; when trying to log in on the firewall with user ronald, the tac_plus logfile shows:
Feb 12 10:17:28 tacserver tac_plus[5327]: connect from 10.10.1.1 [10.10.1.1]
Feb 12 10:17:28 tacserver kernel: tac_plus[5327]: segfault at 0 ip 00007fdeb37ea097 sp 00007ffc3d945ab8 error 4 in libc-2.17.so[7fdeb36b5000+1b8000]
Can you please help me troubleshoot and fix this? I have already been working on this for months with no result.
Best regards,
Ronald
Hi
Is your TACACS working with a switch, for example? Or did you verify with a tool that TACACS is working properly?
Is your source interface from the Fortigate the one that TACACS knows?
Is the ronald account in the /etc/passwd file?
--------------------------------------------
If all else fails, use the force !
Fortigate side config looks good to me. So something is wrong on the tac_plus side. You might want to ask their forum about it.
Try to disable
#default authentication = file /etc/passwd
#acl = default {
#permit = 10\.10\.1\.
#}
Use a local user
########
user = test3 {
    member = admin3
    pap = cleartext xxxxxx
    login = cleartext "xxxxxx"
}
group = admin3 {
    login = cleartext 1
    service = fortigate {
        optional admin_prof = prof_admin
    }
}
I have experience with tac_plus and a few others. What I would do:
1: set up the localhost as a TACACS client (you need to define it in tac_plus)
2: use the tacplus client to test any user/password
3: I would investigate the PAP or CHAP support also
http://socpuppet.blogspot...acacs-authen-type.html
http://socpuppet.blogspot.com/2016/03/
PCNSE
NSE
StrongSwan
Hi
Is your TACACS working with a switch, for example? Or did you verify with a tool that TACACS is working properly?
Is your source interface from the Fortigate the one that TACACS knows?
Is the ronald account in the /etc/passwd file?
--------------------------------------------
If all else fails, use the force !
Yes, TACACS is working for our Cisco switches!
Yes, it is the correct source interface.
No, ronald is not in the /etc/passwd file.
Thanks for all the suggestions guys, I will do some more tests and come back to it later on!
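The /etc/passwd question asked and answered above can be checked mechanically. The script below is an added example, not code from this thread or from tac_plus: it parses a simplified tac_plus.conf (one statement per line, an opening brace may share the line), resolves each user's login method through its member groups, and lists users whose method is PAM or file /etc/passwd but who have no local account. It assumes PAM is backed by the local passwd database; the config and passwd excerpt are constructed.

```python
"""Lint a tac_plus.conf for the question raised above: users whose login method resolves
to PAM or a passwd file but who have no local account. Added example, not tac_plus's own
tooling; it assumes one statement per line (an opening brace may share the line)."""
import re
TOKEN = re.compile(r'"[^"]*"|[{}=\n]|[^\s{}=]+')   # quoted string, brace, '=', newline, word
# Constructed sample config (key redacted) and a passwd excerpt that lacks ronald and auditor.
SAMPLE_CONF = '''
key = "xxxxxxxxxx"
default authentication = file /etc/passwd   # applies to users with no login= of their own
group = admin { login = PAM
    service = fortigate { admin_prof = "super_admin" } }
user = ronald { login = PAM
    member = admin }
user = svc { login = cleartext "redacted" }
user = auditor { }
'''
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/bash\n"

def parse_block(toks, pos=0):
    """Parse 'name = value [{ ... }]' statements up to and past a closing brace; user,
    group and service entries are keyed by name, other statements map to their value."""
    attrs = {}
    while pos < len(toks) and toks[pos] != "}":
        if toks[pos] == "\n": pos += 1; continue
        eq = toks.index("=", pos)                  # the statement name is everything before '='
        words, pos, vals, child = toks[pos:eq], eq + 1, [], {}
        while pos < len(toks) and toks[pos] not in ("{", "}", "\n"):
            vals.append(toks[pos].strip('"')); pos += 1
        if pos < len(toks) and toks[pos] == "{":
            child, pos = parse_block(toks, pos + 1)
        name, value = " ".join(words), " ".join(vals)
        if name in ("user", "group", "service"): attrs.setdefault(name, {})[value] = child
        else: attrs[name] = value
    return attrs, pos + 1

def login_method(conf, node, seen=frozenset()):
    """A user's own login method, else the one inherited through member groups."""
    group = node.get("member")
    if "login" not in node and group and group not in seen:
        return login_method(conf, conf.get("group", {}).get(group, {}), seen | {group})
    return node.get("login")

def lint(conf_text, passwd_text):
    """[(user, method)] for users tac_plus would hand to the local account database."""
    conf, _ = parse_block(TOKEN.findall(re.sub(r"#.*", "", conf_text)))
    local = {line.split(":")[0] for line in passwd_text.splitlines() if ":" in line}
    methods = {u: login_method(conf, n) or conf.get("default authentication", "")
               for u, n in conf.get("user", {}).items()}
    return [(u, m) for u, m in methods.items()
            if (m == "PAM" or m.startswith("file")) and u not in local]
```

Run `lint(SAMPLE_CONF, SAMPLE_PASSWD)` against a real config and `/etc/passwd` to get the list of users tac_plus will send to PAM or the passwd file without a matching account.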
I changed the tac_plus config file into this (nothing changed on the Fortigate firewall):
key = "1234567890"
accounting file = /var/log/tac.acct

acl = default {
    permit = 10\.10\.1\.
    permit = 10\.40\.1\.
}

# Group that is allowed to do most configuration on all interfaces etc.
group = admin {
    login = PAM
    service = exec {
        priv-lvl = 15
    }
    service = fortigate {
        optional admin_prof = "super_admin"
    }
    acl = default
}

user = ronald {
    login = PAM
    member = admin
    global = cleartext "12345"
}
Still not working, but now at least I get some useful logging. Any ideas about what is going wrong in authenticating?
Thu Aug 23 09:55:47 2018 [10456]: Read AUTHEN/START size=35
Thu Aug 23 09:55:47 2018 [10456]: validation request from 10.10.1.1
Thu Aug 23 09:55:47 2018 [10456]: PACKET: key=1234567890
Thu Aug 23 09:55:47 2018 [10456]: version 193 (0xc1), type 1, seq no 1, flags 0x1
Thu Aug 23 09:55:47 2018 [10456]: session_id 3911889360 (0xe92ab1d0), Data length 23 (0x17)
Thu Aug 23 09:55:47 2018 [10456]: End header
Thu Aug 23 09:55:47 2018 [10456]: Packet body hex dump:
Thu Aug 23 09:55:47 2018 [10456]: 0x1 0x0 0x2 0x1 0x7 0x0 0x0 0x8 0x61 0x30 0x30 0x30 0x38 0x36 0x32 0x47 0x73
Thu Aug 23 09:55:47 2018 [10456]: 0x78 0x37 0x35 0x30 0x65 0x73
Thu Aug 23 09:55:47 2018 [10456]: type=AUTHEN/START, priv_lvl = 0
Thu Aug 23 09:55:47 2018 [10456]: action=login
Thu Aug 23 09:55:47 2018 [10456]: authen_type=pap
Thu Aug 23 09:55:47 2018 [10456]: service=login
Thu Aug 23 09:55:47 2018 [10456]: user_len=7 port_len=0 (0x0), rem_addr_len=0 (0x0)
Thu Aug 23 09:55:47 2018 [10456]: data_len=8
Thu Aug 23 09:55:47 2018 [10456]: User:
Thu Aug 23 09:55:47 2018 [10456]: ronald
Thu Aug 23 09:55:47 2018 [10456]: port:
Thu Aug 23 09:55:47 2018 [10456]: rem_addr:
Thu Aug 23 09:55:47 2018 [10456]: data:
Thu Aug 23 09:55:47 2018 [10456]: 12345
Thu Aug 23 09:55:47 2018 [10456]: End packet
Thu Aug 23 09:55:47 2018 [10456]: Authen Start request
Thu Aug 23 09:55:47 2018 [10456]: choose_authen chose default_fn
Thu Aug 23 09:55:47 2018 [10456]: Calling authentication function
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_value: name=ronald isuser=1 attr=pap rec=1
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_value: recurse group = admin
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_pvalue: returns NULL
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_value: name=ronald isuser=1 attr=global rec=1
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_pvalue: returns cleartext 12345
Thu Aug 23 09:55:47 2018 [10456]: verify daemon 12345 == NAS 12345
Thu Aug 23 09:55:47 2018 [10456]: Password is correct
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_value: name=ronald isuser=1 attr=expires rec=1
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_value: recurse group = admin
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_pvalue: returns NULL
Thu Aug 23 09:55:47 2018 [10456]: Password has not expired <no expiry date set>
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_value: name=ronald isuser=1 attr=acl rec=1
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_value: recurse group = admin
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_pvalue: returns default
Thu Aug 23 09:55:47 2018 [10456]: cfg_acl_check(default, 10.10.1.1)
Thu Aug 23 09:55:47 2018 [10456]: ip 10.10.1.1 matched permit regex 10\.10\.1\. of acl filter default
Thu Aug 23 09:55:47 2018 [10456]: host ACLs for user 'ronald' permit
Thu Aug 23 09:55:47 2018 [10456]: pap-login query for 'ronald' unknown-port from 10.10.1.1 accepted
Thu Aug 23 09:55:47 2018 [10456]: Writing AUTHEN/SUCCEED size=18
Thu Aug 23 09:55:47 2018 [10456]: PACKET: key=1234567890
Thu Aug 23 09:55:47 2018 [10456]: version 193 (0xc1), type 1, seq no 2, flags 0x1
Thu Aug 23 09:55:47 2018 [10456]: session_id 3911889360 (0xe92ab1d0), Data length 6 (0x6)
Thu Aug 23 09:55:47 2018 [10456]: End header
Thu Aug 23 09:55:47 2018 [10456]: Packet body hex dump:
Thu Aug 23 09:55:47 2018 [10456]: 0x1 0x0 0x0 0x0 0x0 0x0
Thu Aug 23 09:55:47 2018 [10456]: type=AUTHEN status=1 (AUTHEN/SUCCEED) flags=0x0
Thu Aug 23 09:55:47 2018 [10456]: msg_len=0, data_len=0
Thu Aug 23 09:55:47 2018 [10456]: msg:
Thu Aug 23 09:55:47 2018 [10456]: data:
Thu Aug 23 09:55:47 2018 [10456]: End packet
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_hvalue: name=10.10.1.1 attr=key
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_hvalue: no host named 10.10.1.1
Thu Aug 23 09:55:47 2018 [10456]: cfg_get_phvalue: returns NULL
Thu Aug 23 09:55:47 2018 [10456]: hash: session_id=3501271785, key=1234567890, version=193, seq_no=2
Thu Aug 23 09:55:47 2018 [10456]: no prev. hash
Thu Aug 23 09:55:47 2018 [10456]: hash:
Thu Aug 23 09:55:47 2018 [10456]: 0x29
Thu Aug 23 09:55:47 2018 [10456]: 0xb9
Thu Aug 23 09:55:47 2018 [10456]: 0xbd
Thu Aug 23 09:55:47 2018 [10456]: 0x53
Thu Aug 23 09:55:47 2018 [10456]: 0x2a
Thu Aug 23 09:55:47 2018 [10456]: 0x7c
Thu Aug 23 09:55:47 2018 [10456]: 0xf6
Thu Aug 23 09:55:47 2018 [10456]: 0x4f
Thu Aug 23 09:55:47 2018 [10456]: 0x20
Thu Aug 23 09:55:47 2018 [10456]: 0xc6
Thu Aug 23 09:55:47 2018 [10456]: 0x89
Thu Aug 23 09:55:47 2018 [10456]: 0xb9
Thu Aug 23 09:55:47 2018 [10456]: 0xd8
Thu Aug 23 09:55:47 2018 [10456]: 0x4e
Thu Aug 23 09:55:47 2018 [10456]: 0x9e
Thu Aug 23 09:55:47 2018 [10456]: 0x54
Thu Aug 23 09:55:47 2018 [10456]: 10.10.1.1: disconnect
Thu Aug 23 09:55:47 2018 [10456]: exit status=0
Thu Aug 23 09:55:47 2018 [10455]: session.peerip is 10.10.1.1
Thu Aug 23 09:55:47 2018 [10455]: session request from 10.10.1.1 sock=2
Thu Aug 23 09:55:47 2018 [10455]: forked 10457
Thu Aug 23 09:55:47 2018 [10457]: connect from 10.10.1.1 [10.10.1.1]
Thu Aug 23 09:55:47 2018 [10457]: Waiting for packet
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_hvalue: name=10.10.1.1 attr=key
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_hvalue: no host named 10.10.1.1
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_phvalue: returns NULL
Thu Aug 23 09:55:47 2018 [10457]: hash: session_id=2379916, key=1234567890, version=192, seq_no=1
Thu Aug 23 09:55:47 2018 [10457]: no prev. hash
Thu Aug 23 09:55:47 2018 [10457]: hash:
Thu Aug 23 09:55:47 2018 [10457]: 0x9f
Thu Aug 23 09:55:47 2018 [10457]: 0xb
LEFT OUT SOME HASH INFO
Thu Aug 23 09:55:47 2018 [10457]: Read AUTHOR size=67
Thu Aug 23 09:55:47 2018 [10457]: validation request from 10.10.1.1
Thu Aug 23 09:55:47 2018 [10457]: PACKET: key=1234567890
Thu Aug 23 09:55:47 2018 [10457]: version 192 (0xc0), type 2, seq no 1, flags 0x1
Thu Aug 23 09:55:47 2018 [10457]: session_id 2354062336 (0x8c502400), Data length 55 (0x37)
Thu Aug 23 09:55:47 2018 [10457]: End header
Thu Aug 23 09:55:47 2018 [10457]: Packet body hex dump:
Thu Aug 23 09:55:47 2018 [10457]: 0x6 0x0 0x2 0x1 0x7 0x0 0x0 0x3 0x11 0x9 0xb 0x61 0x30 0x30 0x30 0x38 0x36 0x32
Thu Aug 23 09:55:47 2018 [10457]: 0x73 0x65 0x72 0x76 0x69 0x63 0x65 0x3d 0x66 0x6f 0x72 0x74 0x69 0x67 0x61 0x74
Thu Aug 23 09:55:47 2018 [10457]: 0x65 0x6d 0x65 0x6d 0x62 0x65 0x72 0x6f 0x66 0x2a 0x61 0x64 0x6d 0x69 0x6e 0x5f
Thu Aug 23 09:55:47 2018 [10457]: 0x70 0x72 0x6f 0x66 0x2a
Thu Aug 23 09:55:47 2018 [10457]: type=AUTHOR, priv_lvl=0, authen=2
Thu Aug 23 09:55:47 2018 [10457]: method=tacacs+
Thu Aug 23 09:55:47 2018 [10457]: svc=1 user_len=7 port_len=0 rem_addr_len=0
Thu Aug 23 09:55:47 2018 [10457]: arg_cnt=3
Thu Aug 23 09:55:47 2018 [10457]: User:
Thu Aug 23 09:55:47 2018 [10457]: ronald
Thu Aug 23 09:55:47 2018 [10457]: port:
Thu Aug 23 09:55:47 2018 [10457]: rem_addr:
Thu Aug 23 09:55:47 2018 [10457]: arg[0]: size=17
Thu Aug 23 09:55:47 2018 [10457]: service=fortigate
Thu Aug 23 09:55:47 2018 [10457]: arg[1]: size=9
Thu Aug 23 09:55:47 2018 [10457]: memberof*
Thu Aug 23 09:55:47 2018 [10457]: arg[2]: size=11
Thu Aug 23 09:55:47 2018 [10457]: admin_prof*
Thu Aug 23 09:55:47 2018 [10457]: End packet
Thu Aug 23 09:55:47 2018 [10457]: Start authorization request
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_value: name=ronald isuser=1 attr=acl rec=1
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_value: recurse group = admin
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_pvalue: returns default
Thu Aug 23 09:55:47 2018 [10457]: cfg_acl_check(default, 10.10.1.1)
Thu Aug 23 09:55:47 2018 [10457]: ip 10.10.1.1 matched permit regex 10\.10\.1\. of acl filter default
Thu Aug 23 09:55:47 2018 [10457]: host ACLs for user 'ronald' permit
Thu Aug 23 09:55:47 2018 [10457]: do_author: user='ronald'
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_value: name=ronald isuser=1 attr=before rec=1
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_value: recurse group = admin
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_pvalue: returns NULL
Thu Aug 23 09:55:47 2018 [10457]: user 'ronald' found
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_svc_node: username=ronald N_svc proto= svcname=fortigate rec=1
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_svc_node: recurse group = admin
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_svc_node: found N_svc proto= svcname=fortigate
Thu Aug 23 09:55:47 2018 [10457]: nas:service=fortigate (passed thru)
Thu Aug 23 09:55:47 2018 [10457]: nas:memberof* svr:absent/deny -> delete memberof* (i)
Thu Aug 23 09:55:47 2018 [10457]: nas:admin_prof* svr:admin_prof*super_admin -> replace with admin_prof*super_admin (h)
Thu Aug 23 09:55:47 2018 [10457]: replaced 2 args
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_value: name=ronald isuser=1 attr=after rec=1
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_value: recurse group = admin
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_pvalue: returns NULL
Thu Aug 23 09:55:47 2018 [10457]: Writing AUTHOR/PASS_REPL size=59
Thu Aug 23 09:55:47 2018 [10457]: PACKET: key=1234567890
Thu Aug 23 09:55:47 2018 [10457]: version 192 (0xc0), type 2, seq no 2, flags 0x1
Thu Aug 23 09:55:47 2018 [10457]: session_id 2354062336 (0x8c502400), Data length 47 (0x2f)
Thu Aug 23 09:55:47 2018 [10457]: End header
Thu Aug 23 09:55:47 2018 [10457]: Packet body hex dump:
Thu Aug 23 09:55:47 2018 [10457]: 0x2 0x2 0x0 0x0 0x0 0x0 0x11 0x16 0x73 0x65 0x72 0x76 0x69 0x63 0x65 0x3d 0x66
Thu Aug 23 09:55:47 2018 [10457]: 0x6f 0x72 0x74 0x69 0x67 0x61 0x74 0x65 0x61 0x64 0x6d 0x69 0x6e 0x5f 0x70 0x72
Thu Aug 23 09:55:47 2018 [10457]: 0x6f 0x66 0x2a 0x73 0x75 0x70 0x65 0x72 0x5f 0x61 0x64 0x6d 0x69 0x6e
Thu Aug 23 09:55:47 2018 [10457]: type=AUTHOR/REPLY status=2 (AUTHOR/PASS_REPL)
Thu Aug 23 09:55:47 2018 [10457]: msg_len=0, data_len=0 arg_cnt=2
Thu Aug 23 09:55:47 2018 [10457]: msg:
Thu Aug 23 09:55:47 2018 [10457]: data:
Thu Aug 23 09:55:47 2018 [10457]: arg[0] size=17
Thu Aug 23 09:55:47 2018 [10457]: service=fortigate
Thu Aug 23 09:55:47 2018 [10457]: arg[1] size=22
Thu Aug 23 09:55:47 2018 [10457]: admin_prof*super_admin
Thu Aug 23 09:55:47 2018 [10457]: End packet
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_hvalue: name=10.10.1.1 attr=key
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_hvalue: no host named 10.10.1.1
Thu Aug 23 09:55:47 2018 [10457]: cfg_get_phvalue: returns NULL
Thu Aug 23 09:55:47 2018 [10457]: hash: session_id=2379916, key=1234567890, version=192, seq_no=2
Thu Aug 23 09:55:47 2018 [10457]: no prev. hash
Thu Aug 23 09:55:47 2018 [10457]: hash:
Thu Aug 23 09:55:47 2018 [10457]: 0xfe
LEFT OUT SOME HASH INFO
Thu Aug 23 09:55:47 2018 [10457]: authorization query for 'ronald' unknown from 10.10.1.1 accepted
Thu Aug 23 09:55:47 2018 [10457]: 10.10.1.1: disconnect
Thu Aug 23 09:55:47 2018 [10457]: exit status=0
Thu Aug 23 09:56:29 2018 [10455]: Received signal 15, shutting down
Thu Aug 23 09:56:29 2018 [10455]: exit status=0
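A debug log like the one above is easier to read per forked session, and at this log level tac_plus prints the shared key (`PACKET: key=`) and the PAP password (the line after `data:`) in clear, so it should be masked before it is shared. The script below is an added example, not a tac_plus tool and not from this thread: it summarises each session (request type, user, reply written, attribute replacements) and returns a redacted copy of the log. The excerpt is constructed in the same format as the log above.

```python
"""Summarise a tac_plus debug log per forked session and mask what this log level prints
in clear: the shared key on 'PACKET: key=' lines and the PAP password after 'data:'.
Added example, not a tac_plus tool; the excerpt is constructed in the thread's format."""
import re
LINE = re.compile(r"^(?P<head>.+? \[(?P<pid>\d+)\]: )(?P<msg>.*)$")
SAMPLE_LOG = """\
Thu Aug 23 09:55:47 2018 [10456]: Read AUTHEN/START size=35
Thu Aug 23 09:55:47 2018 [10456]: PACKET: key=1234567890
Thu Aug 23 09:55:47 2018 [10456]: authen_type=pap
Thu Aug 23 09:55:47 2018 [10456]: data_len=8
Thu Aug 23 09:55:47 2018 [10456]: data:
Thu Aug 23 09:55:47 2018 [10456]: 12345
Thu Aug 23 09:55:47 2018 [10456]: pap-login query for 'ronald' unknown-port from 10.10.1.1 accepted
Thu Aug 23 09:55:47 2018 [10456]: Writing AUTHEN/SUCCEED size=18
Thu Aug 23 09:55:47 2018 [10456]: msg_len=0, data_len=0
Thu Aug 23 09:55:47 2018 [10456]: data:
Thu Aug 23 09:55:47 2018 [10456]: End packet
Thu Aug 23 09:55:47 2018 [10457]: Read AUTHOR size=67
Thu Aug 23 09:55:47 2018 [10457]: nas:admin_prof* svr:admin_prof*super_admin -> replace with admin_prof*super_admin (h)
Thu Aug 23 09:55:47 2018 [10457]: Writing AUTHOR/PASS_REPL size=59
"""

def process(log_text):
    """Return (summary, redacted_text); the line after 'data:' is a secret only if data_len > 0."""
    summary, out, secret_next = {}, [], set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m: out.append(line); continue
        pid, msg = m["pid"], m["msg"]
        s = summary.setdefault(pid, {"replaced": [], "data_len": 0})
        if pid in secret_next:                     # previous line announced a password
            secret_next.discard(pid); msg = "<redacted>"
        elif msg.startswith("PACKET: key="):
            msg = "PACKET: key=<redacted>"
        elif msg.startswith("Read "):
            s["type"] = msg.split()[1]
        elif msg.startswith("authen_type="):
            s["authen_type"] = msg.split("=", 1)[1]
        elif " query for '" in msg:
            s["user"] = msg.split("'")[1]
        elif msg.startswith("Writing "):
            s["reply"] = msg.split()[1]
        elif " -> " in msg:                        # authorization attribute rewrites
            s["replaced"].append(msg.split(" -> ", 1)[1])
        elif "data_len=" in msg:
            s["data_len"] = int(re.search(r"data_len=(\d+)", msg)[1])
        elif msg == "data:" and s["data_len"]:
            secret_next.add(pid)
        out.append(m["head"] + msg)
    return summary, "\n".join(out) + "\n"
```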
Hi Ronald,
I am facing the same issue with an IOS switch, which works fine with tac_plus, and Nexus switches, which give the same error:
Mar 11 13:20:08 tacasdev kernel: tac_plus[211206]: segfault at 0 ip 00007fcc4f17ed56 sp 00007ffdd8eb5c18 error 4 in libc-2.17.so[7fcc4f040000+1c3000]
Did you make progress on this issue?
Regards.
Yannick.
Hello Yannick,
Unfortunately, I did not...
Regards,
Ronald