Hello,
I'm actually having an issue when configuration Tacacs+. Authentication is working correctly but I don't have access to vdoms. I'm running on FortiOS v5.4.5,build1138 (GA).
Configuration :
config vdom
edit elbc-mgmt
config user tacacs+
edit "TACACS-ISE"
set server "x.x.x.x"
set key ENC zqwEyuAFNC55u3Ve4ryjqLYTZTF91Wva825q4IkLKYKoIGUZ3l11QyuAOukWRP8Ejn11hODEqj/+yox3kD20pt0JWuhMSC7U/EVRSiwb9o6Dwx9SRlGhoXSPmHtQ15iN+8kGdn6FLsqzxpOAsXqJY79sqR6DsoPVsjxBx19ceUpJjary0oApEngL80aZeFIdluwA==
set authorization enable
next
end
config user group
edit "TACACS_Group"
set member "TACACS-ISE"
next
end
config global
config system admin
edit "TACACS_User"
set remote-auth enable
set accprofile "noaccess"
set comments ''
set vdom "elbc-mgmt"
set schedule ''
set two-factor disable
set email-to ''
set sms-server fortiguard
set sms-phone ''
set guest-auth disable
set wildcard enable
set remote-group "TACACS_Group"
set accprofile-override enable
set radius-vdom-override disable
next
config system accprofile
edit "noaccess"
next
edit "Read_Write"
set mntgrp read-write
set admingrp read-write
set updategrp read-write
set authgrp read-write
set sysgrp read-write
set netgrp read-write
set loggrp read-write
set routegrp read-write
set fwgrp read-write
set vpngrp read-write
set utmgrp read-write
set wanoptgrp read-write
set endpoint-control-grp read-write
set wifi read-write
next
edit "Read_Only"
set mntgrp read
set admingrp read
set updategrp read
set authgrp read
set sysgrp read
set netgrp read
set loggrp read
set routegrp read
set fwgrp read
set vpngrp read
set utmgrp read
set wanoptgrp read
set endpoint-control-grp read
set wifi read
next
end
Below admin status command :
FortiGate $ get system admin status username: user login local: ssh login device: base-mgmt:10.101.10.4:22 login remote: 10.101.10.15:64576 login vdom: elbc-mgmt login access profile: Read_Write login started: 2017-10-02 13:57:02 current time: 2017-10-02 13:57:15
Does anyone encounter this issue? User need to have access to all vdoms but it seems in my case he only have access to 1 vdom.
Thank you for your help
Eric
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Do you have a remote-wildcard user or what type of user ? You might need to add the user in ALLvdoms?
e.g
config sys admin
edit wildcard
set accprofile "profileALL" set vdom root AWS GCP AZURE CUST1 CUSTo CUSTB CUSTC set remote-group "tac_plus_group" next end
tac_plus_group is our tac_plusd tacacs-servers
Ken
PCNSE
NSE
StrongSwan
It should be a wildcard.
On ISE server, depending on access level it's sending, it will send "admin_prof" value which are "Read_Write" and "Read_Only".
Configuration is based on https://blog.willsplace.co.uk/quick-dirty-fortigate-tacacs-config/
I have tried to add multiple vdom
config system admin edit "TACACS_User" set remote-auth enable set accprofile "noaccess" set vdom "elbc-mgmt vdom1 vdom2 vdom3" set wildcard enable set remote-group "TACACS_Group" set accprofile-override enable next end
But when accessing to device, even though it seems user doesn't have admin access (sending value "Read_Only") user seems to have write access(manager to change configuration in vdom elbc-mgmt).
In configuration there is a radius-vdom-override but it doesn't seem there's the same thing for Tacacs+.
Eric
Will if you have "set accprofile-override enable" that will override the locally set accessprofile. Are you sure that's not what happening?
Going by what you listed in the FGT.config,
1: your users are wildcard
2: accprofile are override if present in the tacacs authorization
3: the users have access to ONLY "elbc-mgmt vdom1 vdom2 vdom3"
Is that speculation correct as far as what you want?
If that's what you want, I would look at the tacacs-server profiles.
PCNSE
NSE
StrongSwan
1. radius-vdom-override is supposed to work for both RADIUS and TACACS+ accounts
2. unless you are Super_admin with Global scope, then you have access to VDOMs specified in profile
3. older FOS also controlled if you access through interface belonging to the set VDOMs, so if you accessed through interface from non-allowed VDOM, you were blocked
4. for accessprofile override sniff or 'diag test authserver' to see what your TACACS+ really return as acc profile. As you have profile override enabled, then what came from server, and if the same profile exist on FGT (exact string match) that will be applied. If there is nothing from server or non-matching acc profile then default profile from wildcard admin config will be used (set accprofile "noaccess").
5. if you have acc profile like "Read_Only" from first post, and you are able to write to any of read-only config categories, then it's a bug, please report it
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hello,
Sorry was a bit busy for the last few days.
About the "Read_Only" acc profile I got it wrong. used multiple connexion and got the wrong windows. This Profile can't "edit".
I was also in contact with Professional services and they told me "Tacacs+ VDOM Override is not supported for TACACS+" so I have requested a new feature.
Thank you for your help and your time
Eric
did you ever hear anything back on this NFR?
Hello Tsilvey,
No I never got a feedback from them. I had to use Radius rather than TACACS+.
Eric
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.