Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Tacacs configuration - Authentication OK but n...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tacacs configuration - Authentication OK but no access to vdom
Hello,
I'm actually having an issue when configuration Tacacs+. Authentication is working correctly but I don't have access to vdoms. I'm running on FortiOS v5.4.5,build1138 (GA).
Configuration :
config vdom
edit elbc-mgmt
config user tacacs+
edit "TACACS-ISE"
set server "x.x.x.x"
set key ENC zqwEyuAFNC55u3Ve4ryjqLYTZTF91Wva825q4IkLKYKoIGUZ3l11QyuAOukWRP8Ejn11hODEqj/+yox3kD20pt0JWuhMSC7U/EVRSiwb9o6Dwx9SRlGhoXSPmHtQ15iN+8kGdn6FLsqzxpOAsXqJY79sqR6DsoPVsjxBx19ceUpJjary0oApEngL80aZeFIdluwA==
set authorization enable
next
end
config user group
edit "TACACS_Group"
set member "TACACS-ISE"
next
end
config global
config system admin
edit "TACACS_User"
set remote-auth enable
set accprofile "noaccess"
set comments ''
set vdom "elbc-mgmt"
set schedule ''
set two-factor disable
set email-to ''
set sms-server fortiguard
set sms-phone ''
set guest-auth disable
set wildcard enable
set remote-group "TACACS_Group"
set accprofile-override enable
set radius-vdom-override disable
next
config system accprofile
edit "noaccess"
next
edit "Read_Write"
set mntgrp read-write
set admingrp read-write
set updategrp read-write
set authgrp read-write
set sysgrp read-write
set netgrp read-write
set loggrp read-write
set routegrp read-write
set fwgrp read-write
set vpngrp read-write
set utmgrp read-write
set wanoptgrp read-write
set endpoint-control-grp read-write
set wifi read-write
next
edit "Read_Only"
set mntgrp read
set admingrp read
set updategrp read
set authgrp read
set sysgrp read
set netgrp read
set loggrp read
set routegrp read
set fwgrp read
set vpngrp read
set utmgrp read
set wanoptgrp read
set endpoint-control-grp read
set wifi read
next
end
Below admin status command :
FortiGate $ get system admin status username: user login local: ssh login device: base-mgmt:10.101.10.4:22 login remote: 10.101.10.15:64576 login vdom: elbc-mgmt login access profile: Read_Write login started: 2017-10-02 13:57:02 current time: 2017-10-02 13:57:15
Does anyone encounter this issue? User need to have access to all vdoms but it seems in my case he only have access to 1 vdom.
Thank you for your help
Eric
Labels:
- Labels:
-
5.4
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have a remote-wildcard user or what type of user ? You might need to add the user in ALLvdoms?
e.g
config sys admin
edit wildcard
set accprofile "profileALL" set vdom root AWS GCP AZURE CUST1 CUSTo CUSTB CUSTC set remote-group "tac_plus_group" next end
tac_plus_group is our tac_plusd tacacs-servers
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It should be a wildcard.
On ISE server, depending on access level it's sending, it will send "admin_prof" value which are "Read_Write" and "Read_Only".
Configuration is based on https://blog.willsplace.co.uk/quick-dirty-fortigate-tacacs-config/
I have tried to add multiple vdom
config system admin edit "TACACS_User" set remote-auth enable set accprofile "noaccess" set vdom "elbc-mgmt vdom1 vdom2 vdom3" set wildcard enable set remote-group "TACACS_Group" set accprofile-override enable next end
But when accessing to device, even though it seems user doesn't have admin access (sending value "Read_Only") user seems to have write access(manager to change configuration in vdom elbc-mgmt).
In configuration there is a radius-vdom-override but it doesn't seem there's the same thing for Tacacs+.
Eric
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Will if you have "set accprofile-override enable" that will override the locally set accessprofile. Are you sure that's not what happening?
Going by what you listed in the FGT.config,
1: your users are wildcard
2: accprofile are override if present in the tacacs authorization
3: the users have access to ONLY "elbc-mgmt vdom1 vdom2 vdom3"
Is that speculation correct as far as what you want?
If that's what you want, I would look at the tacacs-server profiles.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. radius-vdom-override is supposed to work for both RADIUS and TACACS+ accounts
2. unless you are Super_admin with Global scope, then you have access to VDOMs specified in profile
3. older FOS also controlled if you access through interface belonging to the set VDOMs, so if you accessed through interface from non-allowed VDOM, you were blocked
4. for accessprofile override sniff or 'diag test authserver' to see what your TACACS+ really return as acc profile. As you have profile override enabled, then what came from server, and if the same profile exist on FGT (exact string match) that will be applied. If there is nothing from server or non-matching acc profile then default profile from wildcard admin config will be used (set accprofile "noaccess").
5. if you have acc profile like "Read_Only" from first post, and you are able to write to any of read-only config categories, then it's a bug, please report it
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Sorry was a bit busy for the last few days.
About the "Read_Only" acc profile I got it wrong. used multiple connexion and got the wrong windows. This Profile can't "edit".
I was also in contact with Professional services and they told me "Tacacs+ VDOM Override is not supported for TACACS+" so I have requested a new feature.
Thank you for your help and your time
Eric
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
did you ever hear anything back on this NFR?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Tsilvey,
No I never got a feedback from them. I had to use Radius rather than TACACS+.
Eric
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FortiNAC and Dynamic VLAN assignment for... 35 Views
- SD-WAN(ish) design 23 Views
- Traffic Shaping Configuration Issue Affecting ... 98 Views
- Unreliable SSL VPN Performance and Poor... 161 Views
- FortiEMS and AutoConnect/AlwaysUP 286 Views
Labels
-
FortiGate
8,479 -
FortiClient
1,719 -
5.2
801 -
FortiManager
713 -
5.4
639 -
FortiAnalyzer
548 -
FortiAP
459 -
FortiSwitch
457 -
6.0
416 -
FortiClient EMS
408 -
5.6
362 -
FortiMail
309 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
222 -
FortiWeb
200 -
5.0
196 -
IPsec
186 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
39 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.