Tacacs.net ACCprofile bypass
Good day,
I'm setting up a Tacacs.net server to authenticate all our FGTs and it's working fine.
But when a different (TacacsUserGroup) tries to log in to a FGT which doesn't have its (TacacsAdmin_profile) configured, it logs in as super_admin instead of being denied access.
Tacacs.net config for that group:
```xml
<Service>
<Set>service=fortigate</Set>
<Set>memberof=FGT_access</Set>
<Set>admin_prof=csu</Set>
</Service>
```
debug fnbamd
```
[705] parse_author_reply-Authorization arg0: memberof=FGT_access
[705] parse_author_reply-Authorization arg1: admin_prof=csu // This profile doesn't exist in the FGT.
[709] parse_author_reply-Authorization result=2
[788] auth_tac_plus_result-Passed group matching
[1059] find_matched_usr_grps-Group 'tacacs_access' passed group matching
[1060] find_matched_usr_grps-Add matched group 'tacacs_access'(2)
[217] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 637653419, len=2000
[747] destroy_auth_session-delete session 637653419
[1041] tac_plus_destroy-tacacs_server
```
It seems it only matches the group on the FGT but doesn't care about admin_profile matching.
"set accprofile-override enable" is set.
Any clue?
Regards.
Hey noc,
In the underlying wildcard admin entry on FortiGate, you should still have an admin profile set, even if accprofile-override is enabled.
If a TACACS admin trying to log in does NOT have a valid admin profile attribute supplied by TACACS, FortiGate defaults to whatever profile is specified in the wildcard admin entry.
I would suggest setting the default admin entry to a read-only profile or one without any permissions at all.
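As an added FortiOS CLI example (not from the thread or from Fortinet), this shows the wildcard admin entry first with the permissive fallback the poster observed and then with a no-permission fallback profile; the group name tacacs_access and the profile name csu come from the post, while the names no_access and tacacs_wildcard and the permissions given to csu are assumptions.

```fortios
# Added example, not from the original post. Names "no_access" and
# "tacacs_wildcard" are assumed; "tacacs_access" and "csu" are from the thread.

# Weak: when the TACACS admin_prof attribute names a profile that does not
# exist on this FortiGate, the login falls back to the entry's own accprofile,
# here super_admin.
config system admin
    edit "tacacs_wildcard"
        set remote-auth enable
        set wildcard enable
        set remote-group "tacacs_access"
        set accprofile-override enable
        set accprofile "super_admin"
    next
end

# Corrected: a custom profile with every permission group set to none, used
# as the fallback for any TACACS admin whose admin_prof does not match.
config system accprofile
    edit "no_access"
        set comments "Fallback for TACACS admins with no matching admin_prof"
        set secfabgrp none
        set ftviewgrp none
        set authgrp none
        set sysgrp none
        set netgrp none
        set loggrp none
        set fwgrp none
        set vpngrp none
        set utmgrp none
        set wifi none
    next
    # The profile name sent by TACACS (admin_prof=csu) must also exist on the
    # FortiGate, otherwise the fallback applies. Permissions here are a placeholder.
    edit "csu"
        set sysgrp read
        set loggrp read
    next
end

config system admin
    edit "tacacs_wildcard"
        set accprofile "no_access"
    next
end
```

With this in place, the fnbamd debug output in the question would still report "Passed group matching", but an unmatched admin_prof value lands the session in no_access rather than super_admin.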