iyotov
Staff
Article Id 198250

Description

 

This article describes how to configure TACACS+ access profile override on FortiManager or FortiAnalyzer.


Solution

 

FortiManager / FortiAnalyzer side configuration
 
# config system admin tacacs
    edit "TACACS_SERVERS"
        set server <primary_server_ip>
        set secondary-server <secondary_server_ip>
        set key "$$$"
        set secondary-key "$$$"
        set authen-type auto
        set authorization enable
    next
end

# config system admin profile
    edit "no_access"
    next
end

# config system admin user
    edit "wildcard_tac_plus"
        set profileid "no_access"
        set adom "all_adoms"
        set policy-package "all_policy_packages"
        set user_type tacacs-plus
        set tacacs-plus-server "TACACS_SERVERS"
        set wildcard enable
        set radius-accprofile-override enable
    next
end

Note: As of versions 5.6.6 / 6.0.3 the admin user CLI syntax was changed as follows:


set radius-accprofile-override  =>  set ext-auth-accprofile-override
set radius-adom-override        =>  set ext-auth-adom-override
set radius-group-match          =>  set ext-authgroup-match

 
The 'set remote-group' parameter should not be used for this wildcard user.

On the FortiManager / FortiAnalyzer, define the admin profiles needed for the TACACS+ admins, from the CLI under 'config system admin profile' or via the GUI under System Settings -> Admin -> Profile. For example: RO_profile, RW_profile, Policy_only_profile, etc.

Note 'set profileid "no_access"': the intent is to give the wildcard user only a minimal access level when, for whatever reason, the 'accprofile-override' data cannot be obtained or evaluated from the TACACS+ Authorization Response.

TACACS+ server side configuration

The admin_prof attribute should match the admin access profile names defined in FortiManager.
For the ADOM override function ('ext-auth-adom-override') to work, the user needs an 'adom' AVP containing the name of an existing ADOM defined in FortiManager. To grant access to multiple ADOMs, add additional 'adom' AVPs with the respective ADOM names. All of them must be inside the TACACS+ server response.
In the case of ADOM override, one might also want to set a minimal/empty ADOM on the system admin user, similar to the minimal access profile.
 
Note:
It is important to set the 'service' AVP to 'FortiGate', as below.
This is a Service Dictionary name, so 'FortiGate' is used even though access is being granted here to FortiManager (and possibly to other Fortinet products such as FortiAnalyzer).

Example:
service=fortigate {
    memberof=RO_admin_group
    admin_prof=RO_profile
    adom=root
    adom=FortiGates64
    adom=FortiGates7
}
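The following is an added illustrative model, not Fortinet code and not part of the original article, of the two rules described above: the wildcard user falls back to its minimal 'no_access' profile when the admin_prof AVP is missing or does not name a defined profile, and each 'adom' AVP naming an existing ADOM is granted. The parser for the tac_plus-style 'service=fortigate { ... }' block, the function names, the set of defined profiles/ADOMs and the sample responses are all constructed assumptions for this example; the real FortiManager evaluation logic is not published on this page.

```python
"""Model of how a wildcard TACACS+ admin on FortiManager/FortiAnalyzer
resolves its effective access profile and ADOM list from the AVPs in a
TACACS+ authorization response. Illustrative only (not Fortinet code)."""
import re
from dataclasses import dataclass, field

# Profiles defined under 'config system admin profile' (constructed sample).
DEFINED_PROFILES = {"no_access", "RO_profile", "RW_profile", "Policy_only_profile"}
# ADOMs that exist on the FortiManager (constructed sample).
DEFINED_ADOMS = {"root", "FortiGates64", "FortiGates7"}

WILDCARD_USER_PROFILE = "no_access"   # set profileid "no_access"
WILDCARD_USER_ADOM = "all_adoms"      # set adom "all_adoms"


@dataclass
class EffectiveAccess:
    profile: str
    adoms: list = field(default_factory=list)
    reason: str = ""


def parse_tacacs_service_block(text):
    """Parse a tac_plus-style 'service=<name> { attr=value ... }' block into
    (service_name, [(attr, value), ...]). Repeated attributes such as several
    'adom=' lines are kept in order."""
    m = re.search(r"service\s*=\s*(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        return None, []
    avps = []
    for line in m.group(2).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition("=")
        if sep:
            avps.append((attr.strip(), value.strip()))
    return m.group(1), avps


def resolve_access(service, avps, accprofile_override=True, adom_override=True):
    """Apply the article's rules: the service dictionary must be 'fortigate';
    admin_prof must name a defined profile or the wildcard user's minimal
    profile is kept; only 'adom' AVPs naming existing ADOMs are granted."""
    if service is None or service.lower() != "fortigate":
        return EffectiveAccess(WILDCARD_USER_PROFILE, [WILDCARD_USER_ADOM],
                               "service AVP missing or not 'fortigate'")
    profile, reason = WILDCARD_USER_PROFILE, "fallback: no usable admin_prof"
    if accprofile_override:
        wanted = [v for a, v in avps if a == "admin_prof"]
        if wanted and wanted[0] in DEFINED_PROFILES:
            profile, reason = wanted[0], "admin_prof accepted"
        elif wanted:
            reason = f"admin_prof {wanted[0]!r} is not defined on FortiManager"
    adoms = [WILDCARD_USER_ADOM]
    if adom_override:
        granted = [v for a, v in avps if a == "adom" and v in DEFINED_ADOMS]
        if granted:
            adoms = granted
    return EffectiveAccess(profile, adoms, reason)


def evaluate(response_text):
    """Parse a raw service block and resolve the effective access."""
    service, avps = parse_tacacs_service_block(response_text)
    return resolve_access(service, avps)


# Constructed sample responses (the first mirrors the article's example).
GOOD_RESPONSE = """service=fortigate {
    memberof=RO_admin_group
    admin_prof=RO_profile
    adom=root
    adom=FortiGates64
    adom=FortiGates7
}"""
UNKNOWN_PROFILE_RESPONSE = """service=fortigate {
    admin_prof=Helpdesk_profile
    adom=root
}"""
WRONG_SERVICE_RESPONSE = """service=shell {
    admin_prof=RW_profile
}"""

if __name__ == "__main__":
    for name, text in [("good", GOOD_RESPONSE),
                       ("unknown profile", UNKNOWN_PROFILE_RESPONSE),
                       ("wrong service", WRONG_SERVICE_RESPONSE)]:
        r = evaluate(text)
        print(f"{name:16s} profile={r.profile:12s} adoms={r.adoms} ({r.reason})")
```

The point of the model is the fail-closed shape: anything that cannot be matched to a defined profile or ADOM leaves the admin with the minimal settings bound to the wildcard account rather than with elevated access, which is why the article binds the wildcard user to 'no_access'.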