Created on 04-07-2017 07:30 AM Edited on 10-07-2022 08:28 AM By Anonymous
Description
Solution
FortiManager / FortiAnalyzer side configuration

# config system admin tacacs
edit "TACACS_SERVERS"
set server <primary_server_ip>
set secondary-server <secondary_server_ip>
set key "$$$"
set secondary-key "$$$"
set authen-type auto
set authorization enable
next
end
# config system admin profile
edit "no_access"
next
end
# config system admin user
edit "wildcard_tac_plus"
set profileid "no_access"
set adom "all_adoms"
set policy-package "all_policy_packages"
set user_type tacacs-plus
set tacacs-plus-server "TACACS_SERVERS"
set wildcard enable
set radius-accprofile-override enable
next
end

Note: As of versions 5.6.6 / 6.0.3 the admin user CLI syntax was changed as follows:
set radius-accprofile-override => set ext-auth-accprofile-override
set radius-adom-override => set ext-auth-adom-override
set radius-group-match => set ext-auth-group-match

The 'set remote-group' parameter should not be used for this wildcard user.
On the FortiManager / FortiAnalyzer, define the different admin profiles (as needed) for the TACACS+ admins, from the CLI under config system admin profile, or via the GUI under System Settings -> Admin -> Profile. For example RO_profile, RW_profile, Policy_only_profile, etc.

Note 'set profileid "no_access"' above: the intent is to provide a minimal access level for the case where, for whatever reason, it is impossible to obtain or evaluate 'accprofile-override' and the data from the TACACS+ Authorization Response.
TACACS+ server side configuration
The admin_prof attribute should match the admin access profile names defined in FortiManager.

For the ADOM override function ('ext-auth-adom-override') to work, the user needs an 'adom' AVP containing the name of an existing ADOM defined in FortiManager. To grant access to multiple ADOMs, simply add additional 'adom' AVPs with the respective ADOM names. All of those must be inside the TACACS+ server response.

In the case of adom override, one might also want to set a minimalistic/empty adom in the system admin user, similar to the minimalistic access profile.

Note: It is important to set the 'service' AVP to 'FortiGate', as below. It is a Service Dictionary name, so 'FortiGate' is used even though the access granted here is to FortiManager (and possibly to other Fortinet products such as FortiAnalyzer).
Example:

service=fortigate {
memberof=RO_admin_group
admin_prof=RO_profile
adom=root
adom=FortiGates64
adom=FortiGates7
}
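The following is an added example (not part of the original article or of any Fortinet code) that parses a tac_plus-style service stanza like the one above and models the outcome the article describes: when the 'service' name is not 'fortigate', or the admin_prof / adom values cannot be matched against what exists on the FortiManager, the wildcard user falls back to its local 'no_access' profile and local adom. The profile and ADOM inventories, the fallback order and the warning texts are assumptions of this model, not FortiManager's documented evaluation logic; they are useful for sanity-checking a TACACS+ server configuration before deploying it.

```python
import re
from dataclasses import dataclass

# Constructed sample reply, in the tac_plus-style notation used in the article.
SAMPLE_STANZA = """
service=fortigate {
    memberof=RO_admin_group
    admin_prof=RO_profile
    adom=root
    adom=FortiGates64
    adom=FortiGates7
}
"""

# Hypothetical inventory of what exists on the FortiManager (constructed).
DEFINED_PROFILES = {"no_access", "RO_profile", "RW_profile", "Policy_only_profile"}
DEFINED_ADOMS = {"root", "FortiGates64", "FortiGates7"}


@dataclass
class WildcardUser:
    """Local settings of the wildcard admin user, mirroring the article's CLI."""
    profileid: str = "no_access"      # set profileid "no_access"
    adom: str = "all_adoms"           # set adom "all_adoms"
    accprofile_override: bool = True  # set ext-auth-accprofile-override enable
    adom_override: bool = True        # set ext-auth-adom-override enable


def parse_service_stanza(text):
    """Parse 'service=<name> { attr=value ... }' into (service, [(attr, value), ...]).

    A list of pairs is kept rather than a dict because repeated AVPs
    (several adom= lines) carry meaning.
    """
    m = re.search(r"service\s*=\s*(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no service stanza found")
    avps = []
    for line in m.group(2).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed AVP line: {line!r}")
        avps.append((attr.strip(), value.strip()))
    return m.group(1), avps


def effective_access(user, service, avps, profiles=DEFINED_PROFILES, adoms=DEFINED_ADOMS):
    """Model which profile and ADOMs the wildcard user ends up with.

    Assumed behaviour (a simplification, not FortiManager's exact logic): when a
    reply attribute cannot be used, the user's own local profileid / adom apply.
    Returns (profile, list of ADOMs, list of warnings).
    """
    warnings = []
    # The service name is a dictionary name; anything but 'fortigate' is ignored.
    if service.lower() != "fortigate":
        warnings.append(f"service '{service}' is not 'fortigate': reply attributes ignored")
        return user.profileid, [user.adom], warnings

    profile = user.profileid
    if user.accprofile_override:
        profs = [v for a, v in avps if a == "admin_prof"]
        if not profs:
            warnings.append("no admin_prof AVP: falling back to local profileid")
        elif profs[0] not in profiles:
            warnings.append(f"admin_prof '{profs[0]}' is not a defined profile: falling back")
        else:
            profile = profs[0]

    adom_list = [user.adom]
    if user.adom_override:
        wanted = [v for a, v in avps if a == "adom"]
        for name in wanted:
            if name not in adoms:
                warnings.append(f"adom '{name}' does not exist on FortiManager: ignored")
        valid = [v for v in wanted if v in adoms]
        if valid:
            adom_list = valid
        else:
            warnings.append("no usable adom AVP: falling back to local adom")
    return profile, adom_list, warnings


if __name__ == "__main__":
    svc, pairs = parse_service_stanza(SAMPLE_STANZA)
    print(effective_access(WildcardUser(), svc, pairs))
```

Running the script against the sample stanza yields RO_profile with the three ADOMs and no warnings; feeding it a stanza with a misspelled service name or an admin_prof that is not defined on the FortiManager shows the fallback to 'no_access', which is exactly why the article recommends that minimal local profile.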
Copyright 2024 Fortinet, Inc. All Rights Reserved.