FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
ehamud
Staff
Article Id 308832
Description

This article describes how to configure TACACS+ administrator authentication on a FortiSwitch operating in standalone mode.

Scope
FortiSwitch.
Solution

TACACS+ is a protocol for centralized device management: it authenticates (and can authorize) administrators against a central server, so that network devices do not have to rely on locally stored credentials. TACACS+ uses TCP port 49.

In this example, the FortiSwitch is configured in standalone mode, and the TACACS+ server is a FortiAuthenticator KVM instance hosted on an Ubuntu Server machine.

 

  1. Configure the TACACS+ server entry used for authentication. IP 10.10.70.90 is the TACACS+ server (the FortiAuthenticator KVM) and the FortiSwitch IP is 10.10.70.4. The shared key must be identical on the TACACS+ server and on the FortiSwitch:

 

FortiSwitch # config user tacacs+
config user tacacs+
    edit "FAC-TACACS"
        set authen-type auto
        set authorization enable
        set key ENC r2cfBEFAX4xK4GCaIebrTigvgf8KfEjk0n/ElOj+ML6R6LL3q1rAXSAMWZWSh/ViryQqt8ln9pE1D/m6tYdSPPhbP+WI72a7GqIcBj4pHRhUqZCFFOvfuhb4lry/5+sOxwt2E8UJbPXOs2ng8/qNQ0+aBsoQcDGSo7P9NC4YdGWnqnXw
        set port 49
        set server "10.10.70.90"
        set source-ip 0.0.0.0
    next
end

 

  2. Configure the TACACS+ user group and include the server entry created in step 1 as a member:

 

FortiSwitch (group) # edit TACACS_Group
    set group-type firewall
    set authtimeout 0
    set http-digest-realm ''
    set member "FAC-TACACS"
next
end

 

  3. Configure the TACACS+ system admin account. It must reference the group created in step 2 as its remote group:

 

FortiSwitch # config system admin
    edit "userswitch"
        set remote-auth enable
        set accprofile "prof_admin"
        set wildcard enable
        set remote-group "TACACS_Group"
    next
end
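As an added consistency check (not part of the article and not FortiSwitch code), the following Python script parses the three FortiSwitch blocks above in their backup-style form and verifies the chain the article builds: the admin account has remote-auth enabled and points at a group whose member is a TACACS+ server entry with a server address and a shared key. The sample text is constructed from the blocks above, with the encrypted key replaced by a placeholder.

```python
import shlex

# Constructed sample: the article's three FortiSwitch blocks, prompts removed, key replaced.
SAMPLE = """\
config user tacacs+
    edit "FAC-TACACS"
        set key ENC PLACEHOLDER
        set server "10.10.70.90"
    next
end
config user group
    edit "TACACS_Group"
        set member "FAC-TACACS"
    next
end
config system admin
    edit "userswitch"
        set remote-auth enable
        set remote-group "TACACS_Group"
    next
end
"""

def parse_config(text):
    """Parse config/edit/set blocks into {table: {entry: {key: values}}}; next/end are ignored."""
    tables, table, entry = {}, None, None
    for tok in (shlex.split(line) for line in text.splitlines()):
        if tok and tok[0] == "config":
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "edit":
            entry = table.setdefault(tok[1], {})
        elif tok and tok[0] == "set":
            entry[tok[1]] = tok[2:]
    return tables

def check_admin_chain(tables, admin_name):
    """Follow admin -> remote-group -> member -> TACACS+ server; return a list of problems."""
    admin = tables.get("system admin", {}).get(admin_name)
    if admin is None:
        return [f"admin '{admin_name}' not found"]
    out = [] if admin.get("remote-auth") == ["enable"] else ["remote-auth not enabled"]
    group = tables.get("user group", {}).get(admin.get("remote-group", [""])[0])
    if group is None:
        return out + ["remote-group does not exist"]
    for member in group.get("member", []):
        srv = tables.get("user tacacs+", {}).get(member)
        if srv is None:
            out.append(f"member '{member}' is not a TACACS+ server entry")
        else:  # the server entry must carry both an address and a shared key
            out += [f"'{member}': missing {k}" for k in ("server", "key") if k not in srv]
    return out
```

An empty list from check_admin_chain means every reference in the chain resolves; run it against a real `show` backup before testing the login.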

 

Now configure the FortiAuthenticator KVM as the TACACS+ server. It is assumed that the switch and the TACACS+ server are in the same network segment:

  1. Add the FortiSwitch IP as a client: go to Authentication -> TACACS+ Service -> Clients. In this example, the entire segment is included:

 

SwitchClientFAC.png

 

  2. Create the policy, which checks the authentication method and assigns the clients to it: go to Authentication -> TACACS+ Service -> Policies and select 'Create New'. The TACACS+ Policy Wizard opens; move the client segment created in step 1 from left to right.

 

FACP1.png

 

Select the Username format:

 

FACP2.png

 

Select the Authentication factor:

 

FACP3.png

 

Finish the policy configuration, select 'Update', and exit:

 

FACP4.png

 

  3. To create authorization rules, go to Authentication -> TACACS+ Service -> Authorization. Authorization rules can be assigned to user groups or to individual user accounts.

 

RuleFAC.png

 

  4. To create a local user, go to Authentication -> User Management -> Local Users and select 'Create New'. Under the TACACS+ menu, select the rule created before (RuleFortiSwitch) for this user, called rgreen3:

 

UserFAC.png

 

  5. Assign the authorization rule to a user group: go to Authentication -> User Management -> User Groups, move the user created before (in this case rgreen3) from left to right, and under the 'TACACS+ authorization rule' dropdown select the RuleFortiSwitch rule created before.

 

AuthGFAC.png

 

Now test the configuration. On the FortiSwitch, first confirm that the current session is logged in with a local admin account:

AdminF.png

 

FortiSwitch # diagnose test authserver tacacs+ FAC-TACACS rgreen3 fortinet
authenticate user 'rgreen3' on server 'FAC-TACACS' succeeded

 

Log out from the admin account and log in with the rgreen3 user instead:

 

Rgreen3SW.png

 

 

In the FortiAuthenticator TACACS+ server logs, the user is authenticated correctly:

 

10.10.70.4 pap login for 'rgreen3~10.10.70.4' (realm: radiusRealm) (realm: radiusRealm) succeeded
10.10.70.4 pap login for 'rgreen3~10.10.70.4' (realm: radiusRealm) (realm: radiusRealm) succeeded
