TACACS+ integration with Fortigate Firewall

1. Add the TACACS+ server to the FortiGate using the following commands on the CLI:

config user tacacs+
    edit <server name>
        set authorization enable
        set server <server ip>
        set key <server key>
        set authen-type chap
    next
end

The "auto" authentication type doesn't work with TACACS+ here, so you have to set the authentication type to "chap".
You'll find the server key in the configuration file of your TACACS+ server.

2. Create a user group and add the server as a member:

config user group
    edit <tacacs+ group name>
        set member <server name>
    next
end

With this method, any user who has an account on the remote server can authenticate.

Note: Another method would be to create TACACS+ user accounts directly on your FortiGate. In this case, you have to specify which TACACS+ server you want to use for each user you create:

config user local
    edit <user name>
        set type tacacs+
        set tacacs+-server <server name>
    next
end

3. Create an admin user set up for remote login, with wildcard enabled and a no-access profile.

For this step, you have to be in global context if your FortiGate is configured with vdoms:

config global

Start by creating the access profile (a minimal profile, so that the access profile returned by the TACACS+ server can be applied on top of it):

config system accprofile
    edit noaccess
    next
end

Then create your admin:

config system admin
    edit <profile name>
        set remote-auth enable
        set accprofile "noaccess"
        set vdom "root"
        set wildcard enable
        set remote-group <tacacs+ group name>
        set accprofile-override enable
    next
end

Enabling the override means you will be able to give a TACACS+ admin user more rights than the noaccess profile would allow.

TACACS+ server configuration:

Create your users and user groups in the TACACS+ server configuration file.

A basic example:

group = read-only {
    default service = permit
}

An admin group example:

group = admins {
    default service = permit
    service = fortigate {
        admin_prof = super_admin
    }
}

Declaring the "fortigate" service with "admin_prof" set to "super_admin" gives the users of this group admin access: the FortiGate applies that profile in place of "noaccess" because accprofile-override is enabled.

For your users, configure chap as the authentication method to make it work with your FortiGate:

user = <regular user name> {
    default service = permit
    member = read-only
    login = cleartext <password>
    chap = cleartext <password>
}

user = <admin user name> {
    default service = permit
    member = admins
    login = cleartext <password>
    chap = cleartext <password>
}
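To show what `set key <server key>`, `set authen-type chap` and the `chap = cleartext <password>` user entries actually do on the wire, here is an added Python example (not from the original post, nor FortiGate or tac_plus code): it computes the CHAP response the FortiGate sends, verifies it the way the server must from the stored cleartext, and applies the RFC 8907 MD5 body obfuscation keyed by the shared server key. The password, key and session id are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# CHAP (RFC 1994): response = MD5(id || password || challenge).
# This is what the FortiGate, as TACACS+ client, computes from the user's
# typed password when `set authen-type chap` is configured.
def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

# TACACS+ (RFC 8907 section 5.4.2.3) carries CHAP as id || challenge || response
# in the data field of the authentication START packet.
def pack_chap_data(identifier: int, challenge: bytes, response: bytes) -> bytes:
    return bytes([identifier]) + challenge + response

def unpack_chap_data(data: bytes):
    return data[0], data[1:-16], data[-16:]

# Server side: tac_plus recomputes the response from the stored cleartext.
# A one-way hash cannot do that, which is why the user entry needs
# `chap = cleartext <password>` rather than only a hashed login password.
def server_verify(data: bytes, stored_cleartext: bytes) -> bool:
    identifier, challenge, response = unpack_chap_data(data)
    expected = chap_response(identifier, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)

# RFC 8907 section 4.5: the packet body is XORed with an MD5 keystream derived
# from the shared key (`set key <server key>`). This is obfuscation, not
# encryption, so keep TACACS+ on a trusted management network.
def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()  # MD5_n chains MD5_(n-1)
        pad += last
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC1, seq_no: int = 1) -> bytes:
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def demo() -> bool:
    # Constructed values: password as in a `chap = cleartext` line, key as in `set key`.
    password, key, session_id = b"examplepass", b"examplekey", 0x12345678
    identifier, challenge = 7, os.urandom(16)
    data = pack_chap_data(identifier, challenge, chap_response(identifier, password, challenge))
    wire = obfuscate(data, session_id, key)
    assert obfuscate(wire, session_id, key) == data  # same pad restores the body
    return server_verify(data, password) and not server_verify(data, b"wrongpass")
```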

Verification:

In order to check your configuration, use the following command in the FortiGate CLI:

diagnose test authserver tacacs+ <server name> <user name> <password>

This tests the given credentials against the remote server and also returns the authenticated user's admin profile.

Example output:

authenticate user 'fortiadmin' on server 'tac_plus' succeeded
Admin profile: super_admin
