Tacacs configuration - Authentication OK but no access to vdom

Author: Eric N
2017/10/02 05:05:05 (permalink)

Hello,
 
I'm currently having an issue configuring TACACS+. Authentication is working correctly, but I don't have access to VDOMs. I'm running FortiOS v5.4.5,build1138 (GA).
 
Configuration:
config vdom
edit elbc-mgmt
config user tacacs+
    edit "TACACS-ISE"
        set server "x.x.x.x"
        set key ENC zqwEyuAFNC55u3Ve4ryjqLYTZTF91Wva825q4IkLKYKoIGUZ3l11QyuAOukWRP8Ejn11hODEqj/+yox3kD20pt0JWuhMSC7U/EVRSiwb9o6Dwx9SRlGhoXSPmHtQ15iN+8kGdn6FLsqzxpOAsXqJY79sqR6DsoPVsjxBx19ceUpJjary0oApEngL80aZeFIdluwA==
        set authorization enable
    next
end
config user group
    edit "TACACS_Group"
        set member "TACACS-ISE"
    next
end
 
config global
config system admin
    edit "TACACS_User"
        set remote-auth enable
        set accprofile "noaccess"
        set comments ''
        set vdom "elbc-mgmt"
        set schedule ''
        set two-factor disable
        set email-to ''
        set sms-server fortiguard
        set sms-phone ''
        set guest-auth disable
        set wildcard enable
        set remote-group "TACACS_Group"
        set accprofile-override enable
        set radius-vdom-override disable
    next
end

config system accprofile
    edit "noaccess"
    next
    edit "Read_Write"
        set mntgrp read-write
        set admingrp read-write
        set updategrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set routegrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set endpoint-control-grp read-write
        set wifi read-write
    next
    edit "Read_Only"
        set mntgrp read
        set admingrp read
        set updategrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set routegrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set endpoint-control-grp read
        set wifi read
    next
end

 
Below is the output of the admin status command:
 
FortiGate $ get system admin status
username: user
login local: ssh
login device: base-mgmt:10.101.10.4:22
login remote: 10.101.10.15:64576
login vdom: elbc-mgmt
login access profile: Read_Write
login started: 2017-10-02 13:57:02
current time: 2017-10-02 13:57:15

 
Has anyone encountered this issue? The user needs to have access to all VDOMs, but it seems that in my case he only has access to 1 VDOM.
 
Thank you for your help
Eric
post edited by Eric N - 2017/10/02 08:16:11
#1

7 Replies

    emnoc
    Re: Tacacs configuration - Authentication OK but no access to vdom 2017/10/02 06:17:30 (permalink)
    Do you have a remote-wildcard user, or what type of user? You might need to add the user to ALL vdoms?
     
     
    e.g.
     
    config sys admin
    edit wildcard
            set accprofile "profileALL"
            set vdom root AWS GCP AZURE CUST1 CUSTo CUSTB CUSTC
            set remote-group "tac_plus_group"
        next
    end
     
    tac_plus_group is our tac_plusd tacacs-servers group.
     
    Ken
     

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #2
    Eric N
    Re: Tacacs configuration - Authentication OK but no access to vdom 2017/10/02 08:15:27 (permalink)
    It should be a wildcard. 
     
    On the ISE server, depending on the access level, it sends an "admin_prof" value which is either "Read_Write" or "Read_Only".
    Configuration is based on https://blog.willsplace.co.uk/quick-dirty-fortigate-tacacs-config/ 
     
    I have tried to add multiple vdoms:

    config system admin
    edit "TACACS_User"
    set remote-auth enable
    set accprofile "noaccess"
    set vdom "elbc-mgmt vdom1 vdom2 vdom3"
    set wildcard enable
    set remote-group "TACACS_Group"
    set accprofile-override enable
    next
    end

    But when accessing the device, even though the user shouldn't have admin access (ISE sending the value "Read_Only"), the user seems to have write access (managed to change the configuration in vdom elbc-mgmt).
    In the configuration there is a radius-vdom-override, but there doesn't seem to be the same thing for TACACS+.
     
    Eric
    #3
    emnoc
    Re: Tacacs configuration - Authentication OK but no access to vdom 2017/10/02 09:15:35 (permalink)
    Well, if you have "set accprofile-override enable", that will override the locally set access profile. Are you sure that's not what's happening?
     
    Going by what you listed in the FGT.config,
     
    1: your users are wildcard
    2: the accprofile is overridden if present in the tacacs authorization
    3: the users have access to ONLY "elbc-mgmt vdom1 vdom2 vdom3"
     
    Is that speculation correct as far as what you want?
     
    If that's what you want, I would look at the tacacs-server profiles.

    PCNSE, NSE, Forcepoint, StrongSwan Specialist
    #4
    xsilver_FTNT
    Re: Tacacs configuration - Authentication OK but no access to vdom 2017/10/03 04:11:48 (permalink)
    1. radius-vdom-override is supposed to work for both RADIUS and TACACS+ accounts.
    2. Unless you are Super_admin with Global scope, you have access to the VDOMs specified in the profile.
    3. Older FOS also controlled whether you access through an interface belonging to the set VDOMs, so if you accessed through an interface from a non-allowed VDOM, you were blocked.
    4. For access profile override, sniff or use 'diag test authserver' to see what your TACACS+ server really returns as the acc profile. As you have profile override enabled, whatever came from the server will be applied if the same profile exists on the FGT (exact string match). If there is nothing from the server, or a non-matching acc profile, then the default profile from the wildcard admin config will be used (set accprofile "noaccess").
    5. If you have an acc profile like "Read_Only" from the first post and you are able to write to any of the read-only config categories, then it's a bug, please report it.
    post edited by xsilver_FTNT - 2017/10/03 04:14:16

    Kind Regards,
    Tomas
    #5
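The override and scope rules described in replies #3 and #5 (the server returns an admin_prof name; with accprofile-override enabled it is applied only on an exact string match against a locally defined accprofile, otherwise the wildcard admin's own accprofile applies; access is limited to the admin's vdom list) can be checked offline before touching the box. This added Python example is not from the thread or from Fortinet: it parses the config-block syntax quoted above into dicts and resolves what a login would get. The sample config is constructed from the thread's snippets, and the Super_admin/Global-scope exception from point 2 is not modelled.

```python
SAMPLE_CONFIG = """config system accprofile
    edit "noaccess"
    next
    edit "Read_Write"
        set sysgrp read-write
    next
    edit "Read_Only"
        set sysgrp read
    next
end
config system admin
    edit "TACACS_User"
        set accprofile "noaccess"
        set vdom "elbc-mgmt" "vdom1"
        set wildcard enable
        set accprofile-override enable
    next
end
"""  # constructed sample, trimmed from the config snippets quoted in this thread

def parse_fortios(text):
    """Turn 'config / edit / set / next / end' blocks into nested dicts."""
    stack = [{}]  # stack[-1] is the block currently being filled
    for parts in [ln.split(maxsplit=1) for ln in text.splitlines() if ln.strip()]:
        kw, rest = (parts + [""])[:2]
        if kw in ("config", "edit"):  # open a nested block
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif kw in ("next", "end"):  # close it
            stack.pop()
        elif kw == "set":
            key, _, value = rest.partition(" ")
            stack[-1][key] = value.strip()
    return stack[0]

def effective_access(cfg, admin_name, server_attrs):
    """(accprofile, vdoms) a TACACS+ login gets through this wildcard admin."""
    admin = cfg["system admin"][admin_name]
    profile = admin["accprofile"].strip('"')
    if admin.get("accprofile-override") == "enable":
        wanted = server_attrs.get("admin_prof")  # attribute name used in post #3
        profile = wanted if wanted in cfg["system accprofile"] else profile  # exact match or local default
    vdoms = admin.get("vdom", "").replace('"', " ").split()  # accepts any quoting style
    return profile, vdoms

def can_write(cfg, admin_name, server_attrs, vdom, group):
    """True only if `vdom` is in scope and the resolved profile is read-write on `group`."""
    profile, vdoms = effective_access(cfg, admin_name, server_attrs)
    return vdom in vdoms and cfg["system accprofile"][profile].get(group) == "read-write"
```

Compare the result with the "login access profile" and "login vdom" lines of `get system admin status` from the first post; a mismatch points at what the server actually returned (see 'diag test authserver' in point 4).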
    Eric N
    Re: Tacacs configuration - Authentication OK but no access to vdom 2017/10/05 00:47:30 (permalink)
    Hello,
     
    Sorry, I was a bit busy for the last few days.
     
    About the "Read_Only" acc profile, I got it wrong: I used multiple connections and got the wrong window. This profile can't "edit".
    I was also in contact with Professional Services and they told me "Tacacs+ VDOM Override is not supported for TACACS+", so I have requested a new feature.
     
    Thank you for your help and your time
    Eric
    #6
    tsilvey
    Re: Tacacs configuration - Authentication OK but no access to vdom 2019/02/22 11:53:00 (permalink)
    Did you ever hear anything back on this NFR?
    #7
    Eric N
    Re: Tacacs configuration - Authentication OK but no access to vdom 2019/02/25 01:13:56 (permalink)
    Hello Tsilvey,
     
    No, I never got any feedback from them. I had to use RADIUS rather than TACACS+.
     
    Eric
    #8