Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Eric_N
New Contributor

Tacacs configuration - Authentication OK but no access to vdom

Hello,

 

I'm currently having an issue when configuring TACACS+. Authentication is working correctly, but I don't have access to vdoms. I'm running FortiOS v5.4.5,build1138 (GA).

 

Configuration:

config vdom
edit elbc-mgmt
config user tacacs+
    edit "TACACS-ISE"
        set server "x.x.x.x"
        set key ENC zqwEyuAFNC55u3Ve4ryjqLYTZTF91Wva825q4IkLKYKoIGUZ3l11QyuAOukWRP8Ejn11hODEqj/+yox3kD20pt0JWuhMSC7U/EVRSiwb9o6Dwx9SRlGhoXSPmHtQ15iN+8kGdn6FLsqzxpOAsXqJY79sqR6DsoPVsjxBx19ceUpJjary0oApEngL80aZeFIdluwA==
        set authorization enable
    next
end
config user group
    edit "TACACS_Group"
        set member "TACACS-ISE"
    next
end
next
end

config global
config system admin
    edit "TACACS_User"
        set remote-auth enable
        set accprofile "noaccess"
        set comments ''
        set vdom "elbc-mgmt"
        set schedule ''
        set two-factor disable
        set email-to ''
        set sms-server fortiguard
        set sms-phone ''
        set guest-auth disable
        set wildcard enable
        set remote-group "TACACS_Group"
        set accprofile-override enable
        set radius-vdom-override disable
    next
end

config system accprofile
    edit "noaccess"
    next
    edit "Read_Write"
        set mntgrp read-write
        set admingrp read-write
        set updategrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set routegrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set endpoint-control-grp read-write
        set wifi read-write
    next
    edit "Read_Only"
        set mntgrp read
        set admingrp read
        set updategrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set routegrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set endpoint-control-grp read
        set wifi read
    next
end
end

 

Below is the admin status output:

 

FortiGate $ get system admin status
username: user
login local: ssh
login device: base-mgmt:10.101.10.4:22
login remote: 10.101.10.15:64576
login vdom: elbc-mgmt
login access profile: Read_Write
login started: 2017-10-02 13:57:02
current time: 2017-10-02 13:57:15

 

Has anyone encountered this issue? The user needs to have access to all vdoms, but in my case it seems he only has access to one vdom.

 

Thank you for your help

Eric

emnoc
Esteemed Contributor III

Do you have a remote wildcard user, or what type of user? You might need to add the user to all vdoms?

 

 

e.g.

 

config sys admin
    edit wildcard
        set accprofile "profileALL"
        set vdom root AWS GCP AZURE CUST1 CUSTo CUSTB CUSTC
        set remote-group "tac_plus_group"
    next
end

 

tac_plus_group is our tac_plusd tacacs-servers group.

 

Ken

 

PCNSE 

NSE 

StrongSwan  

Eric_N
New Contributor

It should be a wildcard. 

 

On the ISE server, depending on the access level, it sends an "admin_prof" value which is either "Read_Write" or "Read_Only".

Configuration is based on https://blog.willsplace.co.uk/quick-dirty-fortigate-tacacs-config/ 

 

I have tried to add multiple vdoms:

config system admin
    edit "TACACS_User"
        set remote-auth enable
        set accprofile "noaccess"
        set vdom "elbc-mgmt" "vdom1" "vdom2" "vdom3"
        set wildcard enable
        set remote-group "TACACS_Group"
        set accprofile-override enable
    next
end

But when accessing the device, even though it seems the user doesn't have admin access (the server sends the value "Read_Only"), the user seems to have write access (managed to change configuration in vdom elbc-mgmt).

In the configuration there is a radius-vdom-override, but there doesn't seem to be the same thing for TACACS+.

 

Eric

emnoc
Esteemed Contributor III

Well, if you have "set accprofile-override enable", that will override the locally set accprofile. Are you sure that's not what's happening?

 

Going by what you listed in the FGT config:

 

1: your users are wildcard

2: the accprofile is overridden if one is present in the TACACS+ authorization

3: the users have access to ONLY "elbc-mgmt vdom1 vdom2 vdom3"

 

Is that speculation correct as far as what you want?

 

If that's what you want, I would look at the tacacs-server profiles.

PCNSE 

NSE 

StrongSwan  

xsilver_FTNT

1. radius-vdom-override is supposed to work for both RADIUS and TACACS+ accounts

2. unless you are Super_admin with Global scope, you have access to the VDOMs specified in the profile

3. older FOS also checked whether you accessed through an interface belonging to the set VDOMs, so if you accessed through an interface from a non-allowed VDOM, you were blocked

4. for accprofile override, sniff or run 'diag test authserver' to see what your TACACS+ server really returns as the acc profile. As you have profile override enabled, whatever came from the server, if the same profile exists on the FGT (exact string match), will be applied. If there is nothing from the server, or a non-matching acc profile, then the default profile from the wildcard admin config will be used (set accprofile "noaccess").

5. if you have an acc profile like "Read_Only" from the first post, and you are able to write to any of the read-only config categories, then it's a bug, please report it

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
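The following Python is an added example, not FortiOS code and not anything posted in this thread. It models the decision rule Tomas gives in point 4 (a server-supplied profile is applied only when a profile of exactly that name exists locally; otherwise the wildcard admin's own accprofile is used) and the VDOM scoping the thread reports for TACACS+ accounts (scope comes from the local admin entry, following what the original poster was told by Professional Services). The attribute name admin_prof is the one the poster's ISE sends and the profile names are those from the first post; the dataclasses, the AV-pair parser, and the sample replies are constructed for illustration and are not a description of the actual FortiOS implementation. It also goes slightly beyond the thread by accepting both the mandatory `attr=value` and optional `attr*value` TACACS+ forms.

```python
"""Model of the FortiOS access-profile override decision discussed above.

Added example only. Assumptions: the exact-string-match rule from the thread,
the attribute name 'admin_prof', and that VDOM scope is taken solely from the
local wildcard admin entry (no VDOM override for TACACS+ on this release).
"""
from dataclasses import dataclass


@dataclass
class WildcardAdmin:
    """Local 'config system admin' entry with 'set wildcard enable'."""
    name: str
    accprofile: str                 # fallback profile, e.g. "noaccess"
    vdoms: tuple                    # 'set vdom ...' on the local entry
    accprofile_override: bool = True


@dataclass
class Session:
    user: str
    accprofile: str
    vdoms: tuple
    profile_source: str             # "server" if the TACACS+ attribute was applied, else "local"


# Access profiles defined on the FortiGate (names from the original post; super_admin is built in)
LOCAL_PROFILES = frozenset({"noaccess", "Read_Write", "Read_Only", "super_admin"})


def parse_av_pairs(reply: str) -> dict:
    """Parse already-decoded TACACS+ authorization AV pairs such as 'admin_prof=Read_Only'.

    Accepts the mandatory 'attr=value' and optional 'attr*value' forms. On the wire the
    packet body is obfuscated with the shared key, which is why the thread points to
    'diag test authserver' rather than a plain packet capture to see these values.
    """
    attrs = {}
    for token in reply.split():
        for sep in ("=", "*"):
            if sep in token:
                key, value = token.split(sep, 1)
                attrs[key] = value
                break
    return attrs


def resolve_session(user: str, admin: WildcardAdmin, reply: str,
                    local_profiles=LOCAL_PROFILES) -> Session:
    """Server-supplied profile wins only on an exact name match with override enabled."""
    wanted = parse_av_pairs(reply).get("admin_prof")
    if admin.accprofile_override and wanted in local_profiles:
        return Session(user, wanted, admin.vdoms, "server")
    # No attribute, a non-matching name (case differs, typo), or override disabled:
    # fall back to the local default on the wildcard entry.
    return Session(user, admin.accprofile, admin.vdoms, "local")


def can_access_vdom(session: Session, vdom: str) -> bool:
    """VDOM scope is the local admin entry's list; a global-scope super_admin is not modelled."""
    return vdom in session.vdoms


def demo() -> dict:
    # Wildcard admin as in the first post: only elbc-mgmt, default profile noaccess.
    admin = WildcardAdmin("TACACS_User", "noaccess", ("elbc-mgmt",))
    no_override = WildcardAdmin("TACACS_User", "noaccess", ("elbc-mgmt",),
                                accprofile_override=False)
    # Constructed replies for illustration; not captured from a real ISE server.
    return {
        "rw": resolve_session("alice", admin, "admin_prof=Read_Write"),
        "ro": resolve_session("bob", admin, "admin_prof*Read_Only priv-lvl=15"),
        "case": resolve_session("carol", admin, "admin_prof=read_only"),   # no exact match
        "none": resolve_session("dave", admin, ""),                        # nothing returned
        "nooverride": resolve_session("erin", no_override, "admin_prof=Read_Write"),
    }


if __name__ == "__main__":
    for label, s in demo().items():
        print(f"{label:10s} {s.user:6s} profile={s.accprofile:10s} "
              f"from={s.profile_source:6s} vdoms={s.vdoms}")
```

Run it as-is to see the five outcomes: the two matching names are applied from the server, the case-mismatched name and the empty reply both fall back to noaccess, and every session is scoped to elbc-mgmt alone regardless of what the server said, which is the symptom in the first post.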

Eric_N

Hello,

 

Sorry, I was a bit busy for the last few days.

 

About the "Read_Only" acc profile, I got it wrong: I used multiple connections and got the wrong window. This profile can't "edit".

I was also in contact with Professional Services and they told me "TACACS+ VDOM override is not supported for TACACS+", so I have requested a new feature.

 

Thank you for your help and your time

Eric

tsilvey
New Contributor

Did you ever hear anything back on this NFR?

Eric_N
New Contributor

Hello Tsilvey,

 

No, I never got any feedback from them. I had to use RADIUS rather than TACACS+.

 

Eric
