[Solved] TACACS + Fortigate doesn't challenge on authorization

limvuihan (New Member), 2017/10/15 23:56:43

Hi All,
 
I have two devices in different locations, a 100D and a 600C; both are configured with the same configuration according to the KB.
 
100D
- did challenge for authorization
- successfully overwrote the user profile
 
debug log
 
fnbamd_tac_plus.c[507] parse_authen_reply-authen result=1(pass)
fnbamd_tac_plus.c[282] sock_connect-trying server 1: 
fnbamd_fsm.c[1034] fsm_tac_plus_result-Continue pending for req 2025560676
fnbamd_tac_plus.c[360] is_sock_connected-tcp connected x.x.x.x
fnbamd_tac_plus.c[528] build_author_req-building author req packet: authen_type=2(pap)
fnbamd_tac_plus.c[372] pak_send-Encrypting pkt
 
600C
- doesn't challenge for authorization
debug log
fnbamd_tac_plus.c[507] parse_authen_reply-authen result=1(pass)
fnbamd_fsm.c[822] find_matched_usr_grps-Skipped group matching
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 0 for req 1187971785
fnbamd_fsm.c[565] destroy_auth_session-delete session 1187971785
 
 
I'm wondering why the 600C doesn't challenge for authorization, since both configurations are the same.
 
The KB steps are not complete.
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33320&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=117824295&stateId=0%200%20117826054
 
Solved via CLI:
config user tacacs+
edit xxxx
set authorization enable
 
post edited by limvuihan - 2017/10/16 02:44:01
#1
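To make the difference between the two debug traces mechanical rather than eyeballed, here is an added example (not from the thread, not Fortinet code) that parses the fnbamd debug lines quoted above and reports whether a TACACS+ session stopped after authentication or went on to build an authorization request. The line format assumed is the one visible in the post, `<file>.c[<line>] <function>-<message>`; the two sample traces are the ones posted, embedded as constructed strings, and the classification labels are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed samples: the two fnbamd debug traces quoted in the post (x.x.x.x is the masked server).
SAMPLE_100D = """\
fnbamd_tac_plus.c[507] parse_authen_reply-authen result=1(pass)
fnbamd_tac_plus.c[282] sock_connect-trying server 1:
fnbamd_fsm.c[1034] fsm_tac_plus_result-Continue pending for req 2025560676
fnbamd_tac_plus.c[360] is_sock_connected-tcp connected x.x.x.x
fnbamd_tac_plus.c[528] build_author_req-building author req packet: authen_type=2(pap)
fnbamd_tac_plus.c[372] pak_send-Encrypting pkt
"""

SAMPLE_600C = """\
fnbamd_tac_plus.c[507] parse_authen_reply-authen result=1(pass)
fnbamd_fsm.c[822] find_matched_usr_grps-Skipped group matching
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 0 for req 1187971785
fnbamd_fsm.c[565] destroy_auth_session-delete session 1187971785
"""

# Assumed line shape: "<source>.c[<lineno>] <function>-<message>"
LINE_RE = re.compile(r"^(?P<src>\w+\.c)\[(?P<lineno>\d+)\]\s+(?P<func>\w+)-(?P<msg>.*)$")


@dataclass
class TacacsTrace:
    """What one fnbamd TACACS+ trace tells us about the session."""
    authen_result: Optional[str] = None      # e.g. "pass" from "result=1(pass)"
    author_requested: bool = False           # build_author_req seen
    group_matching_skipped: bool = False     # find_matched_usr_grps said "Skipped"
    req_ids: Set[str] = field(default_factory=set)


def parse_trace(text: str) -> TacacsTrace:
    """Walk the debug lines and collect the authentication/authorization milestones."""
    trace = TacacsTrace()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unrelated or truncated line
        func, msg = m["func"], m["msg"]
        if func == "parse_authen_reply":
            r = re.search(r"result=\d+\((\w+)\)", msg)
            if r:
                trace.authen_result = r.group(1)
        elif func == "build_author_req":
            trace.author_requested = True
        elif func == "find_matched_usr_grps" and "Skipped" in msg:
            trace.group_matching_skipped = True
        req = re.search(r"\b(?:req|session) (\d+)", msg)
        if req:
            trace.req_ids.add(req.group(1))
    return trace


def diagnose(text: str) -> str:
    """Classify a trace: did the FortiGate stop at authentication or ask the server for authorization?"""
    trace = parse_trace(text)
    if trace.authen_result != "pass":
        return "authentication-failed-or-missing"
    if trace.author_requested:
        return "authorization-requested"
    # Authentication passed but no authorization packet was built: on this thread that meant
    # 'set authorization enable' was absent from the TACACS+ server entry.
    return "authentication-only"


if __name__ == "__main__":
    for label, sample in (("100D", SAMPLE_100D), ("600C", SAMPLE_600C)):
        print(label, diagnose(sample), sorted(parse_trace(sample).req_ids))
```

Feed it the output of the fnbamd debug on a unit and `authentication-only` is the signature to look for before touching the model or FortiOS version: the server said pass, yet no `build_author_req` line ever appears.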


    xsilver (Expert Member), 2017/10/16 02:39:28
    Hi,
     
    Same FortiOS (which version are we talking about)?
    Do both configs truly have 'set authorization enable' in the TACACS+ user config on the FGT?
     
    Best regards,
    Tomas

    Kind Regards,
    Tomas
    #2
    limvuihan (New Member), 2017/10/16 03:32:46
    version 5.2.10
     
    only 100D with 'set authorization enable'
     
    600C doesn't
     
    #3
    xsilver (Expert Member), 2017/10/16 05:08:51
    Hi,
    So we are done here, and now you see why the 600D does not attempt to do any authorization.
    Best regards,
    Tomas

    #4
    emnoc (Expert Member), 2017/10/16 05:52:08
    I don't believe it has anything to do with the Fortigate model (600C or 600D), btw. Have you upgraded to 5.2.11, which is the latest in that train?
     
    FWIW, I have an 80C that does this just great, so it's not a Fortigate model # but probably more of a "FortiOS" version, imho.
     
    Also ensure you have auth override enabled: 'set accprofile-override enable'. I've seen a lot of sec-engineers beaten on why they don't pull the authorizations from the AAA servers.
     
     
    Ken
     

    PCNSE 
    NSE 
    StrongSwan  
    #5
    xsilver (Expert Member), 2017/10/16 06:01:32
    Hi emnoc,
    good point with override.
    Sure, it's not supposed to be a model issue (at least not on bigger units, but be aware that the lowest ranges have limited remote auth possibilities).
    As limvuihan stated in his previous post, he did not have "both configurations" the same as he thought.
    The 100D had 'set authorization enable' while the 600C had not.
    That's why the 600C did not even try to gather authorization and do something more than pure auth.
    Kind regards,
    Tomas

    #6
    emnoc (Expert Member), 2017/10/16 06:26:32
    The accprofile override is enabled under the "USER" and has an indirect relation to the "set authorization enable" within that tacacs cfg cmd.
     
    In the OP, he probably does NOT have "accprofile override" for the direct user or wildcard named account.
     
    Again, I'm 100% sure and confident it has nothing to do with the model#.
     
    ;)
     
    Here's a C model running 5.2.11 tacacs cfg, btw.
     
     
    config user tacacs+
        edit "ESDescolarprimario"
            set server "1.1.1.1"
            set key ENC gltbeihm7Q5aysofGUPmdytYtVFb0AuOjCL5HI4u2LqMzfjbHX4d0vDqTnsxL72hTIQmotB7PUJpbYTZF2aD0dEEjhX/K3jELAlJZUuYegDPIR0uUXnBcd/Nt/HcTSMeHBLTMVs2o7EzflZ4VysK8558DeY52a9mTmvY/XVIDlAerUqOomyz1XPiAkGfwiimoffoVg==
            set authorization enable
        next
    end
     
    config system admin
        edit "wildcard"
            set remote-auth enable
            set remote-group  miauthorigroupo
            set vdom "root"
            set wildcard enable
            set accprofile-override enable     <-----HERE! if not enable, will not use authorization

        next
    end
     
    I hope that clears it up somewhat. I would personally do a "show full" from the CLI and validate the cfg before blaming the model# or FortiOS version#.
     
     
    Ken
     
     

    #7
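Ken's advice is to pull a "show full" and validate the config before blaming hardware or firmware. As an added example (my code, not from the thread and not a Fortinet tool), the following reads FortiOS-style `config`/`edit`/`set`/`next`/`end` text and flags exactly the two omissions this thread turns on: a `user tacacs+` entry without `set authorization enable`, and a remote-auth `system admin` entry without `set accprofile-override enable`. The sample config is constructed after the one posted above, with the encrypted key replaced by a placeholder and two deliberately incomplete entries added; the parser assumes flat tables (no nested `config` blocks inside an `edit`), which is all these two tables need.

```python
from typing import Dict, List

# Constructed sample modelled on the config posted in the thread; the key is a placeholder
# and the "tac-authen-only" / "wildcard-noov" entries are added to show the failing cases.
SAMPLE_CONFIG = """\
config user tacacs+
    edit "tac-ok"
        set server "1.1.1.1"
        set key ENC PLACEHOLDER
        set authorization enable
    next
    edit "tac-authen-only"
        set server "1.1.1.2"
        set key ENC PLACEHOLDER
    next
end
config system admin
    edit "wildcard"
        set remote-auth enable
        set remote-group miauthorigroupo
        set vdom "root"
        set wildcard enable
        set accprofile-override enable
    next
    edit "wildcard-noov"
        set remote-auth enable
        set remote-group miauthorigroupo
        set vdom "root"
        set wildcard enable
    next
    edit "admin"
        set vdom "root"
    next
end
"""

ConfigTree = Dict[str, Dict[str, Dict[str, str]]]


def parse_fortios(text: str) -> ConfigTree:
    """Return {section: {entry_name: {key: value}}} from flat FortiOS CLI tables."""
    tree: ConfigTree = {}
    section_stack: List[str] = []
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section_stack.append(line[len("config "):])
            tree.setdefault(section_stack[-1], {})
        elif line.startswith("edit "):
            name = line[len("edit "):].strip().strip('"')
            entry = tree[section_stack[-1]].setdefault(name, {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            entry[key] = value.strip().strip('"')
        elif line == "next":
            entry = None
        elif line == "end" and section_stack:
            section_stack.pop()
    return tree


def check_tacacs_authorization(tree: ConfigTree) -> List[str]:
    """Flag the two settings whose absence made the 600C stop after authentication."""
    findings: List[str] = []
    for name, attrs in tree.get("user tacacs+", {}).items():
        if attrs.get("authorization") != "enable":
            findings.append(
                f"user tacacs+ '{name}': 'set authorization enable' missing; "
                "the FortiGate will authenticate only and never request authorization"
            )
    for name, attrs in tree.get("system admin", {}).items():
        if attrs.get("remote-auth") == "enable" and attrs.get("accprofile-override") != "enable":
            findings.append(
                f"system admin '{name}': remote-auth without 'set accprofile-override enable'; "
                "the profile returned by the server cannot override the local one"
            )
    return findings


if __name__ == "__main__":
    for finding in check_tacacs_authorization(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run it against the saved output of "show full" (or the two tables shown above) on each unit; if the 100D comes back clean and the 600C lists its TACACS+ server entry, that is the configuration difference the debug trace was showing.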
    limvuihan (New Member), 2017/10/19 01:20:26
    Override accprofile is different from challenge authorization.
    The override profile just allows the shell profile to override the existing administrator profile.
     
     
    #8
    emnoc (Expert Member), 2017/10/19 08:41:22
    Quote: "Override accprofile is different from challenge authorization."
     
    Okay, what is "challenge authorization"? What is an example?
     
    Keep in mind that FortiOS really does NOT support the true function and definition of triple-A (AAA).

    #9
    Kevin.Morales (New Member), 2020/02/18 08:38:14
    So, I need to create a username in the Fortigate to be allowed to log in?

    ---
    Kevin Morales
    #10