- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- [Solved] TACACS + Fortigate doesnt challenge on au...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[Solved] TACACS + Fortigate doesnt challenge on authorization
Hi All,
I have 2 different location device 100D and 600C both device configure with same configuration according to KB.
100D
- did challenge authorization
- successful overwrite user profile
debug log
fnbamd_tac_plus.c[507] parse_authen_reply-authen result=1(pass) fnbamd_tac_plus.c[282] sock_connect-trying server 1: fnbamd_fsm.c[1034] fsm_tac_plus_result-Continue pending for req 2025560676 fnbamd_tac_plus.c[360] is_sock_connected-tcp connected x.x.x.x fnbamd_tac_plus.c[528] build_author_req-building author req packet: authen_type=2(pap) fnbamd_tac_plus.c[372] pak_send-Encrypting pkt
600C
- doesnt challenge authorization
debug log
fnbamd_tac_plus.c[507] parse_authen_reply-authen result=1(pass) fnbamd_fsm.c[822] find_matched_usr_grps-Skipped group matching fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 0 for req 1187971785 fnbamd_fsm.c[565] destroy_auth_session-delete session 1187971785
I'm wondering why 600C doesnt challenge for authorization since both configuration is same
KB steps is not complete.
Solved
cli
config user tacacs+
edit xxxx
set authorization enable
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
same FortiOS (which version we are talking about) ?
both configs truly has 'set authorization enable' in TACACS+ user config on FGT ?
Best regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
version 5.2.10
only 100D with 'set authorization enable'
600C doesn't
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
so we are done here and now you see why 600D do not attempt to do any authorization.
Best regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't believe it has anything to do with the fortigate model ( 600C or 600D ) btw. Have you upgraded to 5.2.11 which is the latest in that train?
FWIW I have a 80C that does this just great so I's not a Fortigate model # but probably more of a "fortiOS" version imho
Also ensure you have auth override enable ' set accprofile-override enable ' . I've seen a lot of sec-engineer beaten on why they don't pull the authorizations from the AAA servers.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi emnoc,
good point with override.
Sure it's not supposed to be model issue (at least not on bigger unit, but be aware that lowest ranges has limited remote auth possibilities).
As limvuihan stated in his previous post he did not had "both configuration" as same as he thought so.
And 100D had 'set authorization enable' while 600C had not.
That's why 600C did not even tried to gather authorization and do something more then pure auth.
Kind regards,
Tomas
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The accprofile overide is enable under the "USER" and has a indirect relation to the " set authorization enable " within that tacacs cfg cmd
In the OP, he probably does NOT have "accprofile override" for the direct user or wildcard named account.
Again, I'm 100% sure, and confident it' has nothing to do with the model#
;)
Here's a C model run 5.2.11 tacacs cfg btw.
config user tacacs+ edit "ESDescolarprimario" set server "1.1.1.1" set key ENC gltbeihm7Q5aysofGUPmdytYtVFb0AuOjCL5HI4u2LqMzfjbHX4d0vDqTnsxL72hTIQmotB7PUJpbYTZF2aD0dEEjhX/K3jELAlJZUuYegDPIR0uUXnBcd/Nt/HcTSMeHBLTMVs2o7EzflZ4VysK8558DeY52a9mTmvY/XVIDlAerUqOomyz1XPiAkGfwiimoffoVg== set authorization enable next end
config system admin edit "wildcard" set remote-auth enable
set remote-group miauthorigroupo set vdom "root" set wildcard enable set accprofile-override enable <-----HERE! if not enable, will not use authorization
next end
I hope that clear it up some what. I would personally do a "show full" from the CLI and validate the cfg before blaming the model# or FortiOS version#.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Override accprofile is different from challenge authorization.
override profile just to allow the shell profile to be override existing administrator profile.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[QOUTE]
Override accprofile is different from challenge authorization.
Okay what is "challenge authorization" ? What is an example?
Keep in mind that fportiOS really does NOT support the true function and definition of tripleA ( AAA )
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, I need to create a username into Fortigate to be allowed to login ?,
---
Kevin Morales
---
Kevin Morales
Related Posts
- what "This can be a challenge... 4 Views
- SSLVPN client certs and radius 157 Views
- FortiClient EMS cloud fails to authorize... 625 Views
- API v2 Adding user to a... 307 Views
- Need Help - Configuring Policy for... 682 Views
Labels
-
FortiGate
6,506 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.