Security


Tutorial - Clearpass TACACS+ Fortigate Login


    Posted Sep 16, 2020 12:52 PM

    In this post I will describe the configuration needed to use TACACS+ for login authentication on a Fortigate (v6.0.10). Fortigate KB article for reference: link.

     

    Configure your Fortigate for TACACS+ Authentication

    ### ADD TACACS SERVER
    config user tacacs+
        edit "ClearPass"
            set server "172.16.200.2"          ###CLEARPASS IP ADDRESS###
            set key "SECRETHERE"               ###CLEARPASS NAD PSK SECRET###
            set authorization enable
            set authen-type pap                ###DONT USE CHAP###
        next
    end
    
    ### ADD TACACS USER GROUP
    config user group
        edit "ClearPass-TACACS"
            set member "ClearPass"             ###CLEARPASS SERVER###
        next
    end
    
    ### CREATE AN ACCESS PROFILE WITH NO ACCESS
    config system accprofile
        edit "noaccess"
        next
    end
    
    ### CREATE A BACKGROUND USER
    config system admin
        edit "tacacs_admin"
            set remote-auth enable
            set accprofile "noaccess"
            set vdom "root"
            set wildcard enable
            set remote-group "ClearPass-TACACS"
            set accprofile-override enable
        next
    end

     

    Configure Aruba ClearPass TACACS+ Dictionary

    First things first! When configuring TACACS+ for a Fortigate it is important that the Fortigate TACACS+ dictionary is loaded into the ClearPass server. Simply import the .xml dictionary below.

    Note: This point is where I was failing the first time ;).

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
      <TipsHeader exportTime="Wed Sep 16 15:08:59 CEST 2020" version="6.9"/>
      <TacacsServiceDictionaries>
        <TacacsServiceDictionary dispName="fortigate" name="fortigate">
          <ServiceAttribute dataType="String" dispName="service" name="service"/>
          <ServiceAttribute dataType="String" dispName="memberof" name="memberof"/>
          <ServiceAttribute dataType="String" dispName="admin_prof" name="admin_prof"/>
        </TacacsServiceDictionary>
      </TacacsServiceDictionaries>
    </TipsContents>
     


    Configure Aruba ClearPass Enforcement profiles

    We create two enforcement profiles, one with administrator rights and one with operator rights. The "memberof" value can be an arbitrary name. The "admin_prof" value must equal an admin profile (accprofile) that exists on your Fortigate box.


     

    Configure Aruba ClearPass Enforcement policy

    For this test we create a very simple Enforcement Policy that looks into the local user repository and checks whether the user has the role "TACACS Super Admin" or "TACACS Helpdesk"; when a policy rule hits, it enforces the Admin or Readonly profile.


    Since the "Readonly" profile has not yet been created in the Fortigate configuration, we now do this via the web GUI for reference.


     

    Configure Aruba ClearPass Service

    Last but not least… We have to configure the ClearPass Service for the incoming TACACS+ Requests.

    • Type: TACACS+ Enforcement
    • Service Rule: Hits when the NAD (Fortigate) IP equals 172.16.200.254
    • Authentication Source: Local User Repository
    • Enforcement Policy: HomeLAB – Fortigate Policy


     

    Configure Aruba ClearPass Local Users

    Create two accounts in the local user database:

    • testuser with the role [TACACS Super Admin]
    • testuser-ro with the role [TACACS Helpdesk] (read-only)
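As an added example that is not part of the original post, the Python script below parses a FortiOS CLI snippet like the one above and flags the two FortiGate-side mismatches that break this setup: no wildcard admin with accprofile-override, and an enforcement profile whose admin_prof names a profile that does not exist on the box (the "Readonly" profile that had to be created above). The sample config and the enforcement-profile names it uses are constructed assumptions.

```python
# Added example (not from the original post); sample config and enforcement values are constructed.
def parse_fortios(text):
    """{section: {entry: {key: value}}} from flat config/edit/set/next/end blocks."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        word, _, rest = raw.split("#", 1)[0].strip().partition(" ")  # drop ### comments
        if word == "config":
            section, entry = rest, None
        elif word == "edit":
            entry = rest.strip('"')
            tree.setdefault(section, {}).setdefault(entry, {})
        elif word == "set" and entry is not None:
            key, _, val = rest.partition(" ")
            tree[section][entry][key] = val.strip().strip('"')
        elif word == "next":
            entry = None
        elif word == "end":
            section = None
    return tree

def config_problems(cfg, enforcement_profiles):
    """Return problems found; an empty list means the box matches the post's setup."""
    out = []
    admins = cfg.get("system admin", {}).values()
    if not any(a.get("wildcard") == a.get("accprofile-override") == "enable" for a in admins):
        out.append("no wildcard admin with accprofile-override enable")
    profiles = set(cfg.get("system accprofile", {}))  # accprofile names defined on the box
    for ep, attrs in enforcement_profiles.items():  # each admin_prof must name one of them
        if attrs.get("admin_prof") not in profiles:
            out.append(f"{ep}: admin_prof '{attrs.get('admin_prof')}' is not a system accprofile")
    return out

# Constructed sample: the box before the "Readonly" accprofile was created in the web GUI.
SAMPLE_CONFIG = """config system accprofile
    edit "noaccess"
    next
    edit "Admin"
    next
end
config system admin
    edit "tacacs_admin"
        set wildcard enable
        set accprofile-override enable
    next
end"""
# Constructed: the admin_prof value each ClearPass enforcement profile returns.
ENFORCEMENT = {"Admin profile": {"admin_prof": "Admin"}, "Readonly profile": {"admin_prof": "Readonly"}}
if __name__ == "__main__":
    print(config_problems(parse_fortios(SAMPLE_CONFIG), ENFORCEMENT))
```

Run it against the output of `show system accprofile` and `show system admin` from your own box to confirm the profile names ClearPass returns are really defined there.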


     

    TESTING TIME!!!

    Let's test the configuration from the Fortigate CLI. Yes! You can still log in with your local admin account, because we didn't remove it from the Fortigate box.


    Aruba ClearPass Access Tracker

    In the Aruba ClearPass Access Tracker we can monitor the login events.


    Some extra slides about the "testuser" request for reference...
