Occasional Contributor II

Access to Fortigate devices via CPPM TACACS

Hi All,

 

Does anyone have any experience with setting up TACACS+ via CPPM for Fortigate devices? If so, does anyone have a pre-made dictionary they can share and a few simple steps?

 

Thanks in advance.

Matt.

Re: Access to Fortigate devices via CPPM TACACS

I don't have an existing dictionary you can import, but here's the information you would need to add:

 

You need to create 2 different Shell Profiles (Full Admin and Read-Only). They should have the following attributes:

Full Admin
service=fortigate
memberof=<group name>
admin_prof=<profile name>

Read-Only
service=fortigate
memberof=<group name>
admin_prof=<profile name>

Hope that helps. I don't have a device to test with, but I believe that is correct.



Michael Haring
If my answer is helpful, a Kudos is always appreciated!
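An added example, not from the thread or from Aruba/Fortinet: a small Python check for the attribute list a CPPM shell profile returns in the TACACS+ authorization reply, built on the three attributes listed above (service, memberof, admin_prof). The "=" versus "*" separator rule is standard TACACS+ behaviour (mandatory versus optional attribute); the group and profile names in the sample replies are constructed.

```python
# Added example (not from the thread): parse the attribute-value pairs a
# TACACS+ authorization reply carries, as a CPPM shell profile would send
# them, and check they contain what the FortiGate expects. The required keys
# and the "fortigate" service name come from the thread above; the
# mandatory/optional split ("=" vs "*") is TACACS+ protocol behaviour.
from dataclasses import dataclass

REQUIRED = ("service", "memberof", "admin_prof")


@dataclass
class AVPair:
    key: str
    value: str
    mandatory: bool  # TACACS+: "key=value" is mandatory, "key*value" is optional


def parse_av_pair(raw: str) -> AVPair:
    """Split one TACACS+ AV pair on its first '=' or '*' separator."""
    for i, ch in enumerate(raw):
        if ch in "=*":
            return AVPair(raw[:i], raw[i + 1:], ch == "=")
    raise ValueError(f"no '=' or '*' separator in AV pair: {raw!r}")


def check_fortigate_profile(av_pairs: list) -> list:
    """Return a list of problems; an empty list means the profile looks right."""
    problems, seen = [], {}
    for raw in av_pairs:
        pair = parse_av_pair(raw)
        if pair.key in seen:
            problems.append(f"duplicate attribute {pair.key}")
        seen[pair.key] = pair
    for key in REQUIRED:
        if key not in seen:
            problems.append(f"missing attribute {key}")
        elif not seen[key].mandatory:
            problems.append(f"{key} sent as optional ('*'); use '=' so it is mandatory")
        elif not seen[key].value or seen[key].value.startswith("<"):
            problems.append(f"{key} still holds a placeholder value: {seen[key].value!r}")
    svc = seen.get("service")
    if svc is not None and svc.value != "fortigate":
        problems.append(f"service must be 'fortigate', got {svc.value!r}")
    return problems


# Constructed sample replies: one correct, one with the placeholder left in,
# memberof sent as optional and the wrong service name.
GOOD = ["service=fortigate", "memberof=fg-admins", "admin_prof=super_admin"]
BAD = ["service=shell", "memberof*fg-admins", "admin_prof=<profile name>"]
```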
Occasional Contributor I

Re: Access to Fortigate devices via CPPM TACACS

Hi,

 

I'm having the same issue. I'm trying to authenticate 2 user types, 1 with super_admin access and one with readonly access. The issue I’ve been having is getting remote authorization working on the Fortigate. I can authenticate users using CPPM TACACS but authorization isn’t working.

 

The issue appears to be on the CPPM side and that the shell profile isn’t matching something on the Fortigate. The error message I see in CPPM and the shell profile is attached.

 

At the moment, I'm trying to get remote-auth to work for super_admin access by setting the admin profile to noaccess.

 

On the Fortigate I have set remote-auth, wildcard, accprofile-override and radius-vdom-override to enable.

 

I hope this makes sense; if not, let me know what needs clarifying.

 

Thanks

Sean

Occasional Contributor I

Re: Access to Fortigate devices via CPPM TACACS

I created 2 different Shell Profiles (Full Admin and Read-Only) with the attributes stated above but it didn't work.

 

The Fortigate authenticates all users but doesn't authorize them, meaning CPPM doesn't override the local admin profile.
