Tutorial - Clearpass TACACS+ Fortigate Login

In this post I will describe the configuration needed to use TACACS+ for authentication of admin logins on a Fortigate (v6.0.10). Fortigate KB article for reference here: link.


Configure your Fortigate for TACACS+ Authentication

### ADD TACACS SERVER
config user tacacs+
    edit "ClearPass"
        set server "172.16.200.2"          ### CLEARPASS IP ADDRESS ###
        set key "SECRETHERE"               ### CLEARPASS NAD PSK SECRET ###
        set authorization enable
        set authen-type pap                ### DON'T USE CHAP ###
    next
end

### ADD TACACS USER GROUP
config user group
    edit "ClearPass-TACACS"
        set member "ClearPass"             ### CLEARPASS SERVER ###
    next
end

### CREATE AN ACCESS PROFILE WITH NO ACCESS
config system accprofile
    edit "noaccess"
    next
end

### CREATE A BACKGROUND USER
config system admin
    edit "tacacs_admin"
        set remote-auth enable
        set accprofile "noaccess"
        set vdom "root"
        set wildcard enable
        set remote-group "ClearPass-TACACS"
        set accprofile-override enable
    next
end


Configure Aruba ClearPass TACACS+ Dictionary

First things first! When configuring TACACS+ for a Fortigate, it's important that the Fortigate TACACS+ dictionary is loaded into the ClearPass server. Simply import the .xml file below.

Note: This point is where I was failing the first time ;).

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Wed Sep 16 15:08:59 CEST 2020" version="6.9"/>
  <TacacsServiceDictionaries>
    <TacacsServiceDictionary dispName="fortigate" name="fortigate">
      <ServiceAttribute dataType="String" dispName="service" name="service"/>
      <ServiceAttribute dataType="String" dispName="memberof" name="memberof"/>
      <ServiceAttribute dataType="String" dispName="admin_prof" name="admin_prof"/>
    </TacacsServiceDictionary>
  </TacacsServiceDictionaries>
</TipsContents>

[Screenshot: 88.png]

Configure Aruba ClearPass Enforcement profiles

We create two enforcement profiles: one with administrator rights and one with operator rights. The “memberof” value can be any name. The “admin_prof” value must equal an admin profile (accprofile) that exists on your Fortigate box.

[Screenshots: 2.png, 3.png]


Configure Aruba ClearPass Enforcement policy

For this test we create a very simple enforcement policy that looks into the local user repository and checks whether the user has the role “TACACS Super Admin” or “TACACS Helpdesk”; when a policy rule hits, it enforces the Admin or the Readonly profile.

[Screenshot: 4.png]

Since the “Readonly” profile has not yet been created in the Fortigate configuration, we now do this via the web GUI for reference.

[Screenshot: 5.png]
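As an added example (not part of this post, and not ClearPass or Fortinet code), here is a small Python encoder/decoder for the TACACS+ authorization REPLY that carries the three dictionary attributes from the enforcement profiles above (service, memberof, admin_prof), obfuscated with the shared key from the Fortigate "set key" line, plus a helper that resolves which profile the wildcard "tacacs_admin" ends up with when accprofile-override is enabled. The session id, sequence number and the attribute values are constructed sample data.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0                   # header version byte: major 0xC, minor 0 (RFC 8907)
TAC_PLUS_AUTHOR = 0x02                    # packet type: authorization
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01    # server accepted; its args are added to the request's

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 obfuscation: chained MD5 over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def build_author_reply(session_id: int, seq_no: int, key: bytes, args: dict) -> bytes:
    """Build an obfuscated authorization REPLY whose args are the enforcement-profile attributes."""
    arg_bytes = [f"{k}={v}".encode() for k, v in args.items()]
    body = struct.pack("!BBHH", TAC_PLUS_AUTHOR_STATUS_PASS_ADD, len(arg_bytes), 0, 0)  # no server_msg/data
    body += bytes(len(a) for a in arg_bytes) + b"".join(arg_bytes)   # arg lengths, then the args
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))

def parse_author_reply(packet: bytes, key: bytes) -> dict:
    """De-obfuscate a REPLY and return {'status': int, 'args': {attribute: value}}."""
    version, _type, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    body = bytes(b ^ p for b, p in zip(packet[12:12 + length], pad))
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len             # skip server_msg and data fields
    args = {}
    for n in arg_lens:
        name, _, value = body[pos:pos + n].decode().partition("=")
        args[name] = value
        pos += n
    return {"status": status, "args": args}

def effective_profile(args: dict, admin_accprofile: str = "noaccess", override: bool = True) -> str:
    """admin_prof replaces the wildcard admin's own accprofile only with accprofile-override
    enabled; otherwise, or when the attribute is missing, the 'noaccess' profile stays in force."""
    if override and args.get("admin_prof"):
        return args["admin_prof"]
    return admin_accprofile

# Constructed sample: what ClearPass would return for testuser-ro (session id and seq_no are made up).
SHARED_KEY = b"SECRETHERE"
REPLY = build_author_reply(0x1234ABCD, 2, SHARED_KEY, {"service": "fortigate", "memberof": "TACACS Helpdesk", "admin_prof": "Readonly"})
DECODED = parse_author_reply(REPLY, SHARED_KEY)
```

A reply that lacks admin_prof leaves the session on the "noaccess" background profile, which is why that profile is created first.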


Configure Aruba ClearPass Service

Last but not least… we have to configure the ClearPass service for the incoming TACACS+ requests.

  • Type: TACACS+ Enforcement
  • Service Rule: Hits when the NAD (Fortigate) IP equals 172.16.200.254
  • Authentication Source: Local User Repository
  • Enforcement Policy: HomeLAB – Fortigate Policy

[Screenshot: 6.png]


Configure Aruba ClearPass Local Users

Create two accounts in the local user database:

  • testuser with the role [TACACS Super Admin]
  • testuser-ro with the role [TACACS Helpdesk] (read-only)

[Screenshot: 7.png]


TESTING TIME!!!

Let's test the configuration from the Fortigate CLI. Yes! You can still log in with your local admin account, because we didn't remove it from the Fortigate box.

[Screenshot: 8.png]

Aruba ClearPass Access Tracker

In the Aruba ClearPass Access Tracker we can monitor the login events.

[Screenshot: 9.png]

Some extra screenshots of the “testuser” request, for reference…

[Screenshots: 10.png, 11.png, 12.png, 13.png]

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.