In this post I will describe the configuration needed to use TACACS+ for login authentication on a Fortigate (v6.0.10). Fortigate KB article for reference: link.
Configure your Fortigate for TACACS+ Authentication
### ADD TACACS SERVER
config user tacacs+
edit "ClearPass"
set server "172.16.200.2" ###CLEARPASS IP ADDRESS###
set key "SECRETHERE" ###CLEARPASS NAD PSK SECRET###
set authorization enable
set authen-type pap ###DONT USE CHAP###
next
end
### ADD TACACS USER GROUP
config user group
edit "ClearPass-TACACS"
set member "ClearPass" ###CLEARPASS SERVER###
next
end
### CREATE AN ACCESS PROFILE WITH NO ACCESS
config system accprofile
edit "noaccess"
next
end
### CREATE A BACKGROUND USER
config system admin
edit "tacacs_admin"
set remote-auth enable
set accprofile "noaccess"
set vdom "root"
set wildcard enable
set remote-group "ClearPass-TACACS"
set accprofile-override enable
next
end
Configure Aruba ClearPass TACACS+ Dictionary
First things first! When configuring TACACS+ for a Fortigate it’s important that the Fortigate TACACS+ dictionary is loaded into the ClearPass server. Simply import the .xml file below.
Note: This point is where I was failing the first time ;).
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
<TipsHeader exportTime="Wed Sep 16 15:08:59 CEST 2020" version="6.9"/>
<TacacsServiceDictionaries>
<TacacsServiceDictionary dispName="fortigate" name="fortigate">
<ServiceAttribute dataType="String" dispName="service" name="service"/>
<ServiceAttribute dataType="String" dispName="memberof" name="memberof"/>
<ServiceAttribute dataType="String" dispName="admin_prof" name="admin_prof"/>
</TacacsServiceDictionary>
</TacacsServiceDictionaries>
</TipsContents>

Configure Aruba ClearPass Enforcement profiles
We create two enforcement profiles, one with administrator rights and one with operator rights. The “memberof” value can be any name. The “admin_prof” value must equal an admin profile that exists on your Fortigate box.


Configure Aruba ClearPass Enforcement policy
For this test we create a very simple enforcement policy that looks into the local user repository and checks whether the user has the role “TACACS Super Admin” or “TACACS Helpdesk”; when a policy rule hits, it enforces the Admin or Readonly profile respectively.

Since the “Readonly” profile has not yet been created in the Fortigate configuration, we now do this via the web GUI for reference.
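The two requirements above (the “admin_prof” value must name an admin profile that really exists on the Fortigate, and the background admin must stay a least-privilege wildcard account that only gets elevated by the TACACS+ reply) are easy to get wrong with a typo, as the missing “Readonly” profile shows. The following is an added example, not code from the post or from Fortinet or Aruba: a small Python checker that parses a constructed Fortigate configuration excerpt in the same shape as the CLI blocks above and validates constructed ClearPass enforcement profile attribute sets against it. The profile names, the “memberof” values and the “Readony” typo are made up for the demonstration; the check that a reply without admin_prof leaves the admin on its own “noaccess” profile follows from the post’s design (accprofile-override on top of a noaccess default) and is an assumption of this example.

```python
import shlex

# Constructed sample input: a FortiGate configuration excerpt in the same
# shape as the blocks in the post (flat "config ... edit ... set ... next ... end"
# blocks), plus the "Readonly" profile created later in the GUI. super_admin is
# a built-in FortiOS profile and is listed so the Admin enforcement profile resolves.
FORTIGATE_CONFIG = """
config system accprofile
    edit "super_admin"
    next
    edit "noaccess"
    next
    edit "Readonly"
    next
end
config user group
    edit "ClearPass-TACACS"
        set member "ClearPass"
    next
end
config system admin
    edit "tacacs_admin"
        set remote-auth enable
        set accprofile "noaccess"
        set vdom "root"
        set wildcard enable
        set remote-group "ClearPass-TACACS"
        set accprofile-override enable
    next
end
"""

# Constructed ClearPass enforcement profile attribute sets, using the three
# service attributes of the "fortigate" TACACS+ dictionary. The second one
# carries a deliberate typo in admin_prof to show what the check catches.
ENFORCEMENT_PROFILES = {
    "HomeLAB - Fortigate Admin": {
        "service": "fortigate", "memberof": "fortigate-admins", "admin_prof": "super_admin"},
    "HomeLAB - Fortigate Readonly": {
        "service": "fortigate", "memberof": "fortigate-ro", "admin_prof": "Readony"},
}


def parse_fortigate_config(text):
    """Parse flat FortiGate CLI blocks into {section: {entry: {setting: value}}}.

    Quoted values are unquoted; a setting with several values (e.g. `set member "a" "b"`)
    is stored as a list. Nested config blocks inside an entry are not handled.
    """
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword = tokens[0]
        if keyword == "config":
            section = " ".join(tokens[1:])
            sections.setdefault(section, {})
        elif keyword == "edit":
            entry = tokens[1]
            sections[section].setdefault(entry, {})
        elif keyword == "set":
            values = tokens[2:]
            sections[section][entry][tokens[1]] = values[0] if len(values) == 1 else values
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            section = None
    return sections


def check_enforcement_profiles(config_text, profiles):
    """Return {profile_name: [problems]}; admin_prof must name an existing accprofile."""
    accprofiles = set(parse_fortigate_config(config_text).get("system accprofile", {}))
    findings = {}
    for name, attrs in profiles.items():
        problems = []
        if attrs.get("service") != "fortigate":
            problems.append("service must be 'fortigate' (the dictionary name)")
        if "admin_prof" not in attrs:
            # Assumption of this example: without admin_prof the wildcard admin's own profile applies.
            problems.append("admin_prof missing; the wildcard admin's own accprofile would apply")
        elif attrs["admin_prof"] not in accprofiles:
            problems.append(f"admin_prof {attrs['admin_prof']!r} is not a configured accprofile")
        findings[name] = problems
    return findings


def check_wildcard_admin(config_text, admin_name="tacacs_admin"):
    """Check that the background admin is a least-privilege wildcard account."""
    cfg = parse_fortigate_config(config_text)
    admin = cfg.get("system admin", {}).get(admin_name)
    if admin is None:
        return [f"admin {admin_name!r} not found"]
    problems = []
    for setting in ("remote-auth", "wildcard", "accprofile-override"):
        if admin.get(setting) != "enable":
            problems.append(f"{setting} should be enable")
    if admin.get("accprofile") != "noaccess":
        problems.append("default accprofile should be 'noaccess' so a login without admin_prof gets nothing")
    group = admin.get("remote-group")
    if group not in cfg.get("user group", {}):
        problems.append(f"remote-group {group!r} is not a configured user group")
    return problems


if __name__ == "__main__":
    for profile, problems in check_enforcement_profiles(FORTIGATE_CONFIG, ENFORCEMENT_PROFILES).items():
        print(profile, "->", problems or "OK")
    print("tacacs_admin ->", check_wildcard_admin(FORTIGATE_CONFIG) or "OK")
```

Run against a real box, the config text would come from `show system accprofile`, `show user group` and `show system admin` output and the attribute sets from the ClearPass enforcement profiles; the checker then reports the Readonly profile as broken until the “Readonly” accprofile exists with exactly that spelling.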

Configure Aruba ClearPass Service
Last but not least, we have to configure the ClearPass service for the incoming TACACS+ requests.
- Type: TACACS+ Enforcement
- Service Rule: Hits when the NAD (Fortigate) IP equals 172.16.200.254
- Authentication Source: Local User Repository
- Enforcement Policy: HomeLAB – Fortigate Policy

Configure Aruba ClearPass Local Users
Create two accounts in the local user database:
- testuser with the role [TACACS Super Admin]
- testuser-ro with the role [TACACS Helpdesk] (read-only)

TESTING TIME!!!
Let’s test the configuration from the Fortigate CLI. Yes! You can still log in with your local admin account, because we didn’t remove it from the Fortigate box.

Aruba ClearPass Access Tracker
In the Aruba ClearPass Access Tracker we can monitor the login events.

Some extra slides about the “testuser” request for reference…