Fortinet white logo
Fortinet white logo

Handbook

Configuring TACACS+ authentication

Configuring TACACS+ authentication

You can configure administrator authentication using a Terminal Access Controller Access-Control System Plus (TACACS+) server.

Once you complete the TACACS+ server configuration, create an administrator user under System > Admin > Administrator page and select 'TACACS+' as the Strategy. When 'TACACS+' is selected, no local password option is available. You can also specify the SPP or SPP Policy Group assignment, access profile and trusted host list for that user. For more details about creating a user profile, see here.

If TACACS+ is enabled, when a user logs in, an authentication request is made to the remote TACACS+ server.

If authentication succeeds, and the user has a configuration on the System > Admin > Administrator page, the SPP or SPP Policy Group assignment, access profile and trusted host list are applied. If the user does not have a configuration on the Administrator page, an authorization request will be sent to TACACS+ server. If the Authorization response contains attribute value pairs except 'service=fortiddos', user will be logged in as per the policy defined in attribute value pairs, otherwise the user will be logged in as per assignments obtained from the 'Default Access Strategy' settings described in Step 3.

Before you begin:

  • You must have Read-Write permission for System settings.

To configure FortiDDoS for TACACS+ authentication:

  1. Go to System > Authentication > TACACS+.
  2. Complete the 'TACACS+ Server Configuration'

    Settings Guidelines
    Status Select to enable TACACS+ server configuration or deselect to disable.
    Primary Server IP IP address or FQDN of the primary TACACS+ server.
    Primary Server Secret TACACS+ server shared secret – maximum 116 characters (special characters are allowed).
    Port TACACS+ port number in the range: 1 - 65535. The default value is 49.
    Secondary Server IP (Optional) IP address or FQDN of a backup TACACS+ server.
    Secondary Server Secret (Optional) TACACS+ server shared secret – maximum 116 characters (special characters are allowed).
    Authentication Protocol
    • PAP - Password Authentication Protocol
    • CHAP - Challenge Handshake Authentication Protocol (defined in RFC 1994)
    • ASCII
    • Auto - Automatically selects one of the above protocols.

    Trusted Hosts

    Source IP address and netmask from which the administrator is allowed to log in. For multiple addresses, separate each entry with a space. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture.

    Configuring trusted hosts hardens the security of the system. In addition to knowing the password, an administrator can connect only from the computer or subnets you specify.

    Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet, SSH, or the CLI console widget. Local console access is not affected by trusted hosts, as the local console is by definition not remote, and does not occur through the network.

    If ping is enabled, the address you specify here is also a source IP address to which the system will respond when it receives a ping or traceroute signal.

    To allow logins only from one computer, enter only its IP address and 32- or 128-bit netmask:192.0.2.2/322001:0db8:85a3:::8a2e:0370:7334/128

    To allow login attempts from any IP address (not recommended), enter:0.0.0.0/0.0.0.0.

    Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one administrator account unrestricted (i.e. 0.0.0.0/0), the system must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.

    Tip: If you allow login from the Internet, set a longer and more complex password, and enable only secure administrative access protocols. We also recommend that you restrict trusted hosts to IPs in your administrator’s geographical area.

    Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.

    Access profile

    Select a user-defined or predefined profile. The predefined profile named super_admin_prof is a special access profile used by the admin account. However, selecting this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords.

    Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile.

    Test Connectivity
    Test Connectivity Select to test connectivity using a test username and password specified next. Click the Test button after you have saved the configuration.
    Username User name for the connectivity test.
    Password Corresponding password.
  3. Complete the 'Default Access Strategy for remote TACACS+ user' with reference to the figure/table below.

  4. Save the configuration.

    CLI commands:

    config system authentication tacacs+ 
      set state {enable|disable}
      set primary-server <ip|domain>
      set primary-secret <string>
      set port <port>
      set backup-server <ip|domain>
      set backup-secret <string>
      set authprot {pap|chap|ascii|auto}
      set is-system-admin {yes|no}
      set is-spp-admin {yes|no}
      set dft-domain <SPP>
      set dft-accprofile <profile>
      set dft-trusted-hosts <CIDR list>
    end
    

Configuring Cisco Secure ACS for FortiDDoS TACACS+ authentication

Log in to Cisco Secure Access Control System and follow the steps below.

Note: For more information about the settings under each tab, click Help on the top-right corner of the UI.

Step 1: Verify TACACS+ Configuration

  1. Go to System Administration > Configuration > Global System Options > TACACS+ Settings.
  2. Check whether the Port to Listen field under Connection Settings is set to '49'.

Step 2: Add the Client (FortiDDoS)

  1. Go to Network Resources > Network Devices and AAA Clients.
  2. Click Create to add TACACS+ clients (FortiDDoS).
    FortiDDoS is a client to ACS (TACACS+) server.

  3. Enter the Name, Description, Network Device Groups and IP Address of FortiDDoS device.
  4. Select 'TACACS+' under Authentication Options and enter a Shared Secret.
  5. Click Submit.

Step 3: Create User Groups

User groups are created to associate a group of users to certain TACACS+ VSA policies.

  1. Go to Users and Identity Stores > Identity Groups.
  2. Click Create and create the user groups.


  3. Click Submit.

Step 4: Create ACS Shell Profiles

Shell profiles are configured to hold certain VSAs which the Administrator wants to associate with a user or group of users.

  1. Go to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles.
  2. Click Create to create Shell profiles corresponding to the user groups created in Step 3.
  3. Under General tab, enter the Name and Description of the Shell profile.

  4. Under Custom Attributes tab, add the custom attributes based on the Shell profile.
    • AdminProf:
      • Fortinet-FDD-Access-Profile: super_admin_prof
      • Fortinet-FDD-IS-SYSTEM-ADMIN: 1
      • Fortinet-FDD-IS-SPP-ADMIN: 0
      • Fortinet-FDD-Trusted-Hosts: 172.30.153.0/24
    • SPPAdminProfSPP0:
      • Fortinet-FDD-Access-Profile: spp_admin_prof
      • Fortinet-FDD-IS-SYSTEM-ADMIN: 0
      • Fortinet-FDD-IS-SPP-ADMIN: 1
      • Fortinet-FDD-SPP-NAME: SPP-0
      • Fortinet-FDD-Trusted-Hosts: 172.30.153.0/24
    • MSSPProfPolicyGroup1:
      • Fortinet-FDD-Access-Profile: mssp_prof
      • Fortinet-FDD-IS-SYSTEM-ADMIN: 0
      • Fortinet-FDD-IS-SPP-ADMIN: 0
      • Fortinet-FDD-SPP-POLICY-GROUP: PolicyGroup1
      • Fortinet-FDD-Trusted-Hosts: 172.30.153.0/24

Step 5: Select the Authentication Protocols

  1. Go to Access Policies > Default Network Access > Allowed Protocol tab.
  2. Select the Authentication Protocol(s) by checking Allow PAP/ASCII and/or Allow CHAP.
    FortiDDoS supports PAP, CHAP and ASCII Protocols.

  3. Click Submit.

Step 6: Associate groups with Shell Profiles

Associating groups with Shell Profiles is an important step providing clear and useful access management technique for Administrators.

  1. Go to Access Profile > Access Services > Default Device Admin > Authorization and verify the associated groups.

Step 7: Create users

Create users and add them under certain groups as per their access control decided by the Administrator.

  1. Go to Users and Identity Stores > Internal Identity Stores > Users.
  2. Click Create to add users for Admin group, SPP Admin group and MSSP Admin group.
    • 'systemadmin' for AdminGroup
    • 'sppadmin' for SPPAdminGroup
    • 'msspadmin' for MSSPGroup

  3. You will now be able to log on to the FortiDDoS appliance and get the appropriate authorizations.

Configuring TACACS+ authentication

Configuring TACACS+ authentication

You can configure administrator authentication using a Terminal Access Controller Access-Control System Plus (TACACS+) server.

Once you complete the TACACS+ server configuration, create an administrator user under System > Admin > Administrator page and select 'TACACS+' as the Strategy. When 'TACACS+' is selected, no local password option is available. You can also specify the SPP or SPP Policy Group assignment, access profile and trusted host list for that user. For more details about creating a user profile, see here.

If TACACS+ is enabled, when a user logs in, an authentication request is made to the remote TACACS+ server.

If authentication succeeds, and the user has a configuration on the System > Admin > Administrator page, the SPP or SPP Policy Group assignment, access profile and trusted host list are applied. If the user does not have a configuration on the Administrator page, an authorization request will be sent to TACACS+ server. If the Authorization response contains attribute value pairs except 'service=fortiddos', user will be logged in as per the policy defined in attribute value pairs, otherwise the user will be logged in as per assignments obtained from the 'Default Access Strategy' settings described in Step 3.

Before you begin:

  • You must have Read-Write permission for System settings.

To configure FortiDDoS for TACACS+ authentication:

  1. Go to System > Authentication > TACACS+.
  2. Complete the 'TACACS+ Server Configuration'

    Settings Guidelines
    Status Select to enable TACACS+ server configuration or deselect to disable.
    Primary Server IP IP address or FQDN of the primary TACACS+ server.
    Primary Server Secret TACACS+ server shared secret – maximum 116 characters (special characters are allowed).
    Port TACACS+ port number in the range: 1 - 65535. The default value is 49.
    Secondary Server IP (Optional) IP address or FQDN of a backup TACACS+ server.
    Secondary Server Secret (Optional) TACACS+ server shared secret – maximum 116 characters (special characters are allowed).
    Authentication Protocol
    • PAP - Password Authentication Protocol
    • CHAP - Challenge Handshake Authentication Protocol (defined in RFC 1994)
    • ASCII
    • Auto - Automatically selects one of the above protocols.

    Trusted Hosts

    Source IP address and netmask from which the administrator is allowed to log in. For multiple addresses, separate each entry with a space. You can specify up to three trusted areas. They can be single hosts, subnets, or a mixture.

    Configuring trusted hosts hardens the security of the system. In addition to knowing the password, an administrator can connect only from the computer or subnets you specify.

    Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet, SSH, or the CLI console widget. Local console access is not affected by trusted hosts, as the local console is by definition not remote, and does not occur through the network.

    If ping is enabled, the address you specify here is also a source IP address to which the system will respond when it receives a ping or traceroute signal.

    To allow logins only from one computer, enter only its IP address and 32- or 128-bit netmask:192.0.2.2/322001:0db8:85a3:::8a2e:0370:7334/128

    To allow login attempts from any IP address (not recommended), enter:0.0.0.0/0.0.0.0.

    Caution: If you restrict trusted hosts, do so for all administrator accounts. Failure to do so means that all accounts are still exposed to the risk of brute force login attacks. This is because if you leave even one administrator account unrestricted (i.e. 0.0.0.0/0), the system must allow login attempts on all network interfaces where remote administrative protocols are enabled, and wait until after a login attempt has been received in order to check that user name’s trusted hosts list.

    Tip: If you allow login from the Internet, set a longer and more complex password, and enable only secure administrative access protocols. We also recommend that you restrict trusted hosts to IPs in your administrator’s geographical area.

    Tip: For improved security, restrict all trusted host addresses to single IP addresses of computer(s) from which only this administrator will log in.

    Access profile

    Select a user-defined or predefined profile. The predefined profile named super_admin_prof is a special access profile used by the admin account. However, selecting this access profile will not confer all permissions of the admin account. For example, the new administrator would not be able to reset lost administrator passwords.

    Note: This option does not appear for the admin administrator account, which by definition always uses the super_admin_prof access profile.

    Test Connectivity
    Test Connectivity Select to test connectivity using a test username and password specified next. Click the Test button after you have saved the configuration.
    Username User name for the connectivity test.
    Password Corresponding password.
  3. Complete the 'Default Access Strategy for remote TACACS+ user' with reference to the figure/table below.

  4. Save the configuration.

    CLI commands:

    config system authentication tacacs+ 
      set state {enable|disable}
      set primary-server <ip|domain>
      set primary-secret <string>
      set port <port>
      set backup-server <ip|domain>
      set backup-secret <string>
      set authprot {pap|chap|ascii|auto}
      set is-system-admin {yes|no}
      set is-spp-admin {yes|no}
      set dft-domain <SPP>
      set dft-accprofile <profile>
      set dft-trusted-hosts <CIDR list>
    end
    

Configuring Cisco Secure ACS for FortiDDoS TACACS+ authentication

Log in to Cisco Secure Access Control System and follow the steps below.

Note: For more information about the settings under each tab, click Help on the top-right corner of the UI.

Step 1: Verify TACACS+ Configuration

  1. Go to System Administration > Configuration > Global System Options > TACACS+ Settings.
  2. Check whether the Port to Listen field under Connection Settings is set to '49'.

Step 2: Add the Client (FortiDDoS)

  1. Go to Network Resources > Network Devices and AAA Clients.
  2. Click Create to add TACACS+ clients (FortiDDoS).
    FortiDDoS is a client to ACS (TACACS+) server.

  3. Enter the Name, Description, Network Device Groups and IP Address of FortiDDoS device.
  4. Select 'TACACS+' under Authentication Options and enter a Shared Secret.
  5. Click Submit.

Step 3: Create User Groups

User groups are created to associate a group of users to certain TACACS+ VSA policies.

  1. Go to Users and Identity Stores > Identity Groups.
  2. Click Create and create the user groups.


  3. Click Submit.

Step 4: Create ACS Shell Profiles

Shell profiles are configured to hold certain VSAs which the Administrator wants to associate with a user or group of users.

  1. Go to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles.
  2. Click Create to create Shell profiles corresponding to the user groups created in Step 3.
  3. Under General tab, enter the Name and Description of the Shell profile.

  4. Under Custom Attributes tab, add the custom attributes based on the Shell profile.
    • AdminProf:
      • Fortinet-FDD-Access-Profile: super_admin_prof
      • Fortinet-FDD-IS-SYSTEM-ADMIN: 1
      • Fortinet-FDD-IS-SPP-ADMIN: 0
      • Fortinet-FDD-Trusted-Hosts: 172.30.153.0/24
    • SPPAdminProfSPP0:
      • Fortinet-FDD-Access-Profile: spp_admin_prof
      • Fortinet-FDD-IS-SYSTEM-ADMIN: 0
      • Fortinet-FDD-IS-SPP-ADMIN: 1
      • Fortinet-FDD-SPP-NAME: SPP-0
      • Fortinet-FDD-Trusted-Hosts: 172.30.153.0/24
    • MSSPProfPolicyGroup1:
      • Fortinet-FDD-Access-Profile: mssp_prof
      • Fortinet-FDD-IS-SYSTEM-ADMIN: 0
      • Fortinet-FDD-IS-SPP-ADMIN: 0
      • Fortinet-FDD-SPP-POLICY-GROUP: PolicyGroup1
      • Fortinet-FDD-Trusted-Hosts: 172.30.153.0/24

Step 5: Select the Authentication Protocols

  1. Go to Access Policies > Default Network Access > Allowed Protocol tab.
  2. Select the Authentication Protocol(s) by checking Allow PAP/ASCII and/or Allow CHAP.
    FortiDDoS supports PAP, CHAP and ASCII Protocols.

  3. Click Submit.

Step 6: Associate groups with Shell Profiles

Associating groups with Shell Profiles is an important step providing clear and useful access management technique for Administrators.

  1. Go to Access Profile > Access Services > Default Device Admin > Authorization and verify the associated groups.

Step 7: Create users

Create users and add them under certain groups as per their access control decided by the Administrator.

  1. Go to Users and Identity Stores > Internal Identity Stores > Users.
  2. Click Create to add users for Admin group, SPP Admin group and MSSP Admin group.
    • 'systemadmin' for AdminGroup
    • 'sppadmin' for SPPAdminGroup
    • 'msspadmin' for MSSPGroup

  3. You will now be able to log on to the FortiDDoS appliance and get the appropriate authorizations.