Vendor-Specific Attributes for TACACS 7.2.1
Vendor-Specific Attributes (VSAs) can be used with TACACS authentication and authorization for wildcard system administrator access to FortiGates from browsers and SSH. The memberof VSA can be used in a remote TACACS user group for group matching. The vdom VSA returned from TACACS can be used to overwrite the VDOM in the system admin settings. The admin_prof VSA returned from TACACS can be used to overwrite the accprofile in the system admin settings.
Example
In this example, a FortiGate is configured with multiple VDOMs, and the root acts as the management VDOM. Administrators attempt to log in with SSH or HTTPS through each VDOM.
Using the VSA values for the vdom and admin_prof attributes returned from the TACACS server, the FortiGate can allow access only to the VDOMs returned, with the permissions from the corresponding administrator profile. If no VSA values are returned from TACACS, then the FortiGate uses the default values under the config system admin settings.
The TACACS server settings are configured as follows:
    user = admin-all-vdom {
        default service = permit
        member = sys_admin_all_vdom
        …
    }
    user = admin-vdom1 {
        default service = permit
        member = sys_admin_vdom1
        …
    }
    group = sys_admin_all_vdom {
        default service = permit
        service = fortigate {
            memberof = group3
            admin_prof = admin_all_vdom
        }
    }
    group = sys_admin_vdom1 {
        default service = permit
        service = fortigate {
            memberof = group3
            admin_prof = admin_vdom1
            vdom = vdom1
        }
    }
For multiple VDOMs, each VDOM must be specified in a separate field. For example, for access to vdom1 and vdom2:
    vdom = vdom1
    vdom = vdom2
Some TACACS servers, such as Linux TACACS servers, may only return the last VDOM specified.
The authentication process is as follows:
Authentication for admin-all-vdom:
- The administrator attempts to log in to the FortiGate over the remote TACACS user group, remote-tacacs.
- The FortiGate sends an authorization request to the TACACS server.
- TACACS authenticates the admin-all-vdom user. The user matches the sys_admin_all_vdom TACACS group. TACACS returns the following VSA values:
    memberof = group3
    admin_prof = admin_all_vdom
- The FortiGate authenticates and authorizes the user based on the returned memberof group. The admin_prof value overwrites the accprofile setting configured under system admin. Since no other VDOM VSA is returned, the FortiGate matches the user to the default VDOM configured under system admin, which is admin_no_access.
Authentication for admin-vdom1:
- The administrator attempts to log in to the FortiGate over the remote TACACS user group, remote-tacacs.
- vdom1 forwards the request to the management VDOM, which is the root.
- The FortiGate sends an authorization request to the TACACS server through the management VDOM.
- TACACS authenticates the admin-vdom1 user. The user matches the sys_admin_vdom1 TACACS group. TACACS returns the following VSA values:
    memberof = group3
    admin_prof = admin_vdom1
    vdom = vdom1
- The FortiGate authenticates and authorizes the user based on the returned memberof group. The other VSA values overwrite the accprofile and VDOM settings configured under system admin. The user is only allowed to access vdom1 with the administrative permissions allowed for admin_vdom1.
To configure the FortiGate:
- Create two system administrator profiles.
  - Configure admin_vdom1, which has read-write access to vdom1 (except for firewall policies) and is restricted from using diagnose commands in the CLI:
        config system accprofile
            edit "admin_vdom1"
                set secfabgrp read-write
                set ftviewgrp read-write
                set authgrp read-write
                set fwgrp custom
                set system-diagnostics disable
                config fwgrp-permission
                    set policy read
                    set address read
                    set service read
                    set schedule read
                    set others read
                end
            next
        end
  - Configure admin_all_vdom, which has read-write access to all VDOMs, but not with super_admin permissions:
        config system accprofile
            edit "admin_all_vdom"
                set secfabgrp read-write
                set ftviewgrp read-write
                set authgrp read-write
                set sysgrp read
                set netgrp read-write
                set loggrp read-write
                set fwgrp read-write
                set vpngrp read
                set utmgrp read
                set wanoptgrp read
                set wifi read
            next
        end
- Configure the TACACS server:
        config user tacacs+
            edit "tac1"
                set server "10.1.100.34"
                set key XXXXXXXXXXXX
                set authorization enable
            next
        end
- Configure the remote TACACS group with group matching:
        config user group
            edit "remote-tacacs"
                set member "tac1"
                config match
                    edit 1
                        set server-name "tac1"
                        set group-name "group3"
                    next
                end
            next
        end
- Configure the wildcard administrative user assigned to the remote TACACS group:
        config system admin
            edit "remote-admin"
                set remote-auth enable
                set accprofile "admin_no_access"
                set vdom "root" "vdom1"
                set wildcard enable
                set remote-group "remote-tacacs"
                set accprofile-override enable
                set vdom-override enable
            next
        end
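As an added example (not Fortinet code and not a FortiOS API), the following Python models how the wildcard admin configured above applies the VSAs a TACACS server returns: group matching on memberof, the accprofile-override and vdom-override behavior, the multi-field vdom form, and the caveat that some servers return only the last vdom field. The VSA replies are constructed from the sys_admin_* groups in the TACACS configuration; the group9 value in the non-matching reply is an assumed name.

```python
from dataclasses import dataclass

@dataclass
class WildcardAdmin:
    # The 'config system admin' settings from the page that affect VSA handling
    accprofile: str
    vdoms: list
    accprofile_override: bool
    vdom_override: bool

def parse_vsa(lines):
    """Parse 'key = value' VSA lines; repeated keys (vdom = vdom1, vdom = vdom2)
    are collected in order, matching the multi-VDOM form shown above."""
    vsa = {}
    for line in lines:
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        vsa.setdefault(key, []).append(value)
    return vsa

def authorize(admin, match_groups, vsa, last_vdom_only=False):
    """Return the effective (accprofile, vdoms) for the login, or None when the
    memberof VSA matches none of the remote group's 'config match' entries.
    last_vdom_only models a server that returns only the last 'vdom' field."""
    if not set(vsa.get("memberof", [])) & set(match_groups):
        return None
    profile = admin.accprofile
    if admin.accprofile_override and vsa.get("admin_prof"):
        profile = vsa["admin_prof"][-1]
    vdoms = list(admin.vdoms)
    if admin.vdom_override and vsa.get("vdom"):
        vdoms = vsa["vdom"][-1:] if last_vdom_only else list(vsa["vdom"])
    return profile, vdoms

# 'remote-admin' as configured on the page: these defaults apply without overrides
REMOTE_ADMIN = WildcardAdmin("admin_no_access", ["root", "vdom1"], True, True)
MATCH_GROUPS = ["group3"]  # 'config match' group-name under remote-tacacs

# Constructed VSA replies modelled on the sys_admin_* groups above
VSA_ALL_VDOM = ["memberof = group3", "admin_prof = admin_all_vdom"]
VSA_VDOM1 = ["memberof = group3", "admin_prof = admin_vdom1", "vdom = vdom1"]
VSA_TWO_VDOMS = VSA_VDOM1 + ["vdom = vdom2"]
VSA_OTHER_GROUP = ["memberof = group9", "admin_prof = admin_all_vdom"]  # assumed group

if __name__ == "__main__":
    for reply in (VSA_ALL_VDOM, VSA_VDOM1, VSA_TWO_VDOMS, VSA_OTHER_GROUP):
        print(reply, "->", authorize(REMOTE_ADMIN, MATCH_GROUPS, parse_vsa(reply)))
```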
To verify the configuration:
- Log in as admin-vdom1 using a browser and SSH. The following behavior is expected:
  - The user can only access vdom1 (returned by TACACS in the vdom VSA).
  - The user can view firewall policies, but cannot create new policies.
  - The user cannot run diagnose debug application commands in the PuTTY SSH session.
- Log in as admin-all-vdom using a browser and SSH. The following behavior is expected:
  - The user has no VSA VDOM configured on the TACACS server, so the default setting in the system admin configuration should apply. The user can access the root and vdom1 VDOMs.
  - The user has no access to system global in the CLI, and the prompt symbol is a $ instead of a #.