Administration Guide

Remote administrators with TACACS+ VSA attributes

Vendor-Specific Attributes (VSAs) can be used with TACACS+ authentication and authorization for wildcard system administrator access to FortiGates from browsers and SSH. The memberof VSA can be used in a remote TACACS+ user group for group matching. The vdom VSA returned from TACACS+ can be used to overwrite the VDOM in the system admin settings. The admin_prof VSA returned from TACACS+ can be used to overwrite the accprofile in the system admin settings.

Example

In this example, a FortiGate is configured with multiple VDOMs, and the root acts as the management VDOM. Administrators attempt to log in with SSH or HTTPS through each VDOM.

Using the VSA values for the vdom and admin_prof attributes returned from the TACACS+ server, the FortiGate can allow access only to the VDOMs returned, with the permissions from the corresponding administrator profile. If no VSA values are returned from TACACS+, then the FortiGate uses the default values under the config system admin settings.

The TACACS+ server settings are configured as follows:

user = admin-all-vdom {
    default service = permit
    member = sys_admin_all_vdom
    …
}
user = admin-vdom1 {
    default service = permit
    member = sys_admin_vdom1
    …
}
group = sys_admin_all_vdom {
    default service = permit
    service = fortigate {
        memberof = group3
        admin_prof = admin_all_vdom
    }
}
group = sys_admin_vdom1 {
    default service = permit
    service = fortigate {
        memberof = group3
        admin_prof = admin_vdom1
        vdom = vdom1
    }
}

For multiple VDOMs, each VDOM must be specified in a separate field. For example, for access to vdom1 and vdom2:

vdom = vdom1
vdom = vdom2

Note: Some TACACS+ servers, such as Linux TACACS+ servers, may only return the last VDOM specified.

The authentication process is as follows:

Authentication for admin-all-vdom:
  1. The administrator attempts to log in to the FortiGate over the remote TACACS+ user group, remote-tacacs.

  2. The FortiGate sends an authorization request to the TACACS+ server.

  3. TACACS+ authenticates the admin-all-vdom user. The user matches the sys_admin_all_vdom TACACS+ group. TACACS+ returns the following VSA values:

    • memberof = group3

    • admin_prof = admin_all_vdom

  4. The FortiGate authenticates and authorizes the user based on the returned memberof group. The admin_prof value overwrites the accprofile setting configured under system admin. Since no other VDOM VSA is returned, the FortiGate matches the user to the default VDOM configured under system admin, which is admin_no_access.

Authentication for admin-vdom1:
  1. The administrator attempts to log in to the FortiGate over the remote TACACS+ user group, remote-tacacs.

  2. vdom1 forwards the request to the management VDOM, which is the root.

  3. The FortiGate sends an authorization request to the TACACS+ server through the management VDOM.

  4. TACACS+ authenticates the admin-vdom1 user. The user matches the sys_admin_vdom1 TACACS+ group. TACACS+ returns the following VSA values:

    • memberof = group3

    • admin_prof = admin_vdom1

    • vdom = vdom1

  5. The FortiGate authenticates and authorizes the user based on the returned memberof group. The other VSA values overwrite the accprofile and VDOM settings configured under system admin. The user is only allowed to access vdom1 with the administrative permissions allowed for admin_vdom1.

To configure the FortiGate:
  1. Create two system administrator profiles.

    1. Configure admin_vdom1, which has read-write access to vdom1 (except for firewall policies) and is restricted from using diagnose commands in the CLI:

      config system accprofile
          edit "admin_vdom1"
              set secfabgrp read-write
              set ftviewgrp read-write
              set authgrp read-write
              set fwgrp custom
              set cli-diagnose disable
              config fwgrp-permission
                  set policy read
                  set address read
                  set service read
                  set schedule read
                  set others read
              end
          next
      end
    2. Configure admin_all_vdom, which has read-write access to all VDOMs, but without super_admin permissions:

      config system accprofile
          edit "admin_all_vdom"
              set secfabgrp read-write
              set ftviewgrp read-write
              set authgrp read-write
              set sysgrp read
              set netgrp read-write
              set loggrp read-write
              set fwgrp read-write
              set vpngrp read
              set utmgrp read
              set wanoptgrp read
              set wifi read
          next
      end
  2. Configure the TACACS+ server:

    config user tacacs+
        edit "tac1"
            set server "10.1.100.34"
            set key XXXXXXXXXXXX
            set authorization enable
        next
    end
  3. Configure the remote TACACS+ group with group matching:

    config user group
        edit "remote-tacacs"
            set member "tac1"
            config match
                edit 1
                    set server-name "tac1"
                    set group-name "group3"
                next
            end
        next
    end
  4. Configure the wildcard administrative user assigned to the remote TACACS+ group:

    config system admin
        edit "remote-admin"
            set remote-auth enable
            set accprofile "admin_no_access"
            set vdom "root" "vdom1"
            set wildcard enable
            set remote-group "remote-tacacs"
            set accprofile-override enable
            set vdom-override enable
        next
    end
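The following is an added example, not FortiOS or Fortinet code, that models how the authentication process above combines the wildcard admin settings just configured (accprofile-override, vdom-override, and the group3 match) with the VSA values returned by the TACACS+ server. The attribute-value pair list shape and the LocalAdmin field names are assumptions for illustration; the sample replies are constructed from the two users on this page.

```python
# Added example (not Fortinet code): resolve a wildcard admin's effective
# accprofile and VDOM list from TACACS+ VSAs, as this page describes.
import re
from dataclasses import dataclass, field

# Hypothetical model of the relevant 'config system admin' / 'config user group' keys.
@dataclass
class LocalAdmin:
    accprofile: str = "admin_no_access"                 # set accprofile
    vdom: list = field(default_factory=lambda: ["root", "vdom1"])  # set vdom
    match_group: str = "group3"                         # config match > group-name
    accprofile_override: bool = True                    # set accprofile-override
    vdom_override: bool = True                          # set vdom-override

# TACACS+ authorization replies carry "attr=value" (mandatory) or "attr*value"
# (optional) pairs; repeated attributes such as vdom are collected into a list.
_AV = re.compile(r"^([^=*]+)[=*](.*)$")

def parse_vsa(av_pairs):
    attrs = {}
    for pair in av_pairs:
        m = _AV.match(pair)
        if m:
            attrs.setdefault(m.group(1).strip(), []).append(m.group(2).strip())
    return attrs

def resolve_access(local, av_pairs):
    """Return (authorized, effective_accprofile, effective_vdoms)."""
    attrs = parse_vsa(av_pairs)
    # Group matching: memberof must carry the group-name configured under config match.
    if local.match_group not in attrs.get("memberof", []):
        return (False, None, [])
    profile = local.accprofile
    if local.accprofile_override and attrs.get("admin_prof"):
        profile = attrs["admin_prof"][-1]      # admin_prof overwrites accprofile
    vdoms = list(local.vdom)                   # default: VDOMs from system admin
    if local.vdom_override and attrs.get("vdom"):
        vdoms = attrs["vdom"]                  # one vdom= field per VDOM; a server
    return (True, profile, vdoms)              # that returns only the last one collapses this

# Constructed replies mirroring the sys_admin_all_vdom and sys_admin_vdom1 groups.
REPLY_ALL_VDOM = ["memberof=group3", "admin_prof=admin_all_vdom"]
REPLY_VDOM1 = ["memberof=group3", "admin_prof=admin_vdom1", "vdom=vdom1"]

if __name__ == "__main__":
    admin = LocalAdmin()
    print(resolve_access(admin, REPLY_ALL_VDOM))   # (True, 'admin_all_vdom', ['root', 'vdom1'])
    print(resolve_access(admin, REPLY_VDOM1))      # (True, 'admin_vdom1', ['vdom1'])
```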
To verify the configuration:
  1. Log in as admin-vdom1 using a browser and SSH. The following behavior is expected:

    • The user can only access vdom1 (returned by TACACS+ in the vdom VSA).

    • The user can view firewall policies, but cannot create new policies.

    • The user cannot run diagnose debug application commands in the PuTTY SSH session.

  2. Log in as admin_all_vdom using a browser and SSH. The following behavior is expected:

    • The user has no VSA VDOM configured on the TACACS+ server, so the default setting in the system admin configuration should apply. The user can access the root and vdom1 VDOMs.

    • The user has no access to system global in the CLI, and the prompt symbol is a $ instead of a #.
