This setup is useful when you have several Fortigate firewalls and want to manage administrative access from a centralized TACACS+ server (Cisco ISE) instead of creating admin accounts locally on each firewall. The key to the setup is enabling authorization on the TACACS+ server object and accprofile-override on the wildcard admin account in the Fortigate, so that the firewall requests the authorization attributes from the TACACS+ server and applies them. The attribute FortiOS looks for in the authorization reply is admin_prof; its value must be the name of an access profile that already exists on the firewall. The wildcard admin's own profile (DenyAccess here, a profile that grants no permissions) only applies when ISE authorizes a login without returning a usable profile, so a misconfigured or unmatched TACACS profile results in no access rather than in full admin access.
Lab Network Setup:
Credits to Eve-Ng
IP Addressing Scheme:
10.254.0.12 - Fortigate FW
10.254.0.13 - Cisco ISE
AD Credentials:
Admin account - kagarcia
Read-Only account - test123
Fortigate Configuration:
CLI:
```
config user tacacs+
    edit "ise"
        set server "10.254.0.13"
        set key [shared-secret]
        set authorization enable
    next
end
config user group
    edit "Active_Directory"
        set member "ise"
    next
end
config system accprofile
    edit "DenyAccess"
    next
end
config system admin
    edit "*"
        set remote-auth enable
        set accprofile "DenyAccess"
        set vdom "root"
        set wildcard enable
        set remote-group "Active_Directory"
        set accprofile-override enable
    next
end
```
The empty DenyAccess profile is intentional: a new access profile has every permission set to none, which is exactly what a remote admin should get when no profile is returned by ISE.
Web-GUI:
Screenshot: create a new user group and assign the TACACS+ server created above as its remote server.
Screenshot: create a new admin profile (DenyAccess) with every permission left at none; it is the default profile for AD logins, so a user that ISE authorizes without returning a profile gets no access.
Cisco ISE Configuration:
Screenshot: create a new TACACS profile for the administrator access authorization result; it returns the admin_prof attribute naming the full-access Fortigate profile.
Screenshot: create a new TACACS profile for the read-only access authorization result; it returns admin_prof naming the read-only Fortigate profile.
Screenshot: create additional authorization policy rules for admin and read-only access, specific to the IP address of the firewall, each selecting the matching TACACS profile.
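To make visible what the Fortigate actually receives from ISE once authorization and accprofile-override are enabled, here is a minimal TACACS+ (RFC 8907) authorization round trip written in Python, with the firewall and ISE as two in-process functions. This is an added example, not code from the original post, from Fortinet or from Cisco. Constructed assumptions: the shared key, the session id, the port and client address in the request, the user-to-profile mapping that stands in for the ISE authorization policy, and the "ReadOnly" profile name; "super_admin" is the built-in FortiOS profile and "DenyAccess" is the profile from the post. The authentication START/REPLY exchange that precedes authorization is omitted, and the fallback to DenyAccess when the returned profile name does not exist locally is modelled here, not verified against a specific FortiOS release.

```python
"""Minimal TACACS+ authorization exchange (RFC 8907), Fortigate <-> ISE, in-process.
Added example with constructed data; not the original post's, Fortinet's or Cisco's code."""
import hashlib
import struct

VERSION = 0xC0            # major 0xC, minor 0 (RFC 8907 section 4.1)
TYPE_AUTHOR = 0x02
FLAG_UNENCRYPTED = 0x01
PASS_ADD, PASS_REPL, FAIL = 0x01, 0x02, 0x10
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

def obfuscate(body, session_id, key, version, seq_no):
    """Section 4.5 body obfuscation: XOR with an MD5 chain. Symmetric, so it also decodes."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, body, key):
    hdr = HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION, seq_no)

def parse_packet(pkt, key):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:HEADER.size])
    body = pkt[HEADER.size:HEADER.size + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body

def author_request_body(user, port, rem_addr, args=()):
    """Authorization REQUEST (section 6.1): fixed fields, arg lengths, then variable fields."""
    args = [a.encode() for a in args]
    fixed = struct.pack("!8B", 0x06, 1, 0x01, 0x01,   # method TACACS+, priv 1, ASCII, LOGIN
                        len(user), len(port), len(rem_addr), len(args))
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)

def parse_author_request(body):
    _, _, _, _, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    lens, off = body[8:8 + argc], 8 + argc
    user = body[off:off + ulen]
    off += ulen + plen + rlen                      # skip port and rem_addr
    args = []
    for n in lens:
        args.append(body[off:off + n].decode()); off += n
    return user.decode(), args

def author_reply_body(status, args=(), server_msg=b"", data=b""):
    """Authorization REPLY (section 6.2); 'name=value' marks a mandatory attribute."""
    args = [a.encode() for a in args]
    fixed = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return fixed + bytes(len(a) for a in args) + server_msg + data + b"".join(args)

def parse_author_reply(body):
    status, argc, smlen, dlen = struct.unpack("!BBHH", body[:6])
    lens, off = body[6:6 + argc], 6 + argc + smlen + dlen   # skip server_msg and data
    args = []
    for n in lens:
        args.append(body[off:off + n].decode()); off += n
    return status, args

# "ISE" side: constructed stand-in for the authorization policy and its TACACS profiles
ISE_POLICY = {"kagarcia": "super_admin", "test123": "ReadOnly"}

def ise_authorize(req_body):
    user, _ = parse_author_request(req_body)
    if user not in ISE_POLICY:
        return author_reply_body(FAIL, server_msg=b"no authorization rule matched")
    return author_reply_body(PASS_ADD, args=[f"admin_prof={ISE_POLICY[user]}"])

# "Fortigate" side: what accprofile-override does with the reply
LOCAL_PROFILES = {"super_admin", "DenyAccess", "ReadOnly"}   # profiles existing on the firewall
DEFAULT_PROFILE = "DenyAccess"                               # the wildcard admin's accprofile

def effective_profile(reply_body, override_enabled=True):
    status, args = parse_author_reply(reply_body)
    if status not in (PASS_ADD, PASS_REPL):
        return None                        # authorization failed: login denied
    if override_enabled:
        for arg in args:
            name, sep, value = arg.partition("=")
            if sep and name == "admin_prof" and value in LOCAL_PROFILES:
                return value
    return DEFAULT_PROFILE                 # no usable attribute: fall back (modelled behaviour)

def login(user, key=b"shared-secret", session_id=0x1234ABCD):
    """Full round trip: firewall builds the request, ISE answers, firewall picks the profile."""
    req = build_packet(TYPE_AUTHOR, 1, session_id,
                       author_request_body(user.encode(), b"ssh", b"192.0.2.10"), key)
    _, _, sid, req_body = parse_packet(req, key)           # ISE decodes the request
    rep = build_packet(TYPE_AUTHOR, 2, sid, ise_authorize(req_body), key)
    _, _, _, rep_body = parse_packet(rep, key)             # firewall decodes the reply
    return effective_profile(rep_body)

if __name__ == "__main__":
    for u in ("kagarcia", "test123", "nobody"):
        print(u, "->", login(u))
```

Two things worth noting from the exchange: the profile name travels in clear apart from the MD5-XOR obfuscation, which is not encryption, so the TACACS+ session between the firewall and ISE belongs on a management network or inside a tunnel; and the firewall only honours admin_prof when override is enabled and the named profile exists locally, which is why a profile typo in ISE silently lands the user in DenyAccess instead of granting access.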
Screenshot: TACACS+ authorization result summary details in ISE.
Screenshot: Fortigate logged-in users.
Cheers to my first blog! :)