Monday, 21 August 2017

Fortigate Firewall Integration to Cisco ISE 2.2 Tacacs+ Server with Active Directory Credential Authorization

This setup is useful if you have several Fortigate firewalls and you want to manage access from a centralized TACACS+ server (ISE) instead of manually creating the accounts locally on each firewall. The key to this setup is that you must enable the authorization and the accprofile-override settings on the Fortigate firewall so that it receives and applies the authorization attributes sent by the TACACS+ server.

Lab Network Setup:

Credits to Eve-Ng

IP Addressing Scheme:

10.254.0.12 - Fortigate FW
10.254.0.13 - Cisco ISE


AD Credentials:


Admin account - kagarcia
Read-Only account - test123


Fortigate Configuration:

CLI:

config user tacacs+
    edit "ise"
        set server "10.254.0.13"
        set key [shared-secret]
        set authorization enable
    next
end
config user group
    edit "Active_Directory"
        set member "ise"
    next
end
config system accprofile
    edit "DenyAccess"
    next
end
config system admin
    edit "*"
        set remote-auth enable
        set accprofile "DenyAccess"
        set vdom "root"
        set wildcard enable
        set remote-group "Active_Directory"
        set accprofile-override enable
    next
end
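Added example, not part of the original post and not a Fortinet tool: a small Python checker that parses the CLI block above into nested tables and confirms the fail-closed settings the post calls the key to this setup (authorization enabled on the TACACS+ server entry, and the wildcard admin "*" pinned to DenyAccess with accprofile-override enabled, so a remote admin only gets rights the TACACS+ server explicitly returns). The names ise, DenyAccess and Active_Directory are the post's own; SAMPLE_CONFIG is a constructed copy of the relevant part of that block.

```python
# Constructed sample input: the post's TACACS+ server and wildcard-admin tables.
SAMPLE_CONFIG = """
config user tacacs+
    edit "ise"
        set server "10.254.0.13"
        set authorization enable
    next
end
config system admin
    edit "*"
        set remote-auth enable
        set accprofile "DenyAccess"
        set wildcard enable
        set remote-group "Active_Directory"
        set accprofile-override enable
    next
end
"""
def parse_fortios(text):
    """Parse config/edit/set/next/end lines into {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("config "):
            table = line[7:]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[5:].strip('"')
            tables[table].setdefault(entry, {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = None
    return tables

def check_fail_closed(text, server="ise", deny_profile="DenyAccess"):
    """Return findings; an empty list means remote admins get rights only via TACACS+."""
    cfg, findings = parse_fortios(text), []
    if cfg.get("user tacacs+", {}).get(server, {}).get("authorization") != "enable":
        findings.append(f"tacacs+ server {server}: authorization not enabled")
    adm = cfg.get("system admin", {}).get("*", {})
    if not adm:
        return findings + ["no wildcard admin '*' defined"]
    for key, want in (("remote-auth", "enable"), ("wildcard", "enable"),
                      ("accprofile-override", "enable"), ("accprofile", deny_profile)):
        if adm.get(key) != want:
            findings.append(f"admin '*': {key} is {adm.get(key)!r}, expected {want!r}")
    return findings
```

Run it against a `show full-configuration` export to spot a firewall where the wildcard admin was given a permissive default profile or where authorization was left off.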

Web-GUI:

Create a new user group and assign the created TACACS+ server as its remote server

Create a new admin profile, "DenyAccess", as the default profile for AD logins

Fortigate available Admin Profiles

Create a new administrator "*", which matches any AD username from the remote server

Fortigate available Administrator accounts

Cisco ISE Configuration:


Create a new TACACS profile for the administrator-access authorization result

Create a new TACACS profile for the read-only-access authorization result

Create additional authorization policies for admin and read-only access, matched on the IP address of the firewall and returning the corresponding TACACS profile

TACACS+ Authorization Result Summary Details



Fortigate logged in users


Cheers to my first blog! :)

8 comments:

  1. Hello, I want to do the same thing but for users to access by VPN. I need your help please. I have users on a TACACS+ server.
    Cordially.

    1. Hi papa seck, usually it can be registered as an external authentication server from your VPN appliance and just invoke the server profile in your authentication policy. You can email me for more detailed discussion.

  2. Hello garcia, thanks for your great article. Can we use "user groups" defined in ISE rather than in AD with the same configuration?

    1. Yes, you have the option to choose which credential database you want to use in this kind of setup. You just need to modify the TACACS profile to the option that you prefer.

  3. TACACS test from the Fortinet GUI works fine, but while doing the TACACS auth test command from the FG CLI, it's failing with an "Admin Profile: None" error. Required profiles are created in ISE and FG too.