Wednesday, March 16, 2016

Controlling fortigate cisco ACS 5.8 tacacs+ access profiles

To pass access profiles with the cisco ACS  you need to craft custom attributes for tacacs. The tacacs attributes should match a local define accprofile.

The profiles are used only after a ACCEPT from a success authentication. This is how authorization and the level is granted to the end_user.

Here's a screen shot of the Shell Profiles from the profile elements within cisco ACS.
( see  the blue and  wine colored arrows )

Key Points:

  • The user can only be within ONE accprofile. The AccessProfile provide READ NONE or WRITE for the various commands section levels ( e.g firewall, system,etc.....)

  • If a wildcard user is enable, this profile can override the define accprofile for the wildcard.

  • If the accprofile reference does not exist, the "default accprofile for that user is granted"

A  FortiOS sample  accprofile configuration:

config sys accprofile
    edit "CORP_LEVEL2"
        set comments "TIER#2 ENGINEERS"
        set mntgrp read
        set admingrp read
        set updategrp read
        set authgrp read-write
        set sysgrp read
        set netgrp read
        set loggrp read
        set routegrp read
        set fwgrp custom
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set endpoint-control-grp read
        set wifi read
            config fwgrp-permission
                set policy read-write
                set address read-write
                set service read-write
                set schedule read
                set packet-capture read
                set others read-write
    edit "CORP_ENG_SR"
        set comments "SENIOR SEC-ENG"
        set mntgrp read-write
        set admingrp read
        set updategrp read-write
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set routegrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wanoptgrp read-write
        set endpoint-control-grp read-write
        set wifi read-write


The cli diag debug app fnbamd -1 command will provide details on authen/authorization.

and  the following command will show authentication  PASS/FAIL and any accprofile  that's applied

diag test authserver tacacs+ < TAC_USER_NAME_HERE>  <username> <password>

e.g testing socadmin1

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
        /  \

No comments:

Post a Comment