I ran into a strange issue. When setting up a VM FortiAnalyzer for redundant TACACS+ we deployed the user group, i.e.:

    config system admin group
    edit "tacplusgroups"
    set member "AAA1" "AAA2"
    next
    end

And within the wildcard account we specify the user type and the group name:

    set user_type group
    set group "tacplusgroups"
    set wildcard enable
    set radius-accprofile-override enable
This works fine for SSH access, but when logging in via the web GUI the dashboard shows no objects, e.g. a broken FAZ.
We are running 5.4.0 b1019.
We had to revert back to user type tac_plus to get our dashboard populated. Time for a FTNT support case.
Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
Friday, June 10, 2016
Tuesday, June 7, 2016
FAZ setup for AAA access
In this blog we look at how simple the configuration for redundant AAA with a remote group is. Here a FortiAnalyzer has been set up for AAA authentication via TACACS+.
The 1st step is to define the AAA components.
Then we can set up a "wildcard" account with the type set to "group".
Ensure that set radius-accprofile-override is enabled if you want to override access profiles via AAA.
Now you can use the diag cmd to validate a remote user and the profile.
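The whole sequence the two posts above describe, assembled as one added example (this is not the blog's own configuration): the two TACACS+ servers, the admin group that references them, the wildcard admin account of type group, and the validation command. The server names AAA1/AAA2, the group name tacplusgroups and the wildcard account settings come from the page; the config system admin tacacs block, set server, set key, set profileid and the exact diagnose test authserver form are assumptions about the FortiAnalyzer CLI not shown on the page, and the IP addresses, shared secret and account name are placeholders.

```fortios
# Added example, not the blog's configuration. Lines marked (assumed) are
# FortiAnalyzer CLI syntax not shown on the page; IPs, secret and account
# name are placeholders.

# 1. AAA components: two TACACS+ servers for redundancy (CLI path assumed)
config system admin tacacs
    edit "AAA1"
        set server "192.0.2.11"                 # placeholder address
        set key "REPLACE_WITH_SHARED_SECRET"    # placeholder secret
    next
    edit "AAA2"
        set server "192.0.2.12"                 # placeholder address
        set key "REPLACE_WITH_SHARED_SECRET"    # placeholder secret
    next
end

# 2. Admin group that references both servers (from the page)
config system admin group
    edit "tacplusgroups"
        set member "AAA1" "AAA2"
    next
end

# 3. Wildcard account of type group; let AAA override the access profile
#    (user settings from the page; account name and profileid assumed)
config system admin user
    edit "tacplus_wildcard"
        set user_type group
        set group "tacplusgroups"
        set wildcard enable
        set radius-accprofile-override enable
        set profileid "Super_User"              # profile used when AAA sends none (assumed)
    next
end

# 4. Validate a remote user and the returned profile against one server
#    (command form assumed; confirm with "diagnose test authserver ?" on the box)
diagnose test authserver tacacs "AAA1" <username> <password>
```

After applying this, log in both over SSH and through the web GUI before relying on it: the earlier post on this page reports that on 5.4.0 b1019 the user_type group wildcard account authenticated fine over SSH but left the web GUI dashboard empty, and that only reverting the account to user type tac_plus restored the dashboard.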
Monday, June 6, 2016
ACS patch #3
The ongoing issue of Firefox breaking Cisco ACS should be resolved by a simple patch. We've pushed the GPG patch file today.
Hopefully the issues with "corruption" of the ACS database will be resolved for good!