In this post I will describe the configuration needed to use TACACS+ for administrator login authentication on a Fortigate (v6.0.10). Fortigate KB article for reference here: link.

Configure your Fortigate for TACACS+ Authentication

    # ADD TACACS SERVER
    set key "SECRETHERE"    #CLEARPASS NAD PSK SECRET#
    set member "ClearPass"  #CLEARPASS SERVER#

Configure Aruba ClearPass TACACS+ Dictionary

First things first! When configuring TACACS+ for a Fortigate it is important that the Fortigate TACACS+ dictionary is loaded into the ClearPass server. Note: this point is where I was failing the first time :)

Configure Aruba ClearPass Enforcement profiles

We create two enforcement profiles, one with administrator rights and one with operator rights. The "memberof" value can be any name you choose; the "admin_prof" value must equal an admin profile that exists on your Fortigate box. Since the "Readonly" profile has not yet been created in the Fortigate configuration, we now create it via the web GUI for reference.

Configure Aruba ClearPass Enforcement policy

For this test we create a very simple enforcement policy that looks into the local user repository, checks whether the user has the role "TACACS Super Admin" or "TACACS Helpdesk", and when a policy rule hits enforces the Admin or Readonly profile accordingly.

Last but not least, we have to configure the ClearPass service for the incoming TACACS+ requests:
- Service Rule: hits when the NAD (Fortigate) IP equals 172.16.200.254.
- Authentication Source: Local User Repository.
- Enforcement Policy: HomeLAB – Fortigate Policy.

Create two accounts in the local user database:

Let's test the configuration from the Fortigate CLI.
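To make visible what the enforcement profile above actually hands to the Fortigate, here is an added example (not code from the post, ClearPass or FortiOS) that builds an RFC 8907 TACACS+ authorization REPLY carrying the memberof and admin_prof attributes, obfuscates the body with the shared key, and decodes it the way the NAD would, so a PSK mismatch between the Fortigate "set key" and the ClearPass NAD secret shows up as an undecodable body. The attribute values ClearPass-Admins and super_admin and the session id are constructed, and admin_profile_for is an illustrative model of the NAD decision, not the FortiOS algorithm.

```python
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02   # header "type" of an authorization packet
STATUS_PASS_ADD = 0x01   # TAC_PLUS_AUTHOR_STATUS_PASS_ADD
HEADER = "!BBBB4sI"      # version, type, seq_no, flags, session_id, body length

def obfuscate(body, session_id, key, version, seq_no):
    # RFC 8907 4.5: XOR the body with chained MD5(session_id|key|version|seq_no|prev);
    # XOR is its own inverse, so the same call de-obfuscates.
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

def build_author_reply(args, session_id, key, seq_no=2, version=0xC0):
    # Server side (ClearPass role): PASS_ADD reply carrying attr=value args, no server_msg/data.
    encoded = [a.encode() for a in args]
    body = struct.pack("!BBHH", STATUS_PASS_ADD, len(encoded), 0, 0)
    body += bytes(len(a) for a in encoded) + b"".join(encoded)
    header = struct.pack(HEADER, version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)

def parse_author_reply(packet, key):
    # NAD side (Fortigate role): de-obfuscate with the locally configured key -> (status, {attr: value}).
    version, ptype, seq_no, _flags, session_id, length = struct.unpack(HEADER, packet[:12])
    if ptype != TAC_PLUS_AUTHOR or length != len(packet) - 12:
        raise ValueError("malformed TACACS+ authorization packet")
    body = obfuscate(packet[12:], session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens, pos = body[6:6 + arg_cnt], 6 + arg_cnt + msg_len + data_len
    if len(arg_lens) != arg_cnt or pos + sum(arg_lens) != len(body):
        raise ValueError("body lengths do not add up: shared key (PSK) mismatch?")
    attrs = {}
    for n in arg_lens:
        # only mandatory "attr=value" args are handled here (optional ones use "*")
        name, _, value = body[pos:pos + n].decode("ascii").partition("=")
        attrs[name], pos = value, pos + n
    return status, attrs

def admin_profile_for(packet, key, remote_group):
    # Illustrative NAD decision (not FortiOS code): honour admin_prof only if memberof matches the configured remote group.
    status, attrs = parse_author_reply(packet, key)
    if status != STATUS_PASS_ADD or attrs.get("memberof") != remote_group:
        return None
    return attrs.get("admin_prof")

# Constructed sample: what the Admin enforcement profile would return for one session.
KEY = b"SECRETHERE"
REPLY = build_author_reply(["memberof=ClearPass-Admins", "admin_prof=super_admin"], b"\x00\x00\xbe\xef", KEY)
```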