Fortinet SSL VPN with tacacs+ and mavis Active Directory backend - group troubles


dja...@markleygroup.com

May 8, 2018, 3:56:44 PM
to Event-Driven Servers
We need to be able to restrict logins to our firewall to a specific group. But if the user is not in AAA-firewallusers, but *is* in any other group that has "default service = permit", the user is still successfully authenticated. How can I indicate that a user has to be in a specific group? Is that possible? Am I missing something obvious?

    mavis module = external {
        script out = {
            # Require group membership:
            if (undef($TACMEMBER) && $RESULT == ACK) set $RESULT = NAK
        }

        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "ldaps://bos1-lin-duo01:636 ldaps://bos1-lin-duo02:636"
        setenv LDAP_SCOPE = sub
        setenv LDAP_BASE = "dc=mgcsops,dc=net"
        setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
        setenv LDAP_USER = a...@our.domain
        setenv LDAP_PASSWD = "itsasecret"
        setenv AD_GROUP_PREFIX = AAA-
        setenv REQUIRE_AD_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }

    user backend = mavis
    login backend = mavis
    pap backend = mavis

    group = firewallusers {
        default service = permit
    }

    group = VPN {
        default service = permit
    }

    # maps to AD group AAA-Admins
    group = Admins {
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            optional shell:roles="\"network-admin\""
            set shell:priv-lvl=15
            set priv-lvl = 15
        }
        service = junos-exec { set local-user-name = read-write }
    }
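A simplified model of the prefix-based AD-group-to-TACACS+-group mapping and of the `script out` rule in the post above, added here as an illustration. It is not mavis or tac_plus code; the sample directory entries, user names and function names are constructed. It shows why the check on `$TACMEMBER` alone lets a user who is only in AAA-VPN log in, and what a per-device required-group check would have to test instead:

```python
"""Model of the policy discussed in the thread (illustration only, not mavis code).

AD groups carrying AD_GROUP_PREFIX are mapped to TACACS+ group names by
stripping the prefix (AAA-VPN -> VPN). REQUIRE_AD_GROUP_PREFIX = 1 rejects
users with no such group, and the poster's `script out` rule does the same.
Neither step says anything about *which* prefixed group the user is in.
"""

AD_GROUP_PREFIX = "AAA-"          # setenv AD_GROUP_PREFIX = AAA-
REQUIRE_AD_GROUP_PREFIX = True    # setenv REQUIRE_AD_GROUP_PREFIX = 1

# Constructed sample of what the memberOf lookup returns per user.
DIRECTORY = {
    "alice": ["CN=AAA-firewallusers,OU=Groups,DC=example,DC=net",
              "CN=Domain Users,OU=Groups,DC=example,DC=net"],
    "bob":   ["CN=AAA-VPN,OU=Groups,DC=example,DC=net"],
    "carol": ["CN=Domain Users,OU=Groups,DC=example,DC=net"],
}

# Every group in the poster's config has "default service = permit".
PERMITTED_GROUPS = {"firewallusers", "VPN", "Admins"}


def cn_of(dn):
    """Return the CN of a DN such as 'CN=AAA-VPN,OU=Groups,...'."""
    return dn.split(",")[0].split("=", 1)[1]


def map_groups(member_of, prefix=AD_GROUP_PREFIX):
    """Keep only groups carrying the prefix and strip it, giving the
    TACACS+ group names used in the tac_plus config."""
    return [cn_of(dn)[len(prefix):]
            for dn in member_of if cn_of(dn).startswith(prefix)]


def backend_result(user, password_ok, require_prefix=REQUIRE_AD_GROUP_PREFIX):
    """Return (RESULT, TACMEMBER) for one authentication attempt."""
    if not password_ok or user not in DIRECTORY:
        return "NAK", []
    result = "ACK"
    tacmember = map_groups(DIRECTORY[user])
    if require_prefix and not tacmember:
        result = "NAK"            # no prefixed group: backend rejects
    # The poster's script-out rule, which has the same effect:
    #   if (undef($TACMEMBER) && $RESULT == ACK) set $RESULT = NAK
    if not tacmember and result == "ACK":
        result = "NAK"
    return result, tacmember


def login_allowed(user, password_ok, required_group=None):
    """With required_group=None this reproduces the behaviour the poster
    complains about: any prefixed group with default service = permit is
    enough. With a required_group it models the per-device restriction
    they are asking for (membership in that specific TACACS+ group)."""
    result, tacmember = backend_result(user, password_ok)
    if result != "ACK":
        return False
    if required_group is not None:
        return required_group in tacmember
    return any(g in PERMITTED_GROUPS for g in tacmember)


if __name__ == "__main__":
    for user in DIRECTORY:
        print(user, "any group:", login_allowed(user, True),
              "firewallusers only:", login_allowed(user, True, "firewallusers"))
```

In the unrestricted case `bob` (only in AAA-VPN) is accepted, which is the problem described in the post; carol, with no AAA- group at all, is the only user the `$TACMEMBER` rule rejects. Passing the required group makes the decision depend on the specific mapped group rather than on the existence of any mapped group.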


dja...@markleygroup.com

May 11, 2018, 3:07:24 PM
to Event-Driven Servers
It seems like I should be able to do this with realms, but I have not been able to figure out how so far. Can someone who understands realms give me an assist?

I have this

    host = test_forti {
        key = "test"
        address = 10.254.1.129
        aaa realm = Forti
        client realm = Forti
    }

in the config, and then below that I have

    realm = Forti {
        mavis module = external {
            setenv AD_GROUP_PREFIX = Forti-
            setenv FLAG_USE_MEMBEROF = 1
            script out = {
                if (undef($TACMEMBER) && $RESULT == ACK) set $RESULT = NAK
            }
            setenv LDAP_SERVER_TYPE = "microsoft"
            setenv LDAP_HOSTS = "ldaps://bos1-lin-duo01:636 ldaps://bos1-lin-duo02:636"
            setenv LDAP_SCOPE = sub
            setenv LDAP_BASE = "dc=mgcsops,dc=net"
            setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
            setenv LDAP_USER = m...@here.com
            setenv LDAP_PASSWD = "secret"
            setenv AD_GROUP_PREFIX = Forti-
            setenv REQUIRE_AD_GROUP_PREFIX = 1
            exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }
        aaa realm = Forti
        user backend = mavis
        login backend = mavis
        pap backend = mavis

        group = VPN {
            default service = permit
            mavis realm = Forti
            service = fortigate {
            #   set memberof=<TACACS+ group>
            #   set admin_prof=<Required Acc Profile>
            }
        }
    }

With debugging on, I am only seeing the default realm getting hit.

Shin Sterneck

Jun 3, 2018, 9:24:37 AM
to Event-Driven Servers

Daniel Jacobs

Jun 4, 2018, 12:57:50 PM
to event-driv...@googlegroups.com
Thank you, Shin. That looks like it should work, and is simpler than implementing realms.

--
Daniel Jacobs

Markley Group 
One Summer Street, Boston, MA 02110 
M: +1-727-647-6532
