Custom Access Requirement for Specific Device in tacplus_ng Setup


Sujith S

Jul 7, 2025, 8:41:10 AM
to Event-Driven Servers
We are currently using tacplus_ng integrated with Active Directory, and everything is working well. We have two AD groups:

RW (ReadWrite)
RO (ReadOnly)

These are mapped to two corresponding profiles:

readwrite
readonly

Our current setup enforces access based on group membership as expected. However, we now have a new requirement:

If a user belongs to the RO group and tries to access the device at 192.168.1.1, they should be granted readwrite access instead of readonly.

Could you please advise how we can implement this exception in tacplus_ng? Is there a way to override the default group-to-profile mapping for a specific device?

Marc Huber

Jul 7, 2025, 11:02:56 AM
to event-driv...@googlegroups.com

Hi,

you can check for the device address and assign your readwrite profile accordingly:

if (member == RO) {
    if (device.address == 192.168.1.1)
        profile = readwrite
    else
        profile = readonly
    permit
}

Cheers,

Marc

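The exception Marc describes is a first-match decision: the script's if/else-if chain is walked top to bottom and the first branch whose condition holds sets the profile. The ordering matters, because a narrower rule (RO group on one device) placed after a broader one (RO group anywhere) can never fire. The following Python model is an added example, not code from the thread or from tac_plus-ng; the Request class, rule names, sample DNs and the unreachable-rule check are constructed for illustration, while the group regexes and the 192.168.1.1 exception follow the thread.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Added example: first-match model of the ruleset script discussed in the
# thread (RW group -> netadmin; RO group on one device -> netadmin;
# RO group elsewhere -> readonly; anything else -> deny).
# Request, the rule names and the sample DNs are constructed; the regexes
# and the 192.168.1.1 exception come from the thread.


@dataclass(frozen=True)
class Request:
    memberof: str        # group DN from the directory backend (memberof)
    device_address: str  # address of the requesting device (device.address)


RW_GROUP = re.compile(r"(?i)^cn=Networking-RW,ou=static groups")
RO_GROUP = re.compile(r"(?i)^cn=Networking-RO,ou=static groups")
EXCEPTION_DEVICE = "192.168.1.1"

# (rule name, condition, profile or None for deny), evaluated top to bottom
Rule = tuple[str, Callable[[Request], bool], Optional[str]]

RULES: list[Rule] = [
    ("rw", lambda r: RW_GROUP.search(r.memberof) is not None, "netadmin"),
    ("ro-exception",
     lambda r: RO_GROUP.search(r.memberof) is not None
     and r.device_address == EXCEPTION_DEVICE, "netadmin"),
    ("ro", lambda r: RO_GROUP.search(r.memberof) is not None, "readonly"),
]


def evaluate(req: Request, rules: list[Rule] = RULES) -> tuple[str, Optional[str]]:
    """First matching rule wins, like the if/else-if chain in the script.
    Returns (rule name, profile); profile None means the request is denied."""
    for name, cond, profile in rules:
        if cond(req):
            return name, profile
    return "default-deny", None


def unreachable_rules(rules: list[Rule], samples: list[Request]) -> list[str]:
    """Names of rules that decide none of the sample requests.
    A narrow rule placed after a broader one (the device exception after the
    plain RO rule) shows up here; that is the ordering mistake to look for."""
    fired = {evaluate(s, rules)[0] for s in samples}
    return [name for name, _, _ in rules if name not in fired]


# Constructed sample requests, one per branch of the script
SAMPLES = [
    Request("CN=Networking-RW,OU=Static Groups,OU=Domain Groups,DC=example,DC=net", "10.0.0.1"),
    Request("CN=Networking-RO,OU=Static Groups,OU=Domain Groups,DC=example,DC=net", "192.168.1.1"),
    Request("CN=Networking-RO,OU=Static Groups,OU=Domain Groups,DC=example,DC=net", "10.0.0.1"),
    Request("CN=Helpdesk,OU=Static Groups,OU=Domain Groups,DC=example,DC=net", "192.168.1.1"),
]

# The same rules with the device exception placed after the plain RO rule
MISORDERED = [RULES[0], RULES[2], RULES[1]]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.device_address, evaluate(s))
    print("unreachable (correct order):", unreachable_rules(RULES, SAMPLES))
    print("unreachable (misordered):", unreachable_rules(MISORDERED, SAMPLES))
```

Running the model with the rules in the thread's order gives the RO user on 192.168.1.1 the netadmin profile; with the exception moved below the plain RO rule the same request gets readonly and the exception rule is reported as unreachable, which is the check worth running against a set of representative requests whenever a device-specific override is added.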

Sujith S

Jul 7, 2025, 11:44:36 PM
to Event-Driven Servers
Thanks Marc,

Could you please help me to configure FortiGate and Palo Alto firewalls? The below is working fine for Cisco devices:
ruleset {
    rule {
        script {


            if (memberof =~ /(?i)^cn=Networking-RW,ou=static groups/) {
                profile = netadmin
                permit

            } else if (memberof =~ /(?i)^cn=Networking-RO,ou=static groups/ && device.address == "192.168.1.1") {
                profile = netadmin
                permit

            } else if (memberof =~ /(?i)^cn=Networking-RO,ou=static groups/) {
                profile = readonly
                permit

            } else {
                deny
            }

        }
    }
}

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Tried the below for FortiGate, but it is not working:
ruleset {
    rule {
        script {
            if (service == fortigate) {
                if (memberof =~ /(?i)^cn=Networking-RW,ou=static groups/) {
                    set memberof = "ADMIN-RW"
                    set admin_prof = "super_admin"
                    permit
                } else if (memberof =~ /(?i)^cn=Networking-RO,ou=static groups/) {
                    set memberof = "ADMIN-RO"
                    set admin_prof = "readonly"
                    permit
                } else {
                    deny
                }
            }
        }
    }
}
---------------------------------------------------------------------------------------------------------------------------------------------
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 user (len: 18): sujith.s
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 port (len: 0):
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 rem_addr (len: 14): 192.168.1.1
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 ---<end packet>---
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 authen: hdr->seq_no: 1
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 looking for user sujith.s realm default
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 user lookup succeded
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 evaluating ACL __internal__username_acl__
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158  regex: '[]<>/()|=[*"':$]+' <=> 'sujith.s = 0
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158  line 502: [user] regex '[]<>/()|=[*"':$]+' => false
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158  line 502: [permit]
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 ACL __internal__username_acl__: match
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 looking for user sujith.s in MAVIS backend
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 result for user sujith.s is ACK [17 ms]
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 looking for user sujith.s realm default
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 user lookup succeded
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 evaluating ACL default#0
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158  pcre2: '(?i)^cn=Networking-RW,ou=static groups' <=> 'CN=Networking-RW,OU=Static Groups,OU=Domain Groups,DC=****=net' = 1
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158  line 138: [memberof] <pcre-regex> '(?i)^cn=Networking-RW,ou=static groups' => true
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158  line 139: [profile] 'netadmin'
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158  line 140: [permit]
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 ACL default#0: match
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 sujith.s 192.168.1.1: ACL default#0: permit (profile: netadmin)
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 pap login for 'sujith.s' from 192.168.1.1 succeeded (profile=netadmin)
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 Writing AUTHEN/PASS size=18
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 ---<start packet>---
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 key used: Mykey
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 version: 193, type: 1, seq no: 2, flags: unencrypted
Jul 08 03:35:03 cilchshrslog01 tac_plus-ng[226032]: 5/4dbd2815: 172.17.12.158 session id: 4dbd2815, data length: 6

Marc Huber

Jul 8, 2025, 10:26:21 AM
to event-driv...@googlegroups.com

Hi,

I've no detailed knowledge of FortiGate authentication. I'd likely start with trying to debug this on the FortiGate first; I think I've seen a pretty comprehensive TechTip on that on the Fortinet site some time ago.

Cheers,

Marc

On 08.07.2025 15:10, Sujith S wrote:
Hi Marc

Below is my config; it is working fine for Cisco and Palo Alto devices,
but I am facing an issue with FortiGate.

Readonly users are getting only readonly access, but readwrite group members are not getting readwrite access. Please help me to fix this.

ruleset {
    rule {
        script {
            # For RW group (common to FortiGate and Cisco)
            if (memberof =~ /(?i)^cn=Networkinginfrastructure-RW,ou=static groups/) {
                if (device.address == "172.17.12.158") {
                    # FortiGate
                    set memberof = "ADMIN-RW"
                    set admin_prof = "rw_admin"
                }
                profile = netadmin
                permit

            # For RO group on FortiGate
            } else if (memberof =~ /(?i)^cn=Networkinginfrastructure-RO-SG,ou=static groups/) {
                if (device.address == "172.17.12.158") {
                    set memberof = "ADMIN-RO"
                    set admin_prof = "soc_admin_readonly"
                }
                profile = readonly
                permit

            } else {
                deny
            }
        }
    }
}



Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 evaluating ACL __internal__username_acl__
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158  regex: '[]<>/()|=[*"':$]+' <=> 'sujith.sudhakaran1' = 0
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158  line 502: [user] regex '[]<>/()|=[*"':$]+' => false
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158  line 502: [permit]
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 ACL __internal__username_acl__: match
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 looking for user sujith.sudhakaran1 in MAVIS backend
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 result for user sujith.sudhakaran1 is ACK [32 ms]
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 looking for user sujith.sudhakaran1 realm default
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 user lookup succeded
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 evaluating ACL default#0
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158  pcre2: '(?i)^cn=Networkinginfrastructure-RW,ou=static groups' <=> 'CN=Networkinginfrastructure-RW,OU=Static Groups,OU=Domain Groups,DC=envestnetpmc,DC=net' = 1
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158  line 112: [memberof] <pcre-regex> '(?i)^cn=Networkinginfrastructure-RW,ou=static groups' => true
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158  line 113: [nas] address '172.17.12.158' => true
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158  line 115: [set] 'memberof=ADMIN-RW'
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158  line 116: [set] 'admin_prof=rw_admin'
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158  line 118: [profile] 'netadmin'
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158  line 119: [permit]
Jul 08 13:00:29 cilchshrslog01 tac_plus-ng[232972]: 7/01f2f88f: 172.17.12.158 ACL default#0: match

On Monday, 7 July 2025 at 20:32:56 UTC+5:30 Marc Huber wrote:

Marc Huber

Jul 8, 2025, 12:22:45 PM
to event-driv...@googlegroups.com
Hi,

your debug output shows an authentication request, but authorization
attributes (and I'd rather set those at profile level, but not in the
rule set) will show up in authorization packets only. Please
double-check your debug output for authorization packets. Authorization
should happen just after authentication.

Cheers,

Marc

On 08.07.2025 16:44, Sujith S wrote:
> Hi Marc,
>
> Please refer this detailed article for fortigate configuration
> https://sharifulhoque.blogspot.com/2019/09/fortigate-using-radius-server-windows_4.html
>
> Currently, we are using Cisco ISE, and it's working fine with most
> devices.
>
> In Active Directory (AD), we have two user groups:
>
> Networkinginfrastructure-RW
>
> Networkinginfrastructure-RO
>
> Expected Behavior:
>
> Members of Networkinginfrastructure-RW should receive full admin access.
>
> Members of Networkinginfrastructure-RO should receive read-only access.
>
> Issue:
> This configuration is working as expected for Cisco and Palo Alto devices.
> However, on the FortiGate, members of the Networkinginfrastructure-RW
> group are incorrectly getting read-only access instead of full admin.
>
> Below is the ruleset configuration I am using. I suspect the issue
> might lie here. Could you please review and confirm?
>
> ruleset {
>     rule {
>         script {
>             # For RW group (common to FortiGate and Cisco)
>             if (service == fortigate){
>
>             if (memberof =~
> /(?i)^cn=Networkinginfrastructure-RW,ou=static groups/) {
>                 if (device.address == "172.17.12.158") {
>                     # FortiGate
>                     set memberof = "ADMIN-RW"
>                    set admin_prof = "env_rw_admin"
>
>                 }
>                 profile = netadmin
>                 permit
>
>             # For RO group on FortiGate
>             } else if (memberof =~
> /(?i)^cn=Networkinginfrastructure-RO-SG,ou=static groups/) {
>                 if (device.address == "172.17.12.158") {
>                     set memberof = "ADMIN-RO"
>                     set admin_prof = "soc_admin_readonly"
>                 }
>                 profile = readonly
>                 permit
>
>             } else {
>                 deny
>             }
>         }
>     }
> }
> }
>
> Logs
> Readonly user Girish
>
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 looking for user Girish.Kumar in MAVIS backend
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 result for user Girish.Kumar is ACK [18 ms]
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 looking for user Girish.Kumar realm default
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 user lookup succeded
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 evaluating ACL default#0
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158  pcre2: '(?i)^cn=Networkinginfrastructure-RW,ou=static
> groups' <=> 'CN=NetworkingInfrastructure-RO-SG,OU=Static
> Groups,OU=Domain Groups,DC=estnetpmc,DC=net' = 0
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158  line 112: [memberof] <pcre-regex>
> '(?i)^cn=Networkinginfrastructure-RW,ou=static groups' => false
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158  line 112: [else]
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158  pcre2:
> '(?i)^cn=Networkinginfrastructure-RO-SG,ou=static groups' <=>
> 'CN=NetworkingInfrastructure-RO-SG,OU=Static Groups,OU=Domain
> Groups,DC=estnetpmc,DC=net' = 1
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158  line 122: [memberof] <pcre-regex>
> '(?i)^cn=Networkinginfrastructure-RO-SG,ou=static groups' => true
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158  line 123: [nas] address '172.17.12.158' => true
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158  line 124: [set] 'memberof=ADMIN-RO'
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158  line 125: [set] 'admin_prof=soc_admin_readonly'
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158  line 127: [profile] 'readonly'
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158  line 128: [permit]
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 ACL default#0: match
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 Girish.Kumar 172.16.100.102: ACL default#0: permit
> (profile: readonly)
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 pap login for 'Girish.Kumar' from 172.16.100.102
> succeeded (profile=readonly)
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 Writing AUTHEN/PASS size=18
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 ---<start packet>---
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 key used: Mykey
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 version: 193, type: 1, seq no: 2, flags: unencrypted
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 session id: 43177bd5, data length: 6
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 AUTHEN, status=1 (AUTHEN/PASS) flags=0x0
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 msg_len=0, data_len=0
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 msg (len: 0):
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 data (len: 0):
> Jul 08 11:53:58 cilchshrslog01 tac_plus-ng[232045]: 21/43177bd5:
> 172.17.12.158 ---<end packet>---
>
>
>
> Readwrite user sujith.sudhakaran1
>
> handle_req-Rcvd auth req 152767791 for sujith.sudhakaran1 in ADMIN-RO
> opt=0001c001 prot=11
> [489] __compose_group_list_from_req-Group 'ADMIN-RO', type 1
> [616] fnbamd_pop3_start-sujith.sudhakaran1
> [378] radius_start-Didn't find radius servers (0)
> [1235] __tac_plus_try_next_server-Try CHI-ISE:10.152.10.51
> [361] __tac_plus_dns_cb-Resolved CHI-ISE:10.152.10.51 to 10.152.10.51,
> cur stack size:1
> [281] sock_connect-connecting CHI-ISE:10.152.10.51: 10.152.10.51
> [1235] __tac_plus_try_next_server-Try TEST:172.17.12.204
> [361] __tac_plus_dns_cb-Resolved TEST:172.17.12.204 to 172.17.12.204,
> cur stack size:1
> [281] sock_connect-connecting TEST:172.17.12.204: 172.17.12.204
> [497] ldap_start-Didn't find ldap servers
> [480] fnbamd_cfg_get_ext_idp_list-
> [454] __fnbamd_cfg_get_ext_idp_list_by_group-
> [460] __fnbamd_cfg_get_ext_idp_list_by_group-Group 'ADMIN-RO'
> [490] fnbamd_cfg_get_ext_idp_list-Total external identity provider
> servers to try: 0
> [652] create_auth_session-Total 2 server(s) to try
> [1980] handle_req-r=4
> [393] is_sock_connected-tcp connected
> [500] build_authen_start-building authen start packet: authen_type=2(pap)
> [803] tac_plus_result-Authen sending request
> [408] pak_send-Encrypting pkt
> [1231] fsm_tac_plus_update_result-Continue pending for req 152767791
> [813] tac_plus_result-Authen receiving reply
> [465] pak_recv-read all header, data len 6
> [1231] fsm_tac_plus_update_result-Continue pending for req 152767791
> [813] tac_plus_result-Authen receiving reply
> [560] parse_authen_reply-authen result=1(pass)
> [1623] fnbam_user_auth_group_match-req id: 152767791, server: TEST,
> local auth: 0, dn match: 0
> [292] find_matched_usr_grps-Passed group matching
> [209] fnbamd_comm_send_result-Sending result 0 (nid 0) for req
> 152767791, len=2540
> [808] destroy_auth_session-delete session 152767791
> [1244] tac_plus_destroy-CHI-ISE
> [1244] tac_plus_destroy-TEST
> [1086] fnbamd_ext_idps_destroy-
> [208] __fnbamd_remote_ca_refresh-
> [2507] handle_req-Rcvd auth_cert req id=152767792, len=1599, opt=8
> [983] __cert_auth_ctx_init-req_id=152767792, opt=8
> [992] __cert_auth_ctx_init-OCSP resp is found.
> [103] __cert_chg_st- 'Init'
>

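Marc's point is that the debug output quoted so far only ever shows authentication packets (type 1 in the packet header line), so the attributes set by the script were never sent to the device; they travel in authorization packets (type 2), which the device has to request after a successful login. The following Python triage helper is an added example, not code from the thread or from tac_plus-ng: it groups debug lines by session token, records which packet types each session exchanged, and flags sessions that set attributes without any authorization exchange. The line layout is modelled on the debug lines quoted in the thread; SAMPLE_LOG is constructed, not real server output.

```python
import re
from collections import defaultdict

# Added example: triage of tac_plus-ng debug output by session, separating
# authentication from authorization packets. The line layout follows the
# debug lines quoted in the thread; SAMPLE_LOG is constructed. TACACS+
# packet types: 1 authentication, 2 authorization, 3 accounting (RFC 8907).

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) tac_plus-ng\[(?P<pid>\d+)\]: "
    r"(?P<session>\S+): (?P<nas>\S+) (?P<msg>.*)$"
)
PACKET_RE = re.compile(r"version: \d+, type: (?P<type>\d+), seq no: (?P<seq>\d+)")
SET_RE = re.compile(r"\[set\] '(?P<key>[^'=]+)=(?P<value>[^']*)'")
PROFILE_RE = re.compile(r"\[profile\] '(?P<profile>[^']+)'")
TYPE_NAMES = {1: "authentication", 2: "authorization", 3: "accounting"}


def triage(lines):
    """Group debug lines by session token and record, per session, the NAS
    address, the packet types seen, the profile chosen and the attributes
    set by the rule or profile scripts."""
    sessions = defaultdict(
        lambda: {"nas": None, "types": set(), "profile": None, "attributes": {}})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a tac_plus-ng debug line
        s = sessions[m["session"]]
        s["nas"] = m["nas"]
        msg = m["msg"].strip()  # script lines carry an extra leading space
        if p := PACKET_RE.search(msg):
            s["types"].add(int(p["type"]))
        elif a := SET_RE.search(msg):
            s["attributes"][a["key"]] = a["value"]
        elif pr := PROFILE_RE.search(msg):
            s["profile"] = pr["profile"]
    # Render packet types as names, in protocol order
    return {
        sid: {**v, "types": [TYPE_NAMES.get(t, f"type{t}") for t in sorted(v["types"])]}
        for sid, v in sessions.items()
    }


def attributes_without_authorization(summary):
    """Sessions where attributes were set but no authorization packet was
    exchanged: the device only authenticated, so the attributes never
    reached it, which is the symptom Marc describes."""
    return sorted(sid for sid, v in summary.items()
                  if v["attributes"] and "authorization" not in v["types"])


# Constructed sample: session 7/0000aaaa authenticates only; session
# 8/0000bbbb authenticates and then requests authorization.
SAMPLE_LOG = """\
Jul 08 13:00:29 tacacs01 tac_plus-ng[1000]: 7/0000aaaa: 172.17.12.158 evaluating ACL default#0
Jul 08 13:00:29 tacacs01 tac_plus-ng[1000]: 7/0000aaaa: 172.17.12.158  line 115: [set] 'memberof=ADMIN-RW'
Jul 08 13:00:29 tacacs01 tac_plus-ng[1000]: 7/0000aaaa: 172.17.12.158  line 116: [set] 'admin_prof=rw_admin'
Jul 08 13:00:29 tacacs01 tac_plus-ng[1000]: 7/0000aaaa: 172.17.12.158  line 118: [profile] 'netadmin'
Jul 08 13:00:29 tacacs01 tac_plus-ng[1000]: 7/0000aaaa: 172.17.12.158 Writing AUTHEN/PASS size=18
Jul 08 13:00:29 tacacs01 tac_plus-ng[1000]: 7/0000aaaa: 172.17.12.158 version: 193, type: 1, seq no: 2, flags: unencrypted
Jul 08 13:00:30 tacacs01 tac_plus-ng[1000]: 8/0000bbbb: 10.0.0.5 evaluating ACL default#0
Jul 08 13:00:30 tacacs01 tac_plus-ng[1000]: 8/0000bbbb: 10.0.0.5  line 118: [profile] 'netadmin'
Jul 08 13:00:30 tacacs01 tac_plus-ng[1000]: 8/0000bbbb: 10.0.0.5 version: 193, type: 1, seq no: 2, flags: unencrypted
Jul 08 13:00:31 tacacs01 tac_plus-ng[1000]: 8/0000bbbb: 10.0.0.5 version: 192, type: 2, seq no: 1, flags: unencrypted
Jul 08 13:00:31 tacacs01 tac_plus-ng[1000]: 8/0000bbbb: 10.0.0.5  line 12: [set] 'priv-lvl=15'
Jul 08 13:00:31 tacacs01 tac_plus-ng[1000]: 8/0000bbbb: 10.0.0.5 version: 192, type: 2, seq no: 2, flags: unencrypted
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines())
    for sid, v in summary.items():
        print(sid, v["nas"], v["types"], v["profile"], v["attributes"])
    print("attributes set but never authorized:", attributes_without_authorization(summary))
```

Run against a real debug capture (one line per list element, as from readlines()), the sessions it reports are the ones where the device never sent an authorization request; that narrows the problem to the device's AAA configuration rather than to the tac_plus-ng script.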