AAA

  1. FreeRadius
  2. tac_plus
  3. Cisco
  4. Fortinet
  5. CheckPoint
  6. Links

FreeRadius

/usr/local/etc/raddb/clients.conf

# NAS definition (clients.conf): which device may send RADIUS requests and
# with what shared secret.
# ipaddr  - address of the NAS (the Cisco device here).  8.8.8.8 is a
#           placeholder; replace it with the real management address/subnet.
# secret  - RADIUS shared secret the NAS must be configured with.  It is what
#           hides User-Password and authenticates Message-Authenticator on
#           this leg.  "testing123" is the sample value from the stock
#           clients.conf; use a unique, long secret per NAS.
client cisco {
        ipaddr          = 8.8.8.8
        secret          = testing123
}
/usr/local/etc/raddb/users
# Local user "cisco" for device CLI login.
# Check item (first line):
#   Cleartext-Password := "cisco"   password stored in the clear in this file.
# Reply items (comma-continued lines, last one without a comma):
#   Service-Type = NAS-Prompt-User         exec/CLI session rather than PPP
#   Reply-Message := "Hello, %{User-Name}" banner, expanded with the user name
#   Cisco-AVpair = "shell:priv-lvl=15"     Cisco VSA: privilege level 15 at login
# NOTE(review): the path label above is raddb/users (v2 layout) while the
# default-site comment further down says v3 reads
# raddb/mods-config/files/authorize - confirm which version this is for.
cisco         Cleartext-Password := "cisco"
              Service-Type = NAS-Prompt-User,
              Reply-Message := "Hello, %{User-Name}",
              Cisco-AVpair = "shell:priv-lvl=15"
/usr/local/etc/raddb/sites-available/default
        #  Read the 'users' file.  In v3, this is located in
        #  raddb/mods-config/files/authorize
        files

        # MAC Auth
        # NOTE(review): rewrite_called_station_id normalises Called-Station-Id
        # (the NAS/AP side of the request).  The authorized_macs instance is
        # keyed on Calling-Station-ID (the client MAC) and the file uses the
        # lowercase hyphenated form fe-0c-29-67-50-fe, which is the form the
        # stock rewrite_calling_station_id policy produces - verify this is
        # not a typo for rewrite_calling_station_id.
        rewrite_called_station_id

        # Now check against the authorized_macs file
        authorized_macs
        # !ok is true for any return code other than ok from the module above
        # (an unlisted MAC gives notfound), so unknown MACs are rejected here.
        if (!ok) {
           # Reject if the MAC address was not permitted.
           reject
        } else {
           # accept
           # Auth-Type := Accept skips password authentication entirely: for a
           # listed MAC the MAC itself is the whole credential.
           update control {
              Auth-Type := Accept
           }
        }
/usr/local/etc/raddb/mods-available/files
# rlm_files instance dedicated to MAC authentication bypass (MAB).  It keys
# entries on Calling-Station-ID (the client MAC as sent by the NAS) rather
# than on the user name, and reads them from the authorized_macs file below.
# NOTE(review): this lives in mods-available; presumably it still has to be
# linked into mods-enabled before the authorize section can call it - confirm.
files authorized_macs {
        # The default key attribute to use for matches.  The content
        # of this attribute is used to match the "name" of the
        # entry.
        key = "%{Calling-Station-ID}"

        # Entry names in this file must be in the exact form the NAS sends
        # (after any rewrite policy); the file below uses lowercase, hyphen
        # separated MACs.
        usersfile = ${confdir}/authorized_macs

}
/usr/local/etc/raddb/authorized_macs
# One entry per permitted client MAC.  The entry name is matched against
# Calling-Station-ID (per the key in mods-available/files).  The
# Cleartext-Password check item is the MAC again, as NASes usually send for
# MAB, but with Auth-Type := Accept set in the authorize section no password
# is actually verified for a matching entry.
# Reply items:
#   Tunnel-Type = VLAN, Tunnel-Medium-Type = 6 (IEEE-802)  VLAN assignment
#   framing.  NOTE(review): no Tunnel-Private-Group-Id is set, so no VLAN id
#   is actually returned; add one (Tunnel-Private-Group-Id = "<vlan-id>") if
#   dynamic VLAN assignment is intended.
#   User-Name = "WLAN Client"  replaces the user name reported for the session.
fe-0c-29-67-50-fe       Cleartext-Password := "fe-0c-29-67-50-fe"
                        Tunnel-Type = VLAN,
                        Tunnel-Medium-Type = 6,
                        User-Name = "WLAN Client"

tac_plus

id = tac_plus {

    # One log file per TACACS+ phase, rolled daily by the %Y-%m-%d pattern.
    # The authorization and accounting logs are the per-command audit trail
    # for the privilege-15 shell granted to the admin group below.
    authentication log = /var/log/tac_plus/authentication/%Y-%m-%d.log
    authorization log = /var/log/tac_plus/authorization/%Y-%m-%d.log
    accounting log = /var/log/tac_plus/accounting/%Y-%m-%d.log

    # Log client addresses as-is; no PTR lookups on the request path.
    dns reverse-lookup = no

    # First MAVIS backend in the chain: presumably caches lookup results on
    # disk so the external RADIUS backend below is not asked on every login.
    # NOTE(review): /tmp is world-writable; a dedicated directory with
    # restrictive permissions is preferable for cached account data - confirm
    # what the module stores there.
    mavis module = tacinfo_cache {
         directory = /tmp/tacinfo
    }

    ## You can use either the Perl module ...
    # Second MAVIS backend: user lookup/authentication is delegated to RADIUS
    # through the bundled Perl helper.
    # RADIUS_HOST   - one or more server:port pairs, comma separated; the
    #                 11.11.11.11 / 12.12.12.12 addresses are placeholders.
    # RADIUS_SECRET - must equal the `secret` configured for this tac_plus host
    #                 in the RADIUS server's clients.conf.  "testing123" is the
    #                 stock sample value; change it on both sides together.
    # NOTE(review): with RADIUS_GROUP_ATTR left commented out, presumably no
    # group membership comes back from RADIUS, so membership in the admin
    # group below must be assigned some other way - confirm.
    mavis module = external {
         exec = /usr/local/lib/mavis/mavis_tacplus_radius.pl
         setenv RADIUS_HOST = "11.11.11.11:1812, 12.12.12.12:1812" # could add more hosts here, comma-separated
         setenv RADIUS_SECRET = "testing123"
         # setenv RADIUS_GROUP_ATTR = Class
         # setenv RADIUS_PASSWORD_ATTR = Password # defaults to: User-Password
    }

    # Client (NAS) definition.  Every device in 10.0.0.0/8 may talk to this
    # server using the same TACACS+ key.  Narrow `address` to the actual
    # management subnet(s), and replace the literal key "secret": the key is
    # what obfuscates the TACACS+ packet body on the wire.
    # The banners are printed at login; %A is presumably the strftime weekday
    # name ("Today is Monday.").
    host = 10.0.0.0/8 {
      address = 10.0.0.0/8
      welcome banner = "\n  Welcome to TACACS. Today is %A.\n\n"
      motd banner = "\n  You are logged in.\n"
      key = secret
    }

    # Authorization profile for administrators.
    # default service = permit  authorises any service not listed explicitly.
    # service = shell           privilege level 15 at login and every command
    #                           permitted (default command = permit): there is
    #                           no per-command restriction in this group.
    # service = fortigate       FortiGate-specific attributes (admin profile,
    #                           VDOM, group membership) the firewall reads for
    #                           TACACS+ logins; super_admin on the root VDOM is
    #                           full control of the device.
    group = admin {
      default service = permit
      service = shell {
        set priv-lvl = 15
        default command = permit
      }
      service = fortigate {
        set memberof = FGT_admins
        set admin_prof = super_admin
        set vdom = root
      }
    }

    # Both user lookup and password verification go through the MAVIS chain
    # above (cache first, then RADIUS); no users are defined locally in the
    # part of the configuration shown here.
    # NOTE(review): the enclosing `id = tac_plus {` block is not closed in
    # this excerpt - the closing brace must be present in the real file.
    user backend = mavis
    login backend = mavis

Cisco

Fortinet

CheckPoint