Administration Guide

Creating authorization rules

TACACS+ authorization can be managed from Authentication > TACACS+ Service > Authorization. In the TACACS+ Authorization menu, you can configure Rules, non-shell Services, and Shell Commands. Authorization rules can be specified within user groups or on individual user accounts. See Assigning authorization rules.

Caution

After successful authentication, FortiAuthenticator creates an authorization session for the user that lasts 28,800 seconds (8 hours). Any changes made to authorization rule configurations during that time will not apply to the user until the 8-hour session has expired.

To configure the maximum time (in seconds) for which an authenticated TACACS+ user is authorized to issue commands, go to Authentication > User Account Policies > General, and enter a value between 120 and 36,000 for Session duration of authenticated TACACS+ user.

To create an authorization rule:
  1. Go to Authentication > TACACS+ Service > Authorization, select Rules, and click Create New.
    The Create New TACACS+ Rule window opens.
  2. Enter the following information:
    Name: Enter a name for the authorization rule.
    Privilege level: Determines the access level users have before they are required to enter an enable password. The privilege level can be set between 0 and 15. Currently, escalation/elevation of privileges using the enable mode is not supported.
    Default permission for non-shell services: Set the permission for non-shell services. Per-service permissions cannot be specified here; non-shell services are only supported as Allow all or Deny all.
    Allowed services: Specify the list of allowed services. See Services.
    Default permission for shell commands: Set the permission for shell commands not explicitly specified under Shell commands.
    Shell commands: Select the configured shell commands to include in this authorization rule.
  3. Click OK to save the authorization rule.

To create a shell command:
  1. Go to Authentication > TACACS+ Service > Authorization, select Shell commands, and click Create New.
    The Create New TACACS+ Shell Command window opens.
  2. Enter the following information:
    Name: Enter a name for the shell command.
    Command: Enter the shell command.
    Default permission for unspecified arguments: Set the permission for command arguments not explicitly specified under Allowed arguments or Denied arguments.
    Allowed arguments / Denied arguments: Specify all sets of arguments to be allowed or denied. One set of arguments is entered per line; curly braces are not permitted.
  3. Click OK to save the shell command.

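
The following is an added example, not FortiAuthenticator's code, that models how the rule and shell command settings described above combine into one authorization decision: the rule's default for shell commands, each command's allowed and denied argument sets (one set per line), and the command's default for arguments in neither list. Two assumptions the page does not state: an argument set matches only when the whitespace-normalised request arguments equal a configured line exactly, and a set listed under both Allowed and Denied is denied.

```python
"""Decision model for a TACACS+ authorization rule with shell commands.

Added example; not FortiAuthenticator code. Privilege level, rule default,
per-command argument lists and per-command default follow the settings in
the guide. Exact-match argument sets and deny-wins are assumptions.
"""
from dataclasses import dataclass, field

ALLOW = "allow"
DENY = "deny"


def _norm(args: str) -> str:
    """Collapse repeated whitespace so 'ip   icmp' and 'ip icmp' compare equal."""
    return " ".join(args.split())


@dataclass
class ShellCommand:
    name: str
    command: str
    default_for_unspecified_args: str = DENY
    allowed_args: list = field(default_factory=list)   # one argument set per entry
    denied_args: list = field(default_factory=list)

    def decide(self, args: str) -> str:
        wanted = _norm(args)
        if wanted in (_norm(a) for a in self.denied_args):
            return DENY            # explicit deny wins (assumption)
        if wanted in (_norm(a) for a in self.allowed_args):
            return ALLOW
        return self.default_for_unspecified_args  # argument set in neither list


@dataclass
class AuthorizationRule:
    name: str
    privilege_level: int = 1
    default_for_shell_commands: str = DENY
    shell_commands: list = field(default_factory=list)

    def __post_init__(self):
        # The guide allows privilege levels 0 through 15 only.
        if not 0 <= self.privilege_level <= 15:
            raise ValueError("privilege level must be between 0 and 15")

    def authorize_shell(self, command: str, args: str = "") -> str:
        """Decide one shell command authorization request (command plus arguments)."""
        for sc in self.shell_commands:
            if sc.command == command:
                return sc.decide(args)
        # Command not configured in this rule: fall back to the rule default.
        return self.default_for_shell_commands


def example_rule() -> AuthorizationRule:
    """Constructed sample rule: a read-only operator."""
    show = ShellCommand("show-most", "show", ALLOW, denied_args=["running-config"])
    debug = ShellCommand("debug-icmp-only", "debug", DENY, allowed_args=["ip icmp"])
    ping = ShellCommand("ping-any", "ping", ALLOW)
    return AuthorizationRule("operator", privilege_level=1,
                             default_for_shell_commands=DENY,
                             shell_commands=[show, debug, ping])


if __name__ == "__main__":
    rule = example_rule()
    for cmd, args in [("show", "version"), ("show", "running-config"),
                      ("debug", "ip icmp"), ("debug", "all"),
                      ("ping", "10.0.0.1"), ("reload", "")]:
        print(f"{cmd} {args}".strip(), "->", rule.authorize_shell(cmd, args))
```

The sample rule denies everything it does not name, which mirrors the safe choice for the rule-level default: a command that is never configured (here, reload) can only be reached by an explicit entry.
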
To create a non-shell service:
  1. Go to Authentication > TACACS+ Service > Authorization, select Services, and click Create New.
    The Edit TACACS+ Service window opens.
  2. Enter the following information:
    Name: Enter a name for the non-shell service.
    Service: Enter the service. The service string can only contain ASCII characters in the 0x20-0x7E range, except '@' and '/'.
    Default permission for attributes:
      Allow: Attributes not listed in this service are allowed. These attributes are copied unchanged from the authorization request into the authorization response.
      Deny: Attributes not listed in this service are denied. If the TACACS+ client marked the denied attribute as mandatory, the authorization response is FAIL. If it is marked as optional, the attribute is removed from the authorization response.
  3. Click OK to save the non-shell service.
  4. Once the non-shell service has been created, you can edit it to add, edit, or remove attribute-value pairs.
    To create a new attribute-value pair, click Add Attribute in the Attribute-value Pairs section and configure the following information:

    Attribute-value Pairs: Specify the attribute, value, and restriction for this service. The available options for the restriction setting are:

    • Mandatory: Requires that the receiving side understands the attribute and will act on it. If the client receives a mandatory argument that it cannot oblige or does not understand, it must consider the authorization to have failed.
    • Optional: May be disregarded by the client.

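The following is an added example, not FortiAuthenticator's code, that models the attribute handling described for non-shell services: unlisted attributes are copied unchanged under a default of Allow, while under a default of Deny a mandatory unlisted attribute fails the authorization and an optional one is dropped. It also applies the service-string character rule. AV pair syntax follows RFC 8907, where `attr=value` is mandatory and `attr*value` is optional. One assumption the page does not spell out: an attribute that is listed in the service is answered with the service's configured value and restriction.

```python
"""Model of non-shell service attribute authorization.

Added example; not FortiAuthenticator code. Default Allow/Deny behaviour for
unlisted attributes follows the guide; answering listed attributes with the
configured value and restriction is an assumption.
"""
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"
MANDATORY, OPTIONAL = "mandatory", "optional"

# Guide rule: printable ASCII 0x20-0x7E, excluding '@' and '/'.
SERVICE_CHARS = {chr(c) for c in range(0x20, 0x7F)} - {"@", "/"}


def valid_service_name(service: str) -> bool:
    """True when the service string satisfies the guide's character rule."""
    return bool(service) and all(ch in SERVICE_CHARS for ch in service)


def parse_av_pair(text: str):
    """Split an RFC 8907 AV pair into (attribute, value, restriction).

    The first '=' or '*' is the separator: '=' marks mandatory, '*' optional.
    """
    for i, ch in enumerate(text):
        if ch == "=":
            return text[:i], text[i + 1:], MANDATORY
        if ch == "*":
            return text[:i], text[i + 1:], OPTIONAL
    raise ValueError(f"not an AV pair: {text!r}")


def format_av_pair(attr: str, value: str, restriction: str) -> str:
    return f"{attr}{'=' if restriction == MANDATORY else '*'}{value}"


@dataclass
class NonShellService:
    name: str
    service: str
    default_for_attributes: str = DENY
    av_pairs: dict = field(default_factory=dict)   # attribute -> (value, restriction)

    def __post_init__(self):
        if not valid_service_name(self.service):
            raise ValueError(f"invalid service string: {self.service!r}")

    def authorize(self, request_pairs):
        """Return ("pass", response_pairs) or ("fail", []) for one request."""
        response = []
        for text in request_pairs:
            attr, _value, restriction = parse_av_pair(text)
            if attr in self.av_pairs:
                # Listed attribute: reply with the configured value/restriction (assumption).
                cfg_value, cfg_restriction = self.av_pairs[attr]
                response.append(format_av_pair(attr, cfg_value, cfg_restriction))
            elif self.default_for_attributes == ALLOW:
                response.append(text)          # unlisted + Allow: copied unchanged
            elif restriction == MANDATORY:
                return "fail", []              # unlisted + Deny + mandatory: FAIL
            # unlisted + Deny + optional: removed from the response
        return "pass", response


if __name__ == "__main__":
    # Constructed sample: a 'ppp' service that pins the address pool.
    svc = NonShellService("ppp-staff", "ppp", DENY, {"addr-pool": ("staff", OPTIONAL)})
    print(svc.authorize(["addr-pool=any", "inacl*10"]))
    print(svc.authorize(["addr-pool=any", "route=10.0.0.0/24"]))
```

With the default set to Deny, the client's mandatory `route=` attribute is the one that turns a PASS into a FAIL; the same request against a service whose default is Allow passes with the attribute echoed back unchanged.
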