Terminal Access Controller Access-Control System Plus (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other network computing devices through one or more centralized servers. TACACS+ allows FortiADC to accept a user name and password and send a query to a TACACS authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies access to the FortiADC user. The default TCP port for a TACACS+ server is 49.
Once TACACS+ is enabled, a series of checks is performed locally and at the TACACS+ server level. The diagram below illustrates the TACACS+ authentication flow.
To use a TACACS+ server to authenticate administrators, the server must be configured before configuring the administrator accounts that will use it.
- Configure a connection to a TACACS+ server that can authenticate administrator or user logins.
- Select the TACACS+ server configuration when you add administrator users or user groups.
- You must know the IP address, port, authentication protocol, and shared secret used to access the TACACS+ server.
- You must have Read-Write permission for System settings.
- Go to User Authentication > Remote Server.
- Click the TACACS+ Server tab.
- Click Create New to display the configuration editor.
- Configure the following settings:
Specify a unique name for the TACACS+ server configuration. Valid characters are
-. No space is allowed.
After you initially save the configuration, you cannot edit the name.
Select the authentication protocol used for the TACACS+ server:
- Auto — FortiADC tries all authentication protocols in order: MS-CHAP → CHAP → PAP → ASCII.
- MS-CHAP — Microsoft version of CHAP (Challenge Handshake Authentication Protocol).
- CHAP — Challenge Handshake Authentication Protocol (defined in RFC 1994).
- PAP — Password Authentication Protocol.
- ASCII — American Standard Code for Information Interchange.
Auto is the default option.
Timeout Specify the amount of time that FortiADC must wait for responses from the remote TACACS+ server before it times out the connection. Valid values are from 5 to 60 seconds. The default is 5 seconds. Shared Secret Shared secret string used when connecting to the TACACS+ server. Server Enter the IP address or FQDN of the TACACS+ server.
Tests the connectivity of the TACACS+ server.
- Click Save.