Fortinet white logo
Fortinet white logo

Handbook

Using a TACACS+ authentication server

Using a TACACS+ authentication server

Terminal Access Controller Access-Control System Plus (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other network computing devices through one or more centralized servers. TACACS+ allows FortiADC to accept a user name and password and send a query to a TACACS authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies access to the FortiADC user. The default TCP port for a TACACS+ server is 49.

Once TACACS+ is enabled, a series of checks is performed locally and at the TACACS+ server level. The diagram below illustrates the TACACS+ authentication flow.

To use a TACACS+ server to authenticate administrators, the server must be configured before configuring the administrator accounts that will use it.

Basic steps:
  1. Configure a connection to a TACACS+ server that can authenticate administrator or user logins.
  2. Select the TACACS+ server configuration when you add administrator users or user groups.
Before you begin:
  • You must know the IP address, port, authentication protocol, and shared secret used to access the TACACS+ server.
  • You must have Read-Write permission for System settings.
To configure a TACACS+ server:
  1. Go to User Authentication > Remote Server.
  2. Click the TACACS+ Server tab.
  3. Click Create New to display the configuration editor.
  4. Configure the following settings:

    Setting

    Description

    Name

    Specify a unique name for the TACACS+ server configuration. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed.

    After you initially save the configuration, you cannot edit the name.

    Authentication Protocol

    Select the authentication protocol used for the TACACS+ server:

    • Auto — FortiADC tries all authentication protocols in order: MS-CHAP → CHAP → PAP → ASCII.
    • MS-CHAP — Microsoft version of CHAP (Challenge Handshake Authentication Protocol).
    • CHAP — Challenge Handshake Authentication Protocol (defined in RFC 1994).
    • PAP — Password Authentication Protocol.
    • ASCII — American Standard Code for Information Interchange.

    Auto is the default option.

    TimeoutSpecify the amount of time that FortiADC must wait for responses from the remote TACACS+ server before it times out the connection. Valid values are from 5 to 60 seconds. The default is 5 seconds.
    Shared SecretShared secret string used when connecting to the TACACS+ server.
    ServerEnter the IP address or FQDN of the TACACS+ server.

    Test Connectivity

    Tests the connectivity of the TACACS+ server.

  5. Click Save.

Using a TACACS+ authentication server

Using a TACACS+ authentication server

Terminal Access Controller Access-Control System Plus (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other network computing devices through one or more centralized servers. TACACS+ allows FortiADC to accept a user name and password and send a query to a TACACS authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies access to the FortiADC user. The default TCP port for a TACACS+ server is 49.

Once TACACS+ is enabled, a series of checks is performed locally and at the TACACS+ server level. The diagram below illustrates the TACACS+ authentication flow.

To use a TACACS+ server to authenticate administrators, the server must be configured before configuring the administrator accounts that will use it.

Basic steps:
  1. Configure a connection to a TACACS+ server that can authenticate administrator or user logins.
  2. Select the TACACS+ server configuration when you add administrator users or user groups.
Before you begin:
  • You must know the IP address, port, authentication protocol, and shared secret used to access the TACACS+ server.
  • You must have Read-Write permission for System settings.
To configure a TACACS+ server:
  1. Go to User Authentication > Remote Server.
  2. Click the TACACS+ Server tab.
  3. Click Create New to display the configuration editor.
  4. Configure the following settings:

    Setting

    Description

    Name

    Specify a unique name for the TACACS+ server configuration. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed.

    After you initially save the configuration, you cannot edit the name.

    Authentication Protocol

    Select the authentication protocol used for the TACACS+ server:

    • Auto — FortiADC tries all authentication protocols in order: MS-CHAP → CHAP → PAP → ASCII.
    • MS-CHAP — Microsoft version of CHAP (Challenge Handshake Authentication Protocol).
    • CHAP — Challenge Handshake Authentication Protocol (defined in RFC 1994).
    • PAP — Password Authentication Protocol.
    • ASCII — American Standard Code for Information Interchange.

    Auto is the default option.

    TimeoutSpecify the amount of time that FortiADC must wait for responses from the remote TACACS+ server before it times out the connection. Valid values are from 5 to 60 seconds. The default is 5 seconds.
    Shared SecretShared secret string used when connecting to the TACACS+ server.
    ServerEnter the IP address or FQDN of the TACACS+ server.

    Test Connectivity

    Tests the connectivity of the TACACS+ server.

  5. Click Save.