Fortinet black logo

CLI Reference

config user tacacs+

Use this command to configure the Terminal Access Controller Access-Control System Plus (TACACS+) authentication server.

Basic steps:
  1. Configure a connection to a TACACS+ server that can authenticate administrator or user logins.
  2. Select the TACACS+ server configuration when you add administrator users or user groups.
Before you begin:
  • You must know the IP address, port, authentication protocol, and shared secret used to access the TACACS+ server.
  • You must have read-write permission for system settings.

Syntax

config user tacacs+

edit <name>

set server <string>

set secret <passwd>

set auth-type {auto|ms_chap|chap|pap|ascii}

set port <integer>

set timeout <integer>

set vdom <datasource>

next

end

server

Enter the IP address or FQDN of the TACACS+ server.

secret

Shared secret string used when connecting to the TACACS+ server. The shared secret can be a maximum of 16 characters in length.

auth-type

Specify the authentication protocol used for the TACACS+ server:

  • auto — FortiADC tries all authentication protocols in order: MS-CHAP → CHAP → PAP → ASCII.
  • ms_chap — Microsoft version of CHAP (Challenge Handshake Authentication Protocol).
  • chap — Challenge Handshake Authentication Protocol (defined in RFC 1994).
  • pap — Password Authentication Protocol.
  • ascii — American Standard Code for Information Interchange.

The default option is auto.

port

Port number for the server. The commonly used port for TACACS+ is 49.

timeout

Specify the amount of time that FortiADC must wait for responses from the remote TACACS+ server before it times out the connection. Valid values are from 5 to 60 seconds. The default is 5 seconds.

vdom

Reserved for future use.

Use this command to configure the Terminal Access Controller Access-Control System Plus (TACACS+) authentication server.

Basic steps:
  1. Configure a connection to a TACACS+ server that can authenticate administrator or user logins.
  2. Select the TACACS+ server configuration when you add administrator users or user groups.
Before you begin:
  • You must know the IP address, port, authentication protocol, and shared secret used to access the TACACS+ server.
  • You must have read-write permission for system settings.

Syntax

config user tacacs+

edit <name>

set server <string>

set secret <passwd>

set auth-type {auto|ms_chap|chap|pap|ascii}

set port <integer>

set timeout <integer>

set vdom <datasource>

next

end

server

Enter the IP address or FQDN of the TACACS+ server.

secret

Shared secret string used when connecting to the TACACS+ server. The shared secret can be a maximum of 16 characters in length.

auth-type

Specify the authentication protocol used for the TACACS+ server:

  • auto — FortiADC tries all authentication protocols in order: MS-CHAP → CHAP → PAP → ASCII.
  • ms_chap — Microsoft version of CHAP (Challenge Handshake Authentication Protocol).
  • chap — Challenge Handshake Authentication Protocol (defined in RFC 1994).
  • pap — Password Authentication Protocol.
  • ascii — American Standard Code for Information Interchange.

The default option is auto.

port

Port number for the server. The commonly used port for TACACS+ is 49.

timeout

Specify the amount of time that FortiADC must wait for responses from the remote TACACS+ server before it times out the connection. Valid values are from 5 to 60 seconds. The default is 5 seconds.

vdom

Reserved for future use.