Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other network computing devices via one or more centralized servers. It allows a client to accept a user name and password and send a query to a TACACS authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies network access to the user. The default TCP port for a TACACS+ server is 49.
If you have configured TACACS+ support and an administrator is required to authenticate using a TACACS+ server, the FortiAnalyzer unit contacts the TACACS+ server for authentication. If the TACACS+ server can authenticate the administrator, they are successfully authenticated with the FortiAnalyzer unit. If the TACACS+ server cannot authenticate the administrator, the connection is refused by the FortiAnalyzer unit.
To use a TACACS+ server to authenticate administrators, you must configure the server before configuring the administrator accounts that will use it.
- Go to System Settings > Admin > Remote Authentication Server.
- Select Create New > TACACS+ Server from the toolbar. The New TACACS+ Server pane opens.
- Configure the following settings, and then click OK to add the TACACS+ server.
Enter a name to identify the TACACS+ server.
Enter the IP address or fully qualified domain name of the TACACS+ server.
Enter the port for TACACS+ traffic. The default port is 49.
Enter the key to access the TACACS+ server. The server key can be a maximum of 16 characters in length.
Select the authentication type the TACACS+ server requires. If you select the default ANY, FortiAnalyzer tries all authentication types.