Administration Guide

Creating policies

TACACS+ policy configuration is available under Authentication > TACACS+ Service > Policies.

FortiAuthenticator TACACS+ authentication requires that a TACACS+ client is assigned one or more policies. Policies determine the authentication method, identity source, and TACACS+ response for the clients assigned to the policy.

To create a TACACS+ policy:
  1. Go to Authentication > TACACS+ Service > Policies.
    The Create New TACACS+ Policy Wizard opens.
  2. Enter the following information:
    TACACS+ clients

    Specify the policy name and description.

    Specify all clients that this policy will accept TACACS+ requests from.

    Policy name

    Enter a name for the policy.

    Description

    Optionally, enter a description of the policy.
    TACACS+ clients

    Lists the available TACACS+ clients. Select the client(s) to which this policy applies by using the arrows to move clients into the Chosen TACACS+ Clients box.

    For more information about creating TACACS+ clients, see Adding clients.

    Identity source

    Specify the identity sources against which to authenticate end-users.

    Username format

    Select one of the following three username input formats:

    • username@realm
    • realm\username
    • realm/username

    Use default realm when user-provided realm is different from all configured realms

    When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.

    Realms

    Add the realms with which the client(s) will be associated.

    • Select a realm from the dropdown menu in the Realm column.
    • Select whether or not to allow local users to override remote users for the selected realm.
    • Select whether or not to use Windows AD domain authentication.
    • Edit the group filter as needed to filter users based on the groups they are in.
    • If necessary, add more realms to the list.
    • Select the realm that will be the default realm for this client.

    Authentication factors

    Specify which authentication factors to verify.

    Authentication method

    Select one of the following:

    • Mandatory two-factor authentication: Two-factor authentication is required for every user.
    • Verify all configured authentication factors: Two-factor authentication is required if it is enabled on the user's account, otherwise, allow one-factor authentication.
    • Password-only authentication: Authenticate users through password verification only. If password authentication is disabled on the user account, the account cannot be authenticated.
    • Token-only authentication: Authenticate users through token verification only. If token-based authentication is disabled on the user account, the account cannot be authenticated.

    TACACS+ response

    Specify the TACACS+ response to return to the client based on the outcome of the authentication.

  3. Click OK to save the policy.
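The following is an added example, written for this page and not FortiAuthenticator's own code, that models how the identity-source and authentication-factor settings above combine to turn a login string into an accept or reject decision: the username format selects how the realm is split off, the default-realm option decides what happens when the supplied realm is not configured, and the authentication method decides which factors the account must present. Class names, the order of the checks, treating a login with no realm as belonging to the default realm, and requiring both password and token to be enabled on the account for mandatory two-factor authentication are assumptions made here.

```python
# Added illustrative model of TACACS+ policy evaluation; not FortiAuthenticator code.
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class UsernameFormat(Enum):
    USER_AT_REALM = "username@realm"
    REALM_BACKSLASH_USER = "realm\\username"
    REALM_SLASH_USER = "realm/username"


class AuthMethod(Enum):
    MANDATORY_2FA = "mandatory_two_factor"
    VERIFY_ALL_CONFIGURED = "verify_all_configured"
    PASSWORD_ONLY = "password_only"
    TOKEN_ONLY = "token_only"


@dataclass(frozen=True)
class Policy:
    username_format: UsernameFormat
    realms: Tuple[str, ...]          # realms added to the policy
    default_realm: str               # the realm marked as default (one of `realms`)
    default_on_unknown_realm: bool   # "Use default realm when user-provided realm is different..."
    auth_method: AuthMethod


@dataclass(frozen=True)
class UserAccount:
    password_enabled: bool = True
    token_enabled: bool = False


@dataclass(frozen=True)
class Decision:
    accepted: bool
    username: Optional[str] = None
    realm: Optional[str] = None
    factors: Tuple[str, ...] = ()
    reason: str = ""


def split_username(login: str, fmt: UsernameFormat) -> Tuple[str, Optional[str]]:
    """Split the login into (username, realm); realm is None when none was given."""
    if fmt is UsernameFormat.USER_AT_REALM:
        # rpartition keeps an '@' inside the user part (UPN-style names) intact
        user, sep, realm = login.rpartition("@")
        return (user, realm) if sep else (login, None)
    sep_char = "\\" if fmt is UsernameFormat.REALM_BACKSLASH_USER else "/"
    realm, sep, user = login.partition(sep_char)
    return (user, realm) if sep else (login, None)


def select_realm(realm: Optional[str], policy: Policy) -> Optional[str]:
    """Realm to authenticate against, or None when the request must be rejected."""
    if realm is None:
        return policy.default_realm           # no realm supplied: assumed to mean the default
    if realm in policy.realms:
        return realm
    if policy.default_on_unknown_realm:
        return policy.default_realm           # unknown realm mapped to the default realm
    return None                               # unknown realm and no fallback: reject


def required_factors(method: AuthMethod, account: UserAccount) -> Optional[Tuple[str, ...]]:
    """Factors the user must present, or None if the account cannot authenticate."""
    configured = tuple(f for f, on in (("password", account.password_enabled),
                                       ("token", account.token_enabled)) if on)
    if method is AuthMethod.MANDATORY_2FA:
        return configured if len(configured) == 2 else None   # assumption: both needed
    if method is AuthMethod.VERIFY_ALL_CONFIGURED:
        return configured or None             # 2FA if the token is enabled, else one factor
    if method is AuthMethod.PASSWORD_ONLY:
        return ("password",) if account.password_enabled else None
    return ("token",) if account.token_enabled else None


def evaluate(login: str, policy: Policy, account: UserAccount) -> Decision:
    """Run the policy stages in order; the TACACS+ response follows `accepted`."""
    username, given_realm = split_username(login, policy.username_format)
    realm = select_realm(given_realm, policy)
    if realm is None:
        return Decision(False, username, reason=f"realm {given_realm!r} not configured")
    factors = required_factors(policy.auth_method, account)
    if factors is None:
        return Decision(False, username, realm,
                        reason=f"{policy.auth_method.value} not possible for this account")
    return Decision(True, username, realm, factors)


if __name__ == "__main__":
    # Constructed sample policy and accounts, not taken from a real deployment.
    pol = Policy(UsernameFormat.USER_AT_REALM, ("corp", "lab"), "corp", True,
                 AuthMethod.VERIFY_ALL_CONFIGURED)
    print(evaluate("alice@lab", pol, UserAccount(True, True)))
    print(evaluate("bob@typo", pol, UserAccount()))   # lands in "corp" via the fallback
```

The second sample call shows the caveat behind the default-realm option: with it enabled, a mistyped or foreign realm is authenticated against the default realm, so that realm's local-override, Windows AD and group-filter settings govern requests that never named it. With the option disabled the same login is rejected instead.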