Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiAuthenticator 6.4.9 Administration Guide
    6.4.9
    6.6.2
    6.6.1
    6.6.0
    6.5.5
    6.5.4
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.2
    6.2.1
    6.2.0
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.5.0
    5.4.0
    5.3.0
    5.2.0
    5.1.0
    5.0.0
    4.3.0
    4.2.1
    4.2.0

    Creating policies

    Creating policies

    TACACS+ policy configuration is available under Authentication > TACACS+ Service > Policies.

    FortiAuthenticator TACACS+ authentication requires that a TACACS+ client is assigned one or more policies. Policies determine the authentication method, identity source, and TACACS+ response for the clients assigned to the policy.

    To create a TACACS+ policy:
    1. Go to Authentication > TACACS+ Service > Policies, and click Create New.
      The Create New TACACS+ Policy Wizard opens.
    2. Enter the following information:
      TACACS+ clients

      Specify the policy name and description.

      Specify all clients that this policy will accept TACACS+ requests from.

      Policy nameEnter a name for the policy.
      DescriptionOptionally, enter a description of the policy.
      TACACS+ clients

      Lists the available TACACS+ clients. Select the client(s) to which this policy applies by using the arrows to move clients into the Chosen TACACS+ Clients box.

      For more information about creating TACACS+ clients, see Adding clients.

      Identity source

      Specify the identity sources against which to authenticate end-users.

      Username format

      Select one of the following three username input formats:

      • username@realm
      • realm\username
      • realm/username

      Use default realm when user-provided realm is different from all configured realms

      When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.

      Realms

      Add the realms to which the client(s) will be associated.

      • Select a realm from the dropdown menu in the Realm column.
      • Select whether or not to allow local users to override remote users for the selected realm.
      • Select whether or not to use Windows AD domain authentication.
      • Edit the group filter as needed to filter users based on the groups they are in.
      • If necessary, add more realms to the list.
      • Select the realm that will be the default realm for this client.

      Authentication factors

      Specify which authentication factors to verify.

      Authentication method

      Select one of the following:

      • Mandatory password and OTP: Two-factor authentication is required for every user.
      • All configured password and OTP factors: Two-factor authentication is required if it is enabled on the user's account, otherwise, allow one-factor authentication.
      • Password-only: Authenticate users through password verification only. If password authentication is disabled on the user account, the account cannot be authenticated.
      • OTP-only: Authenticate users through token verification only. If token-based authentication is disabled on the user account, the account cannot be authenticated.

      Adaptive Authentication

      Enable this option if you would like to have certain users bypass OTP validation, so long as they belong to a trusted subnet.

      Select All trusted subnets to add all the available trusted subnets.

      You can specify the trusted subnets by selecting Specify trusted subnets and clicking the pen icon. This opens a window where you can choose from a list of available trusted subnets.

      Adaptive Authentication is available only for the following authentication types:

      • Mandatory password and OTP

      • All configured password and OTP factors

      TACACS+ response

      TACACS+ authentication response based on the outcome of the authentication.

    3. Click OK to save the policy.
    Previous
    Next

    Creating policies

    Creating policies

    TACACS+ policy configuration is available under Authentication > TACACS+ Service > Policies.

    FortiAuthenticator TACACS+ authentication requires that a TACACS+ client is assigned one or more policies. Policies determine the authentication method, identity source, and TACACS+ response for the clients assigned to the policy.

    To create a TACACS+ policy:
    1. Go to Authentication > TACACS+ Service > Policies, and click Create New.
      The Create New TACACS+ Policy Wizard opens.
    2. Enter the following information:
      TACACS+ clients

      Specify the policy name and description.

      Specify all clients that this policy will accept TACACS+ requests from.

      Policy nameEnter a name for the policy.
      DescriptionOptionally, enter a description of the policy.
      TACACS+ clients

      Lists the available TACACS+ clients. Select the client(s) to which this policy applies by using the arrows to move clients into the Chosen TACACS+ Clients box.

      For more information about creating TACACS+ clients, see Adding clients.

      Identity source

      Specify the identity sources against which to authenticate end-users.

      Username format

      Select one of the following three username input formats:

      • username@realm
      • realm\username
      • realm/username

      Use default realm when user-provided realm is different from all configured realms

      When enabled, FortiAuthenticator selects the default realm for authentication when the user-specified realm is different from all configured realms.

      Realms

      Add the realms to which the client(s) will be associated.

      • Select a realm from the dropdown menu in the Realm column.
      • Select whether or not to allow local users to override remote users for the selected realm.
      • Select whether or not to use Windows AD domain authentication.
      • Edit the group filter as needed to filter users based on the groups they are in.
      • If necessary, add more realms to the list.
      • Select the realm that will be the default realm for this client.

      Authentication factors

      Specify which authentication factors to verify.

      Authentication method

      Select one of the following:

      • Mandatory password and OTP: Two-factor authentication is required for every user.
      • All configured password and OTP factors: Two-factor authentication is required if it is enabled on the user's account, otherwise, allow one-factor authentication.
      • Password-only: Authenticate users through password verification only. If password authentication is disabled on the user account, the account cannot be authenticated.
      • OTP-only: Authenticate users through token verification only. If token-based authentication is disabled on the user account, the account cannot be authenticated.

      Adaptive Authentication

      Enable this option if you would like to have certain users bypass OTP validation, so long as they belong to a trusted subnet.

      Select All trusted subnets to add all the available trusted subnets.

      You can specify the trusted subnets by selecting Specify trusted subnets and clicking the pen icon. This opens a window where you can choose from a list of available trusted subnets.

      Adaptive Authentication is available only for the following authentication types:

      • Mandatory password and OTP

      • All configured password and OTP factors

      TACACS+ response

      TACACS+ authentication response based on the outcome of the authentication.

    3. Click OK to save the policy.
    Previous
    Next