Configuring TACACS+ authentication
You can configure administrator authentication using a Terminal Access Controller Access-Control System Plus (TACACS+) server.
Once you complete the TACACS+ Server Configuration, create an administrator user under System > Admin > Administrator page and select TACACS+ as the Strategy. When TACACS+ is selected, no local password option is available. You can also specify Admin (access) profile and trusted host list for that user. For more details about creating a user profile, see here.
Once TACACS+ is enabled, a series of checks is performed locally and at the TACACS+ server level. The diagram below illustrates the TACACS+ authentication flow.
The FortiDDoS-F does not currently support TACACS+ Attribute pairs or Two Factor Authentication (2FA). |
Before you begin:
- You must have Read-Write permission for System settings.
To configure FortiDDoS for TACACS+ authentication:
- Go to System > Authentication > TACACS+.
- Complete the TACACS+ Server Configuration.
Settings Guidelines Status Select to enable TACACS+ server configuration or deselect to disable. Primary Server IP IP address or FQDN of the primary TACACS+ server. Primary Server Secret TACACS+ server shared secret – maximum 116 characters (special characters are allowed). Port TACACS+ port number in the range: 1 - 65535. The default value is 49. Secondary Server IP (Optional) IP address or FQDN of a backup TACACS+ server. Secondary Server Secret (Optional) TACACS+ server shared secret – maximum 116 characters (special characters are allowed). Authentication Protocol - PAP - Password Authentication Protocol
- CHAP - Challenge Handshake Authentication Protocol (defined in RFC 1994)
- ASCII
- Auto - Automatically selects one of the above protocols.
- Save the configuration.
CLI commands:
config system authentication tacacs+ set state {enable|disable} set primary-server <ip|domain> set primary-secret <string> set port <port> set backup-server <ip|domain> set backup-secret <string> set authprot {pap|chap|ascii|auto} end |