Fortinet white logo
Fortinet white logo

Handbook

Configuring TACACS+ authentication

Configuring TACACS+ authentication

You can configure administrator authentication using a Terminal Access Controller Access-Control System Plus (TACACS+) server.

Once you complete the TACACS+ Server Configuration, create an administrator user under System > Admin > Administrator page and select TACACS+ as the Strategy. When TACACS+ is selected, no local password option is available. You can also specify Admin (access) profile and trusted host list for that user. For more details about creating a user profile, see here.

Once TACACS+ is enabled, a series of checks is performed locally and at the TACACS+ server level. The diagram below illustrates the TACACS+ authentication flow.

The FortiDDoS-F does not currently support TACACS+ Attribute pairs or Two Factor Authentication (2FA).

Before you begin:

  • You must have Read-Write permission for System settings.
To configure FortiDDoS for TACACS+ authentication:

  1. Go to System > Authentication > TACACS+.
  2. Complete the TACACS+ Server Configuration.

    Settings Guidelines
    Status Select to enable TACACS+ server configuration or deselect to disable.
    Primary Server IP IP address or FQDN of the primary TACACS+ server.
    Primary Server Secret TACACS+ server shared secret – maximum 116 characters (special characters are allowed).
    Port TACACS+ port number in the range: 1 - 65535. The default value is 49.
    Secondary Server IP (Optional) IP address or FQDN of a backup TACACS+ server.
    Secondary Server Secret (Optional) TACACS+ server shared secret – maximum 116 characters (special characters are allowed).
    Authentication Protocol
    • PAP - Password Authentication Protocol
    • CHAP - Challenge Handshake Authentication Protocol (defined in RFC 1994)
    • ASCII
    • Auto - Automatically selects one of the above protocols.
  3. Save the configuration.
CLI commands:

config system authentication tacacs+ 
  set state {enable|disable}
  set primary-server <ip|domain>
  set primary-secret <string>
  set port <port>
  set backup-server <ip|domain>
  set backup-secret <string>
  set authprot {pap|chap|ascii|auto}
end

Configuring TACACS+ authentication

Configuring TACACS+ authentication

You can configure administrator authentication using a Terminal Access Controller Access-Control System Plus (TACACS+) server.

Once you complete the TACACS+ Server Configuration, create an administrator user under System > Admin > Administrator page and select TACACS+ as the Strategy. When TACACS+ is selected, no local password option is available. You can also specify Admin (access) profile and trusted host list for that user. For more details about creating a user profile, see here.

Once TACACS+ is enabled, a series of checks is performed locally and at the TACACS+ server level. The diagram below illustrates the TACACS+ authentication flow.

The FortiDDoS-F does not currently support TACACS+ Attribute pairs or Two Factor Authentication (2FA).

Before you begin:

  • You must have Read-Write permission for System settings.
To configure FortiDDoS for TACACS+ authentication:

  1. Go to System > Authentication > TACACS+.
  2. Complete the TACACS+ Server Configuration.

    Settings Guidelines
    Status Select to enable TACACS+ server configuration or deselect to disable.
    Primary Server IP IP address or FQDN of the primary TACACS+ server.
    Primary Server Secret TACACS+ server shared secret – maximum 116 characters (special characters are allowed).
    Port TACACS+ port number in the range: 1 - 65535. The default value is 49.
    Secondary Server IP (Optional) IP address or FQDN of a backup TACACS+ server.
    Secondary Server Secret (Optional) TACACS+ server shared secret – maximum 116 characters (special characters are allowed).
    Authentication Protocol
    • PAP - Password Authentication Protocol
    • CHAP - Challenge Handshake Authentication Protocol (defined in RFC 1994)
    • ASCII
    • Auto - Automatically selects one of the above protocols.
  3. Save the configuration.
CLI commands:

config system authentication tacacs+ 
  set state {enable|disable}
  set primary-server <ip|domain>
  set primary-secret <string>
  set port <port>
  set backup-server <ip|domain>
  set backup-secret <string>
  set authprot {pap|chap|ascii|auto}
end