Configuring TACACS+ authentication

You can configure administrator authentication using a Terminal Access Controller Access-Control System Plus (TACACS+) server.

Once you complete the TACACS+ Server Configuration, create an administrator user on the System > Admin > Administrator page and select TACACS+ as the Strategy. When TACACS+ is selected, no local password option is available. You can also specify an Admin (access) profile and a trusted host list for that user. For more details about creating a user profile, see here.

Note 1: Any access profile (any combination of read-only, read-write or none permissions) can be used for GUI users. CLI users must have the “super_admin_prof” profile or they will be rejected.

Note 2: FortiDDoS-F does not support TACACS+ Custom Attribute pairs. A local username is required for GUI and CLI access. Anyone attempting to access the system with valid LDAP credentials but without a local username will be refused via CLI. An anomaly in the GUI code will allow non-local valid users access to the GUI, but pages will be empty of any configuration information and there will be no write access.

Once TACACS+ is enabled, a series of checks is performed locally and at the TACACS+ server level. The diagram below illustrates the TACACS+ authentication flow.

The FortiDDoS-F does not currently support TACACS+ Attribute pairs or Two Factor Authentication (2FA).

Before you begin:

  • You must have Read-Write permission for System settings.

To configure FortiDDoS for TACACS+ authentication:

  1. Go to System > Authentication > TACACS+.
  2. Complete the TACACS+ Server Configuration.

    Setting                   Guidelines
    Status                    Select to enable the TACACS+ server configuration or deselect to disable it.
    Primary Server IP         IP address or FQDN of the primary TACACS+ server.
    Primary Server Secret     TACACS+ server shared secret – maximum 116 characters (special characters are allowed).
    Port                      TACACS+ port number in the range 1 - 65535. The default value is 49.
    Secondary Server IP       (Optional) IP address or FQDN of a backup TACACS+ server.
    Secondary Server Secret   (Optional) TACACS+ server shared secret – maximum 116 characters (special characters are allowed).
    Authentication Protocol   One of:
                              • PAP - Password Authentication Protocol
                              • CHAP - Challenge Handshake Authentication Protocol (defined in RFC 1994)
                              • ASCII
                              • Auto - Automatically selects one of the above protocols.
  3. Save the configuration.

CLI commands:

config system authentication tacacs+
  set state {enable|disable}
  set primary-server <ip|domain>
  set primary-secret <string>
  set port <port>
  set backup-server <ip|domain>
  set backup-secret <string>
  set authprot {pap|chap|ascii|auto}
end
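The settings table and the CLI block above give hard limits (shared secret of at most 116 characters, port in 1 - 65535, protocol one of pap/chap/ascii/auto, backup server optional) that are easy to get wrong when the configuration is pushed by a script rather than typed. The following Python is an added example, not Fortinet code and not part of the handbook: it checks a candidate configuration against those documented limits and renders the same `config system authentication tacacs+` block. The hostname syntax accepted for the "domain" alternative and the double-quoted, backslash-escaped form used for secrets are assumptions on my part; the handbook only says "IP address or FQDN" and "special characters are allowed".

```python
import ipaddress
import re

# Limits quoted from the settings table above (FortiDDoS-F handbook).
MAX_SECRET_LEN = 116
AUTH_PROTOCOLS = ("pap", "chap", "ascii", "auto")
DEFAULT_PORT = 49

# Hostname syntax for the "domain" alternative. Assumption: RFC 1123 style labels
# are what the appliance accepts; the handbook only says "IP address or FQDN".
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_ip_or_fqdn(value):
    """True if value parses as an IPv4/IPv6 address or looks like a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_FQDN_RE.match(value))


def _secret_problems(secret, name):
    """Apply the documented shared-secret limit (non-empty, at most 116 characters)."""
    if not isinstance(secret, str) or not secret:
        return [f"{name}: shared secret must be a non-empty string"]
    if len(secret) > MAX_SECRET_LEN:
        return [f"{name}: shared secret exceeds {MAX_SECRET_LEN} characters"]
    return []


def check_settings(primary_server, primary_secret, port=DEFAULT_PORT,
                   backup_server=None, backup_secret=None, authprot="auto"):
    """Return a list of problems; an empty list means every documented limit holds."""
    problems = []
    if not is_ip_or_fqdn(primary_server):
        problems.append("primary-server: must be an IP address or FQDN")
    problems += _secret_problems(primary_secret, "primary-secret")
    if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
        problems.append("port: must be an integer in the range 1-65535")
    if authprot not in AUTH_PROTOCOLS:
        problems.append(f"authprot: must be one of {', '.join(AUTH_PROTOCOLS)}")
    if backup_server is not None:
        if not is_ip_or_fqdn(backup_server):
            problems.append("backup-server: must be an IP address or FQDN")
        # The backup entry is optional, but a backup server without its own
        # secret can never authenticate anyone, so require the pair together.
        problems += _secret_problems(backup_secret, "backup-secret")
    elif backup_secret is not None:
        problems.append("backup-secret: given without backup-server")
    return problems


def _quote(value):
    # Assumption: the CLI accepts a double-quoted string with backslash escapes,
    # which keeps secrets containing spaces or quotes intact.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_tacacs_config(primary_server, primary_secret, port=DEFAULT_PORT,
                        backup_server=None, backup_secret=None, authprot="auto",
                        enabled=True):
    """Render the 'config system authentication tacacs+' block shown above,
    refusing to emit anything that violates the documented limits."""
    problems = check_settings(primary_server, primary_secret, port,
                              backup_server, backup_secret, authprot)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "config system authentication tacacs+",
        f"  set state {'enable' if enabled else 'disable'}",
        f"  set primary-server {primary_server}",
        f"  set primary-secret {_quote(primary_secret)}",
        f"  set port {port}",
    ]
    if backup_server is not None:
        lines.append(f"  set backup-server {backup_server}")
        lines.append(f"  set backup-secret {_quote(backup_secret)}")
    lines.append(f"  set authprot {authprot}")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(build_tacacs_config("tacacs1.example.net", "pr1mary-s3cret",
                              backup_server="192.0.2.10",
                              backup_secret="b4ckup s3cret",
                              authprot="pap"))
```

Running `check_settings` before `build_tacacs_config` lets an automation job report every violation at once instead of failing on the first `set` the appliance rejects; the secret itself is only ever checked for length, never logged.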
