Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    6.6.0
    7.0.3
    7.0.1
    7.0.0
    6.6.3
    6.6.3
    6.6.1
    6.6.0
    6.5.1
    6.5.0
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.1

    Configuring TACACS+ authentication

    Configuring TACACS+ authentication

    You can configure administrator authentication using a Terminal Access Controller Access-Control System Plus (TACACS+) server.

    You can login to FortiDDoS 3 ways:

    • Local Username, Password, Admin Profile, Trusted hosts (optional)

      • No TACACS+ required. It is highly recommended that at least one local super_admin_pro(file) is available as well as the admin/super_admin_profile that cannot be deleted.

      • TACACS+ is not used

    • Local Username, Admin Profile, Trusted hosts (optional) with TACACS+ password management and no local password.

    • No local username or password – TACACS+ provides login credentials, with Admin Profile and Trusted Hosts in Shell Profiles and Custom Attributes.

      Correct credentials with no Shell Profiles and Custom Attributes results in a login with no access.

    Once you complete the TACACS+ Server Configuration, create an administrator user under System > Admin > Administrator page and select TACACS+ as the Strategy. When TACACS+ is selected, no local password option is available. You can also specify Admin (access) profile and trusted host list for that user. For more details about creating a user profile, see here.

    Note: Any access profile (read-only, read-write or none combinations) is usable for GUI users. CLI users must have “super_admin_prof” Profile or they will be rejected.

    The FortiDDoS-F does not currently support TACACS+ Attribute pairs or Two Factor Authentication (2FA).

    Before you begin:

    • You must have Read-Write permission for System settings.
    To configure FortiDDoS for TACACS+ authentication:

    1. Go to System > Authentication > TACACS+.
    2. Complete the TACACS+ Server Configuration.

      SettingsGuidelines
      StatusSelect to enable TACACS+ server configuration or deselect to disable.
      Primary Server IPIP address or FQDN of the primary TACACS+ server.
      Primary Server SecretTACACS+ server shared secret – maximum 116 characters (special characters are allowed).
      PortTACACS+ port number in the range: 1 - 65535. The default value is 49.
      Secondary Server IP(Optional) IP address or FQDN of a backup TACACS+ server.
      Secondary Server Secret(Optional) TACACS+ server shared secret – maximum 116 characters (special characters are allowed).
      Authentication Protocol
      • PAP - Password Authentication Protocol
      • CHAP - Challenge Handshake Authentication Protocol (defined in RFC 1994)
      • ASCII
      • Auto - Automatically selects one of the above protocols.
    3. Save the configuration.
    CLI commands: 

    config system authentication tacacs+ 
  set state {enable|disable}
  set primary-server <ip|domain>
  set primary-secret <string>
  set port <port>
  set backup-server <ip|domain>
  set backup-secret <string>
  set authprot {pap|chap|ascii|auto}
end
    TACACS+ ACS Shell Profiles and Custom Attributes

    Shell Profiles

    For Admin Profiles, create TACACS+ Shell Profiles like the sample below. Shell Profiles must match case and spelling of the Admin Profile configured in FortiDDoS:

    Custom Attributes

    Under the Custom Attributes tab, add the custom attributes based on the Shell profile. For example:

    • AdminProf:

      • Fortinet-FDD-Access-Profile: super_admin_prof

      • Fortinet-FDD-Trusted-Hosts: 172.30.153.0/24

        Custom Attributes spelling and case must match the above.

    Previous
    Next

    Configuring TACACS+ authentication

    Configuring TACACS+ authentication

    You can configure administrator authentication using a Terminal Access Controller Access-Control System Plus (TACACS+) server.

    You can login to FortiDDoS 3 ways:

    • Local Username, Password, Admin Profile, Trusted hosts (optional)

      • No TACACS+ required. It is highly recommended that at least one local super_admin_pro(file) is available as well as the admin/super_admin_profile that cannot be deleted.

      • TACACS+ is not used

    • Local Username, Admin Profile, Trusted hosts (optional) with TACACS+ password management and no local password.

    • No local username or password – TACACS+ provides login credentials, with Admin Profile and Trusted Hosts in Shell Profiles and Custom Attributes.

      Correct credentials with no Shell Profiles and Custom Attributes results in a login with no access.

    Once you complete the TACACS+ Server Configuration, create an administrator user under System > Admin > Administrator page and select TACACS+ as the Strategy. When TACACS+ is selected, no local password option is available. You can also specify Admin (access) profile and trusted host list for that user. For more details about creating a user profile, see here.

    Note: Any access profile (read-only, read-write or none combinations) is usable for GUI users. CLI users must have “super_admin_prof” Profile or they will be rejected.

    The FortiDDoS-F does not currently support TACACS+ Attribute pairs or Two Factor Authentication (2FA).

    Before you begin:

    • You must have Read-Write permission for System settings.
    To configure FortiDDoS for TACACS+ authentication:

    1. Go to System > Authentication > TACACS+.
    2. Complete the TACACS+ Server Configuration.

      SettingsGuidelines
      StatusSelect to enable TACACS+ server configuration or deselect to disable.
      Primary Server IPIP address or FQDN of the primary TACACS+ server.
      Primary Server SecretTACACS+ server shared secret – maximum 116 characters (special characters are allowed).
      PortTACACS+ port number in the range: 1 - 65535. The default value is 49.
      Secondary Server IP(Optional) IP address or FQDN of a backup TACACS+ server.
      Secondary Server Secret(Optional) TACACS+ server shared secret – maximum 116 characters (special characters are allowed).
      Authentication Protocol
      • PAP - Password Authentication Protocol
      • CHAP - Challenge Handshake Authentication Protocol (defined in RFC 1994)
      • ASCII
      • Auto - Automatically selects one of the above protocols.
    3. Save the configuration.
    CLI commands: 

    config system authentication tacacs+ 
  set state {enable|disable}
  set primary-server <ip|domain>
  set primary-secret <string>
  set port <port>
  set backup-server <ip|domain>
  set backup-secret <string>
  set authprot {pap|chap|ascii|auto}
end
    TACACS+ ACS Shell Profiles and Custom Attributes

    Shell Profiles

    For Admin Profiles, create TACACS+ Shell Profiles like the sample below. Shell Profiles must match case and spelling of the Admin Profile configured in FortiDDoS:

    Custom Attributes

    Under the Custom Attributes tab, add the custom attributes based on the Shell profile. For example:

    • AdminProf:

      • Fortinet-FDD-Access-Profile: super_admin_prof

      • Fortinet-FDD-Trusted-Hosts: 172.30.153.0/24

        Custom Attributes spelling and case must match the above.

    Previous
    Next