Fortinet black logo

Handbook

6.6.3
7.0.0
6.6.3
6.6.3
6.6.1
6.6.0
6.5.1
6.5.0
6.4.1
6.4.0
6.3.3
6.3.2
6.3.1
6.2.3
6.2.2
6.2.1
6.2.0
6.1.1

Configuring TACACS+ authentication

Configuring TACACS+ authentication

You can configure administrator authentication using a Terminal Access Controller Access-Control System Plus (TACACS+) server.

You can login to FortiDDoS 3 ways:

  • Local Username, Password, Admin Profile, Trusted hosts (optional)

    • No TACACS+ required. It is highly recommended that at least one local super_admin_pro(file) is available as well as the admin/super_admin_profile that cannot be deleted.

    • TACACS+ is not used

  • Local Username, Admin Profile, Trusted hosts (optional) with TACACS+ password management and no local password.

  • No local username or password – TACACS+ provides login credentials, with Admin Profile and Trusted Hosts in Shell Profiles and Custom Attributes.

    Correct credentials with no Shell Profiles and Custom Attributes results in a login with no access.

Once you complete the TACACS+ Server Configuration, create an administrator user under System > Admin > Administrator page and select TACACS+ as the Strategy. When TACACS+ is selected, no local password option is available. You can also specify Admin (access) profile and trusted host list for that user. For more details about creating a user profile, see here.

Note: Any access profile (read-only, read-write or none combinations) is usable for GUI users. CLI users must have “super_admin_prof” Profile or they will be rejected.

The FortiDDoS-F does not currently support TACACS+ Attribute pairs or Two Factor Authentication (2FA).

Before you begin:

  • You must have Read-Write permission for System settings.
To configure FortiDDoS for TACACS+ authentication:

  1. Go to System > Authentication > TACACS+.
  2. Complete the TACACS+ Server Configuration.

    SettingsGuidelines
    StatusSelect to enable TACACS+ server configuration or deselect to disable.
    Primary Server IPIP address or FQDN of the primary TACACS+ server.
    Primary Server SecretTACACS+ server shared secret – maximum 116 characters (special characters are allowed).
    PortTACACS+ port number in the range: 1 - 65535. The default value is 49.
    Secondary Server IP(Optional) IP address or FQDN of a backup TACACS+ server.
    Secondary Server Secret(Optional) TACACS+ server shared secret – maximum 116 characters (special characters are allowed).
    Authentication Protocol
    • PAP - Password Authentication Protocol
    • CHAP - Challenge Handshake Authentication Protocol (defined in RFC 1994)
    • ASCII
    • Auto - Automatically selects one of the above protocols.
  3. Save the configuration.
CLI commands: 

config system authentication tacacs+ 
  set state {enable|disable}
  set primary-server <ip|domain>
  set primary-secret <string>
  set port <port>
  set backup-server <ip|domain>
  set backup-secret <string>
  set authprot {pap|chap|ascii|auto}
end
TACACS+ ACS Shell Profiles and Custom Attributes

Shell Profiles

For Admin Profiles, create TACACS+ Shell Profiles like the sample below. Shell Profiles must match case and spelling of the Admin Profile configured in FortiDDoS:

Custom Attributes

Under the Custom Attributes tab, add the custom attributes based on the Shell profile. For example:

  • AdminProf:

    • Fortinet-FDD-Access-Profile: super_admin_prof

    • Fortinet-FDD-Trusted-Hosts: 172.30.153.0/24

      Custom Attributes spelling and case must match the above.

Previous
Next

Configuring TACACS+ authentication

You can configure administrator authentication using a Terminal Access Controller Access-Control System Plus (TACACS+) server.

You can login to FortiDDoS 3 ways:

  • Local Username, Password, Admin Profile, Trusted hosts (optional)

    • No TACACS+ required. It is highly recommended that at least one local super_admin_pro(file) is available as well as the admin/super_admin_profile that cannot be deleted.

    • TACACS+ is not used

  • Local Username, Admin Profile, Trusted hosts (optional) with TACACS+ password management and no local password.

  • No local username or password – TACACS+ provides login credentials, with Admin Profile and Trusted Hosts in Shell Profiles and Custom Attributes.

    Correct credentials with no Shell Profiles and Custom Attributes results in a login with no access.

Once you complete the TACACS+ Server Configuration, create an administrator user under System > Admin > Administrator page and select TACACS+ as the Strategy. When TACACS+ is selected, no local password option is available. You can also specify Admin (access) profile and trusted host list for that user. For more details about creating a user profile, see here.

Note: Any access profile (read-only, read-write or none combinations) is usable for GUI users. CLI users must have “super_admin_prof” Profile or they will be rejected.

The FortiDDoS-F does not currently support TACACS+ Attribute pairs or Two Factor Authentication (2FA).

Before you begin:

  • You must have Read-Write permission for System settings.
To configure FortiDDoS for TACACS+ authentication:

  1. Go to System > Authentication > TACACS+.
  2. Complete the TACACS+ Server Configuration.

    SettingsGuidelines
    StatusSelect to enable TACACS+ server configuration or deselect to disable.
    Primary Server IPIP address or FQDN of the primary TACACS+ server.
    Primary Server SecretTACACS+ server shared secret – maximum 116 characters (special characters are allowed).
    PortTACACS+ port number in the range: 1 - 65535. The default value is 49.
    Secondary Server IP(Optional) IP address or FQDN of a backup TACACS+ server.
    Secondary Server Secret(Optional) TACACS+ server shared secret – maximum 116 characters (special characters are allowed).
    Authentication Protocol
    • PAP - Password Authentication Protocol
    • CHAP - Challenge Handshake Authentication Protocol (defined in RFC 1994)
    • ASCII
    • Auto - Automatically selects one of the above protocols.
  3. Save the configuration.
CLI commands: 

config system authentication tacacs+ 
  set state {enable|disable}
  set primary-server <ip|domain>
  set primary-secret <string>
  set port <port>
  set backup-server <ip|domain>
  set backup-secret <string>
  set authprot {pap|chap|ascii|auto}
end
TACACS+ ACS Shell Profiles and Custom Attributes

Shell Profiles

For Admin Profiles, create TACACS+ Shell Profiles like the sample below. Shell Profiles must match case and spelling of the Admin Profile configured in FortiDDoS:

Custom Attributes

Under the Custom Attributes tab, add the custom attributes based on the Shell profile. For example:

  • AdminProf:

    • Fortinet-FDD-Access-Profile: super_admin_prof

    • Fortinet-FDD-Trusted-Hosts: 172.30.153.0/24

      Custom Attributes spelling and case must match the above.

Previous
Next