Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.6
Download PDF
Copy Link

user tacacs+

Use this command to add or edit information used for Terminal Access Controller Access-Control System (TACACS+) authentication, a remote authentication protocol used to communicate with an authentication server. The default port for a TACACS+ server is 49. A maximum of 10 remote TACACS+ servers can be configured, and alternative authentication methods can be set for each server. These methods include CHAP, PAP, MS-CHAP, and ASCII. The host name for TACACS+ servers must comply with RFC1035.

config user tacacs+
    edit {name}
    # Configure TACACS+ server entries.
        set name {string}   TACACS+ server entry name. size[35]
        set server {string}   Primary TACACS+ server CN domain name or IP address. size[63]
        set secondary-server {string}   Secondary TACACS+ server CN domain name or IP address. size[63]
        set tertiary-server {string}   Tertiary TACACS+ server CN domain name or IP address. size[63]
        set port {integer}   Port number of the TACACS+ server. range[1-65535]
        set key {password_string}   Key to access the primary server. size[128]
        set secondary-key {password_string}   Key to access the secondary server. size[128]
        set tertiary-key {password_string}   Key to access the tertiary server. size[128]
        set authen-type {option}   Allowed authentication protocols/methods.
                mschap  MSCHAP.
                chap    CHAP.
                pap     PAP.
                ascii   ASCII.
                auto    Use PAP, MSCHAP, and CHAP (in that order).
        set authorization {enable | disable}   Enable/disable TACACS+ authorization.
        set source-ip {string}   source IP for communications to TACACS+ server. size[63]
    next
end

Additional information

The following section is for those options that require additional explanation.

authen-type {mschap | chap | pap | ascii | auto}

Authentication method for this TACACS+ server.

  • mschap: MS-CHAP
  • chap: Challenge Handshake Authentication Protocol
  • pap: Password Authentication Protocol
  • ascii: American Standard Code for Information Interchange, a protocol that represents characters as numerical values.
  • auto: Uses PAP, MS-CHAP, and CHAP (in that order). This is set by default.

authorization {enable | disable}

Enable or disable (by default) TACACS+ authorization.

key <key>

Key used to access the server.

port <port>

TACACS+ port number for this server. Set the value between 1-65535. The default is set to 49.

secondary-key <key>

Key used to access the second server.

secondary-server <name/ip>

Name or IP address of the second sever.

server <name/ip>

Name or IP address of the TACACS+ sever.

source-ip <src-ip>

Enter the source IP address for communications to the TACACS+ server.

tertiary-key <key>

Key used to access the third server.

tertiary-server <name/ip>

Name or IP address of the third sever.

user tacacs+

Use this command to add or edit information used for Terminal Access Controller Access-Control System (TACACS+) authentication, a remote authentication protocol used to communicate with an authentication server. The default port for a TACACS+ server is 49. A maximum of 10 remote TACACS+ servers can be configured, and alternative authentication methods can be set for each server. These methods include CHAP, PAP, MS-CHAP, and ASCII. The host name for TACACS+ servers must comply with RFC1035.

config user tacacs+
    edit {name}
    # Configure TACACS+ server entries.
        set name {string}   TACACS+ server entry name. size[35]
        set server {string}   Primary TACACS+ server CN domain name or IP address. size[63]
        set secondary-server {string}   Secondary TACACS+ server CN domain name or IP address. size[63]
        set tertiary-server {string}   Tertiary TACACS+ server CN domain name or IP address. size[63]
        set port {integer}   Port number of the TACACS+ server. range[1-65535]
        set key {password_string}   Key to access the primary server. size[128]
        set secondary-key {password_string}   Key to access the secondary server. size[128]
        set tertiary-key {password_string}   Key to access the tertiary server. size[128]
        set authen-type {option}   Allowed authentication protocols/methods.
                mschap  MSCHAP.
                chap    CHAP.
                pap     PAP.
                ascii   ASCII.
                auto    Use PAP, MSCHAP, and CHAP (in that order).
        set authorization {enable | disable}   Enable/disable TACACS+ authorization.
        set source-ip {string}   source IP for communications to TACACS+ server. size[63]
    next
end

Additional information

The following section is for those options that require additional explanation.

authen-type {mschap | chap | pap | ascii | auto}

Authentication method for this TACACS+ server.

  • mschap: MS-CHAP
  • chap: Challenge Handshake Authentication Protocol
  • pap: Password Authentication Protocol
  • ascii: American Standard Code for Information Interchange, a protocol that represents characters as numerical values.
  • auto: Uses PAP, MS-CHAP, and CHAP (in that order). This is set by default.

authorization {enable | disable}

Enable or disable (by default) TACACS+ authorization.

key <key>

Key used to access the server.

port <port>

TACACS+ port number for this server. Set the value between 1-65535. The default is set to 49.

secondary-key <key>

Key used to access the second server.

secondary-server <name/ip>

Name or IP address of the second sever.

server <name/ip>

Name or IP address of the TACACS+ sever.

source-ip <src-ip>

Enter the source IP address for communications to the TACACS+ server.

tertiary-key <key>

Key used to access the third server.

tertiary-server <name/ip>

Name or IP address of the third sever.