
TACACS+ Servers

TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and other network devices via one or more centralized servers.

FortiOS sends the following proprietary TACACS+ attributes to the TACACS+ server during authorization requests:

    Attribute        Description
    service=<name>   User must be authorized to access the specified service.
    memberof         Group that the user belongs to.
    admin_prof       Administrator profile (admin access only).

Note: Only the memberof and admin_prof attributes are parsed in authentication replies.

You can configure up to ten remote TACACS+ servers in FortiOS. You must configure at least one server before you can configure remote users.

Note: You must configure a TACACS+ server in the CLI before you can access User & Device > TACACS+ Servers in the GUI.

To configure FortiOS for TACACS+ authentication in the CLI:

    config user tacacs+
        edit "TACACS-SERVER"
            set server [IP_ADDRESS]
            set key [PASSWORD]
            set authen-type ascii
        next
    end

    config user group
        edit "TACACS-GROUP"
            set group-type firewall
            set member "TACACS-SERVER"
        next
    end

    config system admin
        edit TACACS-USER
            set remote-auth enable
            set accprofile "super_admin"
            set vdom "root"
            set wildcard enable
            set remote-group "TACACS-GROUP"
        next
    end
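An added check, example code that is not Fortinet's: a small parser for the CLI snippet above as it appears in a FortiOS configuration backup, plus an audit that reports TACACS+ server entries with no shared key and wildcard admins bound to a TACACS+-backed remote group, together with the profile every member of that group receives (group membership comes from the server's memberof reply). The sample configuration, the 192.0.2.10 address and the ENC_PLACEHOLDER key value are constructed; the parser handles flat config blocks only.

```python
import shlex
# Constructed sample: the page's CLI snippet as it appears in a FortiOS config backup.
SAMPLE_CONFIG = """config user tacacs+
    edit "TACACS-SERVER"
        set server 192.0.2.10
        set key ENC_PLACEHOLDER
    next
end
config user group
    edit "TACACS-GROUP"
        set member "TACACS-SERVER"
    next
end
config system admin
    edit "TACACS-USER"
        set remote-auth enable
        set accprofile "super_admin"
        set wildcard enable
        set remote-group "TACACS-GROUP"
    next
end"""

def parse_fortios(text):
    """Map 'config <path>' -> {edit name -> {set key -> values}}; flat blocks only."""
    sections, path, entry = {}, [], None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
        elif tok[0] == "edit":
            entry = sections.setdefault(path[-1], {}).setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] == "end":
            path.pop()
    return sections

def audit(sections):
    """Flag servers with no shared key, and wildcard admins (any remote user in grp gets prof)."""
    findings, servers = [], sections.get("user tacacs+", {})
    val = lambda d, k: (d.get(k) or [""])[0]
    findings += [("missing-key", n) for n, s in servers.items() if not s.get("key")]
    tacacs_groups = {g for g, v in sections.get("user group", {}).items()
                     if any(m in servers for m in v.get("member", []))}  # TACACS+-backed groups
    for name, a in sections.get("system admin", {}).items():
        grp, prof = val(a, "remote-group"), val(a, "accprofile")
        if val(a, "wildcard") == "enable" and grp in tacacs_groups:
            findings.append(("wildcard-admin", name, grp, prof))
            if prof == "super_admin":  # broadest profile handed to every member of grp
                findings.append(("super-admin-via-remote-group", name, grp))
    return findings
```

Run audit(parse_fortios(text)) over a backup to see which remote groups hand out super_admin; a narrower accprofile per group keeps the TACACS+ server's group assignment from becoming full device control.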

To configure a TACACS+ server in the GUI:
  1. Go to User & Device > TACACS+ Servers. Click Create New.
  2. Configure the following settings:

        Setting              Description
        Name                 TACACS+ server name.
        Server Name/IP       TACACS+ server domain name or IP address.
        Server Key           Key to access the TACACS+ server.
        Authentication Type  Select the authentication type to use for the TACACS+ server.
                             Selecting Auto tries PAP, MSCHAP, and CHAP, in that order.

To configure IPv6 address support for TACACS+ servers:

    config user tacacs+
        edit <name>
            set server <ipv6 address>
            set source-ipv6 <ipv6 address>
        next
    end
