TACACS+ Servers
TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and other network devices through one or more centralized servers.
FortiOS sends the following proprietary TACACS+ attributes to the TACACS+ server during authorization requests:
Attribute | Description
---|---
service=<name> | User must be authorized to access the specified service.
memberof | Group that the user belongs to.
admin_prof | Administrator profile (admin access only).
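To show what those attributes look like on the wire, and why the shared key matters, the following is an added example (not FortiOS or Fortinet code) that builds and decodes a TACACS+ authorization REQUEST per RFC 8907 carrying the attribute/value pairs listed above. The attribute values (`fortigate`, `fortigate-admins`, `prof_admin`), the user name and the key are constructed sample data, not values the page states. The parser also handles the `attr*value` optional-pair form from the RFC, which the table does not mention.

```python
"""Build and decode a TACACS+ authorization REQUEST (RFC 8907) carrying the
attribute/value pairs FortiOS sends, and show that the body is only readable
with the shared secret configured on both sides.

Added example; not FortiOS or Fortinet code. Sample values are constructed."""
import hashlib
import struct

# RFC 8907 header constants
TAC_PLUS_VERSION = (0xC << 4) | 0x0       # major version 0xc, minor 0
TAC_PLUS_AUTHOR = 0x02                    # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_FMT = "!BBBBII"                    # version, type, seq_no, flags, session_id, length

# Authorization REQUEST body fields used here
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01         # corresponds to "set authen-type ascii"
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

# Constructed sample arguments using the attribute names from the table above
SAMPLE_ARGS = ["service=fortigate", "memberof=fortigate-admins", "admin_prof=prof_admin"]


def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 section 4.5: MD5 keystream from the shared secret.
    MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_(n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([TAC_PLUS_VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_request(user, args, session_id, key, seq_no=1, port="", rem_addr=""):
    """Encode an authorization REQUEST (RFC 8907 section 6.1) and obfuscate it."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_bs = [a.encode() for a in args]
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, 0,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(user_b), len(port_b), len(rem_b), len(arg_bs))
    body += bytes(len(a) for a in arg_bs)         # one length byte per argument
    body += user_b + port_b + rem_b + b"".join(arg_bs)
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHOR,
                         seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def split_avpair(arg):
    """'attr=value' is mandatory, 'attr*value' optional; the first separator wins."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError("argument has no AV separator: %r" % arg)


def parse_author_request(packet, key):
    """Decode with the given secret. Raises ValueError when the body does not
    parse, which is what a wrong shared secret produces."""
    if len(packet) < 12:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    body = packet[12:]
    if ptype != TAC_PLUS_AUTHOR or version != TAC_PLUS_VERSION or len(body) != length:
        raise ValueError("not a well-formed authorization packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, seq_no)
    if len(body) < 8:
        raise ValueError("short body")
    _, priv_lvl, _, _, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    arg_lens = list(body[8:8 + argc])
    off = 8 + argc
    if len(arg_lens) != argc or off + ulen + plen + rlen + sum(arg_lens) != len(body):
        raise ValueError("body lengths inconsistent (wrong shared secret?)")
    user = body[off:off + ulen].decode("utf-8")
    off += ulen + plen + rlen                      # skip port and rem_addr
    args = []
    for n in arg_lens:
        args.append(split_avpair(body[off:off + n].decode("utf-8")))
        off += n
    return {"user": user, "priv_lvl": priv_lvl, "args": args}


def try_decode(packet, key):
    """Return None instead of raising, to compare right and wrong secrets."""
    try:
        return parse_author_request(packet, key)
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    key = b"example-secret"                       # constructed; use a long random secret in practice
    pkt = build_author_request("alice", SAMPLE_ARGS, session_id=0x1A2B3C4D, key=key)
    print(parse_author_request(pkt, key))
    print(try_decode(pkt, b"wrong-secret"))       # None or garbage: unreadable without the key
```

The MD5 keystream is the only protection TACACS+ gives the packet body, which is why the key configured with `set key` on the FortiGate and on the server should be long and random, and why the transport should be a trusted management network.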
You can configure up to ten remote TACACS+ servers in FortiOS. You must configure at least one server before you can configure remote users.
A TACACS+ server must first be added in the CLI before the option becomes visible in the GUI.
To configure TACACS+ authentication in the CLI:
- Configure the TACACS+ server entry. The key is what protects the exchange: TACACS+ obfuscates packet bodies with an MD5 keystream derived from this shared secret (RFC 8907 calls this obfuscation, not encryption), so use a long random string and set the same value on the server:
```
config user tacacs+
    edit "TACACS-SERVER"
        set server <IP address>
        set key <string>
        set authen-type ascii
        set source-ip <IP address>
    next
end
```
- Configure the remote user group:
```
config user group
    edit "TACACS-GROUP"
        set group-type firewall
        set member "TACACS-SERVER"
    next
end
```
- Configure the remote administrator. With wildcard enabled, any account the TACACS+ server authenticates as a member of TACACS-GROUP can log in with the accprofile set here; super_admin is shown for illustration, and a least-privilege profile is the safer default unless every member of that group should have full access:
```
config system admin
    edit TACACS-USER
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "TACACS-GROUP"
    next
end
```
To configure a TACACS+ server in the GUI:
- Go to User & Device > TACACS+ Servers.
- Click Create New.
- Configure the following settings:
Name
Enter the TACACS+ server name.
Authentication Type
Select the authentication type used for the TACACS+ server.
Selecting Auto tries PAP, MSCHAP, and CHAP, in that order.
Server IP/Name
Enter the domain name or IP address for the primary server.
Server Secret
Enter the shared secret (key) for the primary server. It must match the key configured on the TACACS+ server.
- Click OK.