Administration Guide

TACACS+ servers

TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and other network devices through one or more centralized servers.

FortiOS sends the following proprietary TACACS+ attributes to the TACACS+ server during authorization requests:

Attribute          Description
service=<name>     User must be authorized to access the specified service.
memberof           Group that the user belongs to.
admin_prof         Administrator profile (admin access only).

Note

Only memberof and admin_prof attributes are parsed in authentication replies.
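The note above means that a TACACS+ server can return any number of attribute-value pairs in an authorization reply, but FortiOS only acts on memberof and admin_prof. The following added example (illustrative code, not FortiOS code) shows what that filtering looks like: it splits reply pairs using the RFC 8907 syntax, where "attr=value" marks a mandatory attribute and "attr*value" an optional one, keeps every memberof value and the admin_prof value, and records the attribute names it ignored so an operator can see why a server-side setting such as a privilege level had no effect. The sample reply is constructed for the example.

```python
"""Interpret a TACACS+ authorization reply the way the documented rule
describes: only memberof and admin_prof are honoured, everything else is
ignored. Added example; the AV-pair syntax follows RFC 8907 and the
sample reply below is constructed, not captured from a real server."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Attributes FortiOS parses in authentication replies (from the page's note).
HONOURED = {"memberof", "admin_prof"}


@dataclass
class ReplyAuthz:
    groups: List[str] = field(default_factory=list)   # all memberof values
    admin_profile: Optional[str] = None               # admin_prof value
    ignored: List[str] = field(default_factory=list)  # attribute names dropped


def parse_av_pair(pair: str) -> Tuple[str, str, bool]:
    """Split one AV pair into (attribute, value, mandatory).

    The first '=' or '*' is the separator; '=' means the attribute is
    mandatory, '*' means optional (RFC 8907 section 6.1)."""
    for i, ch in enumerate(pair):
        if ch in "=*":
            return pair[:i], pair[i + 1:], ch == "="
    raise ValueError(f"malformed AV pair: {pair!r}")


def interpret_reply(av_pairs: List[str]) -> ReplyAuthz:
    """Reduce a reply's AV pairs to the group list and admin profile that
    matter for the FortiOS user or admin lookup."""
    result = ReplyAuthz()
    for pair in av_pairs:
        attr, value, _mandatory = parse_av_pair(pair)
        if attr not in HONOURED:
            # e.g. priv-lvl or service=shell: not parsed, so record and skip
            result.ignored.append(attr)
            continue
        if attr == "memberof":
            # a server may send several memberof pairs; keep all of them
            result.groups.append(value)
        else:  # admin_prof
            result.admin_profile = value
    return result


if __name__ == "__main__":
    # Constructed sample reply from a hypothetical TACACS+ server.
    sample = ["memberof=TACACS-GROUP", "admin_prof=super_admin",
              "priv-lvl=15", "memberof*netops"]
    authz = interpret_reply(sample)
    print("groups:", authz.groups)
    print("admin profile:", authz.admin_profile)
    print("ignored attributes:", authz.ignored)
```

When troubleshooting a remote admin who authenticates but lands in the wrong profile, this is the view to reason from: only the memberof values (matched against the remote-group) and admin_prof reach the access decision.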

You can configure up to ten remote TACACS+ servers in FortiOS. You must configure at least one server before you can configure remote users.

Note

A TACACS+ server must first be added in the CLI to make the option visible in the GUI.

To configure TACACS+ authentication in the CLI:
  1. Configure the TACACS+ server entry:
    config user tacacs+
        edit "TACACS-SERVER"
            set server <IP address>
            set key <string>
            set authen-type ascii
            set source-ip <IP address>
        next
    end
  2. Configure the remote user group:
    config user group
        edit "TACACS-GROUP"
            set group-type firewall
            set member "TACACS-SERVER"
        next
    end
  3. Configure the remote user:
    config system admin
        edit TACACS-USER
            set remote-auth enable
            set accprofile "super_admin"
            set vdom "root"
            set wildcard enable
            set remote-group "TACACS-GROUP"
        next
    end
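
The three CLI steps above are easy to get partly right: a server entry with an empty key, more than ten servers, remote users defined before any server exists, or a wildcard admin that is not tied to a remote-group. The following added example (not Fortinet code) checks a planned deployment against the limits stated on this page and then renders the same three CLI blocks from it. The dataclass field names mirror the CLI keywords shown above; the accepted authen-type values are the ones this page names (ascii, auto, PAP, MSCHAP, CHAP), and the rule that a wildcard admin must carry a remote-group is a policy assumption of the checker, not a FortiOS restriction.

```python
"""Validate a planned FortiOS TACACS+ deployment and render the CLI blocks.
Added example, not Fortinet code. Limits: ten servers, at least one server
before remote users (both from the page); wildcard admins must set a
remote-group (checker policy assumption). Sample values are constructed."""

from dataclasses import dataclass
from typing import List
import ipaddress

AUTHEN_TYPES = {"auto", "ascii", "pap", "chap", "mschap"}  # values named on the page
MAX_SERVERS = 10                                             # FortiOS limit per the page


@dataclass(frozen=True)
class TacacsServer:
    name: str
    server: str
    key: str
    authen_type: str = "ascii"
    source_ip: str = ""


@dataclass(frozen=True)
class RemoteAdmin:
    name: str
    accprofile: str
    remote_group: str = ""
    wildcard: bool = False


def validate(servers: List[TacacsServer], admins: List[RemoteAdmin]) -> List[str]:
    """Return a list of problems; an empty list means the plan passes."""
    problems = []
    if len(servers) > MAX_SERVERS:
        problems.append(f"{len(servers)} servers exceeds the limit of {MAX_SERVERS}")
    if admins and not servers:
        problems.append("remote users are configured but no TACACS+ server is defined")
    for s in servers:
        if not s.key:
            problems.append(f"{s.name}: empty key (shared secret)")
        if s.authen_type not in AUTHEN_TYPES:
            problems.append(f"{s.name}: unknown authen-type {s.authen_type!r}")
        if s.source_ip:
            try:
                ipaddress.ip_address(s.source_ip)
            except ValueError:
                problems.append(f"{s.name}: source-ip {s.source_ip!r} is not an IP address")
    for a in admins:
        if a.wildcard and not a.remote_group:
            problems.append(f"{a.name}: wildcard admin without a remote-group")
    return problems


def render_cli(servers, group_name: str, admins, vdom: str = "root") -> str:
    """Render the server, group and admin blocks in FortiOS CLI syntax."""
    lines = ["config user tacacs+"]
    for s in servers:
        lines += [f'    edit "{s.name}"',
                  f"        set server {s.server}",
                  f"        set key {s.key}",
                  f"        set authen-type {s.authen_type}"]
        if s.source_ip:
            lines.append(f"        set source-ip {s.source_ip}")
        lines.append("    next")
    lines.append("end")
    members = " ".join(f'"{s.name}"' for s in servers)
    lines += ["config user group", f'    edit "{group_name}"',
              "        set group-type firewall",
              f"        set member {members}", "    next", "end"]
    lines.append("config system admin")
    for a in admins:
        lines += [f"    edit {a.name}", "        set remote-auth enable",
                  f'        set accprofile "{a.accprofile}"',
                  f'        set vdom "{vdom}"']
        if a.wildcard:
            lines.append("        set wildcard enable")
        if a.remote_group:
            lines.append(f'        set remote-group "{a.remote_group}"')
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample plan mirroring the documented procedure.
    plan_servers = [TacacsServer("TACACS-SERVER", "192.0.2.10", "s3cret", "ascii", "192.0.2.1")]
    plan_admins = [RemoteAdmin("TACACS-USER", "super_admin", "TACACS-GROUP", wildcard=True)]
    issues = validate(plan_servers, plan_admins)
    print("\n".join(issues) if issues else render_cli(plan_servers, "TACACS-GROUP", plan_admins))
```

Run validate() before pasting the rendered text into the CLI; the wildcard check is the one worth keeping even if the others are relaxed, since a wildcard admin entry with a broad profile and no remote-group accepts any account the TACACS+ server authenticates.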
To configure a TACACS+ server in the GUI:
  1. Go to User & Authentication > TACACS+ Servers.
  2. Click Create New.
  3. Configure the following settings:

    Name                  Enter the TACACS+ server name.
    Authentication Type   Select the authentication type used for the TACACS+ server. Selecting Auto tries PAP, MSCHAP, and CHAP, in that order.
    Server IP/Name        Enter the domain name or IP address for the primary server.
    Server Secret         Enter the key to access the primary server.

  4. Click OK.