TACACS+ Servers
TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and other network devices through one or more centralized servers.
FortiOS sends the following proprietary TACACS+ attributes to the TACACS+ server during authorization requests:
Attribute | Description
---|---
service=<name> | User must be authorized to access the specified service.
memberof | Group that the user belongs to.
admin_prof | Administrator profile (admin access only).
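The wire format behind this exchange, as an added example that is not from the FortiOS documentation or Fortinet's code: an RFC 8907 TACACS+ authorization REQUEST is built from an attribute list, its body is obfuscated with the MD5 pseudo-pad keyed by the shared secret (the value given to `set key`), and the packet is decoded again. The session id, user, port, address and attribute values are constructed sample data, and the field layout follows RFC 8907 rather than anything stated on this page.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0           # major version 12, minor version 0
TAC_PLUS_AUTHOR = 0x02            # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # set only when the body is sent in the clear
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01          # corresponds to 'set authen-type ascii'
AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: chained MD5 over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_author_request(session_id, key, user, port, rem_addr, args, priv_lvl=1):
    """Header plus obfuscated authorization REQUEST body carrying the attribute args."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    body = (bytes([AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                   len(u), len(p), len(r), len(a)])
            + bytes(len(x) for x in a) + u + p + r + b"".join(a))
    seq_no = 1  # the first packet of a session is sent by the client
    hdr = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)

def parse_author_request(packet, key):
    """Decode a packet from build_author_request: returns (user, port, rem_addr, args)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_AUTHOR or len(packet) != HEADER.size + length:
        raise ValueError("not a well-formed TACACS+ authorization packet")
    body = packet[HEADER.size:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    ul, pl, rl, argc = body[4:8]
    arg_lens, off = body[8:8 + argc], 8 + argc
    fields = []
    for n in (ul, pl, rl, *arg_lens):
        fields.append(body[off:off + n].decode())
        off += n
    return fields[0], fields[1], fields[2], fields[3:]
```

A capture of this traffic shows only the header in the clear; the attribute values are recoverable only with the shared key, which is why that key deserves the same handling as any other credential.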
You can configure up to ten remote TACACS+ servers in FortiOS. You must configure at least one server before you can configure remote users.
You must configure a TACACS+ server in the CLI before you can access User & Authentication > TACACS+ Servers in the GUI.
To configure FortiOS for TACACS+ authentication in the CLI:
```
config user tacacs+
    edit "TACACS-SERVER"
        set server [IP_ADDRESS]
        set key [PASSWORD]
        set authen-type ascii
    next
end
config user group
    edit "TACACS-GROUP"
        set group-type firewall
        set member "TACACS-SERVER"
    next
end
config system admin
    edit TACACS-USER
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "TACACS-GROUP"
    next
end
```
To configure a TACACS+ server in the GUI:
A TACACS+ server must first be added in the CLI to make the option visible in the GUI.
- Go to User & Authentication > TACACS+ Servers.
- Click Create New.
- Configure the following settings:
Setting | Description
---|---
Name | TACACS+ server name.
Server Name/IP | TACACS+ server domain name or IP address.
Server Key | Key to access the TACACS+ server.
Authentication Type | Select the authentication type to use for the TACACS+ server. Selecting Auto tries PAP, MSCHAP, and CHAP, in that order.
To configure IPv6 address support for TACACS+ servers:
```
config user tacacs+
    edit <name>
        set server <ipv6 address>
        set source-ipv6 <ipv6 address>
    next
end
```