TACACS

This chapter contains information on using Terminal Access Controller Access-Control System (TACACS+) authentication with your FortiSwitch unit.

Administrative accounts

Administrative, or admin, accounts allow access to various aspects of the FortiSwitch configuration. The level of access is determined by the admin profile that is assigned to the admin account.

See Configuring administrator tasks for the steps to create an admin profile.

Configuring a TACACS admin account

TACACS+ is a remote authentication protocol that provides access control for routers, network access servers, and other network computing devices using one or more centralized servers. If you have configured TACACS+ support and an administrator is required to authenticate using a TACACS+ server, the FortiSwitch unit contacts the TACACS+ server for authentication.

Using the GUI:
  1. Go to System > Admin > Administrators and select Add Administrator.
  2. Give the administrator account an appropriate name.
  3. Select Remote for the administrator type.
  4. Select a user group for remote users.
  5. Enable Wildcard.
  6. Select an administrator profile.
  7. Select Add.
Using the CLI:

config system admin
    edit tacuser
        set remote-auth enable
        set wildcard enable
        set remote-group <group>
        set accprofile <profile>
    end
end

User accounts

User accounts identify a network user and determine what parts of the network the user is allowed to access.

Configuring a user account

config user tacacs+
    edit <tacserver>
        set authen-type {ascii | auto | chap | ms_chap | pap}
        set authorization enable
        set key <authorization_key>
        set server <server>
    end
end

Configuring a user group

config user group
    edit <tacgroup>
        set member <tacserver>
        config match
            edit 1
                set server-name <server>
                set group-name <group>
            end
        end
    end
end

Example configuration

The following is an example configuration of a TACACS+ user account, with the CLI syntax shown to create it:

  1. Configuring a TACACS+ user account for login authentication:

    config user tacacs+
        edit tacserver
            set authen-type ascii
            set authorization enable
            set key temporary
            set server tacacs_server
        end

  2. Configuring a TACACS+ user group:

    config user group
        edit tacgroup
            set member tacserver
            config match
                edit 1
                    set server-name tacserver
                    set group-name tacgroup
                end
            end
        end
    end

  3. Configuring a TACACS+ system admin user account:

    config system admin
        edit tacuser
            set remote-auth enable
            set wildcard enable
            set remote-group tacgroup
            set accprofile noaccess
        end
    end
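The three objects above only work together when the admin's remote-group names a defined user group and the group's member names a defined TACACS+ server. The following added example (not Fortinet's code) parses config/edit/set/end text in the style shown in this chapter and cross-checks those references, also flagging a short shared key; the 16-character minimum, the sample text and the misspelled group name are this example's own assumptions.

```python
# Added example (not Fortinet's code): parse FortiSwitch-style config/edit/set/end text and cross-check it
def parse(text):
    stack = [("root", {})]   # (kind, dict being filled); stack[0] holds the parsed tree
    for words in filter(None, map(str.split, text.splitlines())):
        cmd, args = words[0], words[1:]
        if cmd in ("config", "edit"):   # open a table, or an entry inside one
            stack.append((cmd, stack[-1][1].setdefault(" ".join(args), {})))
        elif cmd == "set":
            stack[-1][1][args[0]] = " ".join(args[1:])
        elif cmd == "end":   # closes the enclosing config, including an open edit;
            while len(stack) > 1 and stack.pop()[0] != "config":   # extra top-level ends are ignored
                pass
    return stack[0][1]

def audit(cfg, min_key_len=16):
    """Return findings; an empty list means server, group and admin reference each other consistently."""
    servers, groups = cfg.get("user tacacs+", {}), cfg.get("user group", {})
    out = []
    for name, srv in servers.items():   # the 16-character minimum is this example's assumption
        if len(srv.get("key", "")) < min_key_len:
            out.append(f"server {name}: shared key shorter than {min_key_len} characters")
    for name, grp in groups.items():
        for member in grp.get("member", "").split():
            if member not in servers:
                out.append(f"group {name}: member {member} is not a defined tacacs+ server")
    for name, adm in cfg.get("system admin", {}).items():
        if adm.get("remote-auth") == "enable" and adm.get("remote-group") not in groups:
            out.append(f"admin {name}: remote-group {adm.get('remote-group')} is not a defined group")
    return out
# Constructed sample based on the chapter's example, with the admin's group name misspelled
SAMPLE = """\
config user tacacs+
    edit tacserver
        set key temporary
        set server tacacs_server
    end
end
config user group
    edit tacgroup
        set member tacserver
    end
end
config system admin
    edit tacuser
        set remote-auth enable
        set remote-group tacgrp
        set accprofile noaccess
    end
end
"""
```

Running audit(parse(SAMPLE)) reports the short key and the undefined remote-group; once both are corrected the list is empty.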
