Technical Tip: FortiAuthenticator supports TACACS+ for authentication and authorization
Description
Scope
FortiAuthenticator.
Solution
TACACS+ provides authentication, authorization and accounting (AAA) for network devices such as routers, switches, firewalls and servers. It runs over TCP port 49, and the body of each packet is encrypted (the packet header is sent in clear text).
How it works:
- The user attempts to log in.
- The username is checked locally; if it is present, the request is forwarded to the TACACS+ server.
- The password is verified, and the request is then checked against the trusted-host list.
- The profiles and resources the user requires are granted.
- On successful authentication, the vendor-specific attributes (VSAs) defined for the user's group are returned.
Log snippets from a successful login, for reference.
TACACS+ Authentication logs:
2025-12-09T09:42:08.789839+00:00 FAC01 authen_tac_plus[2916]: 10.10.10.2 test1 ssh 10.10.10.1 pap login succeeded
2025-12-09T09:42:08.826070+00:00 FAC01 authen_tac_plus[44930]: 10.10.10.2 test1 ssh 10.10.10.1 pap login succeeded
TACACS+ Accounting logs:
2025-12-09T09:42:09.802826+00:00 FAC01 acct_tac_plus[2916]: 10.10.10.2 test1 ssh 10.10.10.1 start start_time=1215575841 task_id=64612 service=test-ssh protocol=ip
TACACS+ Authorization logs:
2025-12-09T09:42:08.523056+00:00 FAC01 author_tac_plus[60848]: 10.10.10.2 new.user/TestRule ssh 10.10.10.1 add test-ssh group1=global-read-write shell=/usr/bin/cli
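As an added example (not part of the original article), the following Python parser handles the three FortiAuthenticator TACACS+ log formats shown above and correlates one login's authentication, authorization and accounting records by client, user and remote address, so that a login missing a stage (for example an authorization record with no matching authentication) stands out during review. The sample lines are constructed from the snippets above; the field layout is inferred from those snippets only.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the log snippets in this article.
SAMPLE_LOGS = """\
2025-12-09T09:42:08.523056+00:00 FAC01 author_tac_plus[60848]: 10.10.10.2 new.user/TestRule ssh 10.10.10.1 add test-ssh group1=global-read-write shell=/usr/bin/cli
2025-12-09T09:42:08.789839+00:00 FAC01 authen_tac_plus[2916]: 10.10.10.2 test1 ssh 10.10.10.1 pap login succeeded
2025-12-09T09:42:09.802826+00:00 FAC01 acct_tac_plus[2916]: 10.10.10.2 test1 ssh 10.10.10.1 start start_time=1215575841 task_id=64612 service=test-ssh protocol=ip
"""

# Common prefix shared by the three daemons (layout inferred from the snippets above):
#   <timestamp> <host> <authen|author|acct>_tac_plus[<pid>]: <client> <user> <port> <rem_addr> <rest>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>authen|author|acct)_tac_plus\[(?P<pid>\d+)\]: "
    r"(?P<client>\S+) (?P<user>\S+) (?P<port>\S+) (?P<rem_addr>\S+) (?P<rest>.*)$"
)

def parse_line(line):
    """Parse one FortiAuthenticator TACACS+ log line into a dict; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    tokens = rec.pop("rest").split()
    # key=value tokens (acct and author attributes) go into 'attrs'; the rest are positional
    rec["attrs"] = dict(t.split("=", 1) for t in tokens if "=" in t)
    plain = [t for t in tokens if "=" not in t]
    if rec["kind"] == "authen":        # e.g. "pap login succeeded"
        rec["method"], rec["result"] = plain[0], " ".join(plain[1:])
    elif rec["kind"] == "author":      # e.g. "add test-ssh group1=... shell=..."
        rec["action"], rec["service"] = plain[0], plain[1]
        rec["user"], _, rec["rule"] = rec["user"].partition("/")  # user is "<user>/<RuleName>"
    else:                              # acct, e.g. "start start_time=... task_id=..."
        rec["event"] = plain[0]
    return rec

def correlate(text):
    """Group records by (client, user, rem_addr) so one login's stages can be reviewed together."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            sessions[(rec["client"], rec["user"], rec["rem_addr"])][rec["kind"]] = rec
    return dict(sessions)

def missing_stages(sessions):
    """Map each incomplete login to the set of stages (authen/author/acct) it lacks."""
    return {k: {"authen", "author", "acct"} - set(v) for k, v in sessions.items()
            if len(v) < 3}
```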
Troubleshooting Commands:
- Packet capture on FortiGate: diagnose sniffer packet any 'host x.x.x.x and port 49' 6 0 a
- To test the credentials directly from FortiGate, use the command 'diagnose test authserver tacacs+ <servername> <username> <password>'.
- Packet capture on FortiAuthenticator: execute tcpdump -c2 -v -i portN host x.x.x.x and port 49 (portN is the interface on which the TACACS+ traffic arrives).
- On FortiAuthenticator, additional logs can be downloaded from:
- FortiAuthenticator/Logging/Log Access/Logs -> Downloads drop-down list -> Authentication.
- FortiAuthenticator/Logging/Log Access/Logs -> Downloads drop-down list -> Accounting.
- FortiAuthenticator/Logging/Log Access/Logs -> Downloads drop-down list -> Authorization.
Related articles:
FortiAuthenticator can be used as a TACACS+ server for Cisco Switch. Refer to Technical Tip: FortiAuthenticator as TACACS+ server for Cisco switch and clear pass for remote user authorization.
FortiAuthenticator can be used as a TACACS+ server with FortiGate as the TACACS+ client. Refer to Technical Tip: Configure FortiAuthenticator as TACACS+ server, and FortiGate as TACACS+ client for authentication, and authorization.
FortiAuthenticator is used as the TACACS+ server with FortiAnalyzer/FortiManager. Refer to Technical Tip: FortiAuthenticator as TACACS+ server for FortiAnalyzer / FortiManager user authorization.
FortiAuthenticator is used as the TACACS+ server with steps for user authorization. Refer to Technical Tip: FortiAuthenticator as TACACS+ server for FortiGate user authorization.
