Technical Tip: How to configure FortiAuthenticator as a TACACS+ client
| Description | This article describes how to configure FortiAuthenticator as a TACACS+ client. |
| Scope | FortiAuthenticator v6.6.x. |
| Solution | Admin access to FortiAuthenticator can be configured to use the TACACS+ server user database.
FortiAuthenticator does not have a wildcard admin option like FortiGate. Any user who should have administrator permissions on FortiAuthenticator must either be created locally or created/imported under remote users.
Create the TACACS+ server: Go to Authentication -> Remote Auth. Servers -> TACACS+ -> Create New.
Import remote users: Go to Authentication -> User Management -> Remote Users -> TACACS+ -> Create New.
The imported user, 'user1' in this example, must already exist on the TACACS+ server or be created there beforehand. The username 'user1' can then be used to log in to the FortiAuthenticator Web GUI.
When FortiAuthenticator is used as a TACACS+ client, error logs can be found under Logging -> Log Access -> Logs. In the 'Download' section, select 'Raw Log' for detailed information. Additionally, RADIUS debug logs may provide further insight, since remote administrator logins are processed by the RADIUS service in FortiAuthenticator. These debug logs can be accessed at https://<FortiAuthenticator-IP>/debug. |




