Technical Tip: Allowing TACACS users to view edit admin user settings

To allow TACACS users to view and edit admin user settings without attaching the Super Admin profile, follow these steps:

• Go to System -> Admin -> Admin Profiles and select the custom Admin-profile attached to the TACACS administrator.
• Select Edit and go to System -> Admin -> Admin Profiles -> Profile.
• In the Admin Profile section, select Read-Write for the System category.
• To test connectivity for TACACS+, navigate to User & Authentication -> TACACS+ Servers -> Edit Server -> Select Test.
• Or run the command diagnose test authserver tacacs+ <servername> <username> <password> to test the TACACS authentication.

'OK' output shows as:

authenticate user '<user-test>' on server 'tacacs-test' succeeded

Admin profile: super_admin

If it fails, the error will be as follows:

authenticate user 'fortiadmin' on server 'tac_plus' failed
Admin profile: <none>

In some cases, an fnbamd process crash impacts all authentication-related functions until the process restarts automatically. While the process is down, authentication requests fail.

To verify whether the fnbamd process has crashed, use:

diagnose debug crashlog read

• Verify that the TACACS user can view and edit the admin user settings by going to System -> Admin -> Administrators.

Related article:

Technical Tip: Access using TACACS+ authentication with admin profile and group matching