Technical Tip: How to configure TACACS+ authentication and authorization in FortiGate
- October 20, 2011
Description
This article describes how to configure password authentication and access using a remote TACACS+ server on FortiGate.
Scope
FortiGate provides support for many remote authentication servers, including TACACS+. When a TACACS+ server is used for authentication, FortiGate forwards the user's submitted credentials to it and waits for its response.
By default, TACACS+ cannot be configured in the GUI. It cannot be enabled from System -> Feature Visibility, so initially it needs to be configured via CLI, and once the server is set up, it will appear in the GUI as well under User & Authentication -> TACACS+ Servers.
Solution
Here is a step-by-step guide:
1. Add the TACACS+ server to the FortiGate using the following commands on the CLI:
config user tacacs+
edit <server name>
set authorization enable
set server <server ip>
set key <server key>
set authen-type chap
next
end
'set authen-type' can have the following options: PAP, MSCHAP, CHAP, and Auto.
Selecting 'Auto' tries PAP, MSCHAP, and CHAP, in that order.
The 'Auto' option does not work with TACACS+, so it is necessary to select the authentication type from the available options.
It is possible to find the server key in the configuration file of the TACACS+ server.
It is also possible to specify the source IP address and Interface used to communicate with the TACACS+ server.
config user tacacs+
edit <server name>
set interface-select-method specify
set interface <interface name>
set source-ip <IP address of interface>
next
end
The TACACS+ Servers tab will only appear under the User & Authentication tab after configuring TACACS+ via the CLI:

2. Create a user group and add the server as a member:
config user group
edit <tacacs+ group name>
set member <server name>
next
end
With this method, any user with an account on the remote server can authenticate.
Note:
Another method would be to create TACACS+ user accounts directly on FortiGate. In this case, it is necessary to specify, for each user created, which TACACS+ server is to be used:
config user local
edit <user name>
set type tacacs+
set tacacs+-server <server name>
next
end
3. Create an admin user set up for remote login, wildcard, and a no-access profile.
For this step, it is necessary to be in a global context if the FortiGate is configured with VDOMs:
config global
Start by creating the access profile (minimum level so that the access profile on the TACACS+ server can be set on top of it):
config system accprofile
edit noaccess
next
end
Then create the desired admin account:
config system admin
edit <admin name>
set remote-auth enable
set accprofile "noaccess"
set vdom "root"
set wildcard enable
set remote-group <tacacs+ group name>
set accprofile-override enable
next
end
Enabling the override allows the profile returned by the TACACS+ server to replace the noaccess profile, so a TACACS+ admin user can be given more rights than noaccess alone would allow.
TACACS+ server configuration:
Create the desired users and user groups in the TACACS+ server configuration file.
A basic example:
group = read-only {
default service = permit
}
An admin group example:
group = admins {
default service = permit
service = fortigate {
admin_prof = super_admin
}
}
Calling the 'fortigate' service and setting 'admin_prof' to 'super_admin' allows giving users of this group admin access.
For the desired users, configure CHAP as the authentication method to make it work with the FortiGate:
user = <regular user name> {
default service = permit
member = read-only
login = cleartext <password>
chap = cleartext <password>
}
user = <admin user name> {
default service = permit
member = admins
login = cleartext <password>
chap = cleartext <password>
}
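As an added example (not part of the article and not Fortinet's or tac_plus's own code), the following Python script parses a configuration written in the tac_plus syntax shown above and reports, per user, which admin_prof the 'fortigate' service would hand to the FortiGate through the user's group membership, and whether the user has the chap entry that 'set authen-type chap' requires. The sample configuration, user names and passwords are constructed.

```python
# Constructed sample in the tac_plus syntax shown above; names and passwords are made up.
SAMPLE_CONFIG = """
group = read-only {
    default service = permit
}
group = admins {
    default service = permit
    service = fortigate {
        admin_prof = super_admin
    }
}
user = alice {
    member = read-only
    login = cleartext pw-alice
    chap = cleartext pw-alice
}
user = carol {
    member = admins
    login = cleartext pw-carol
}
"""
def parse_blocks(text):
    """Parse 'key = value' lines and nested 'key = name { ... }' blocks into dicts."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            stack.pop()
            continue
        key, _, value = (k.strip() for k in line.rstrip("{ ").partition("="))
        if line.endswith("{"):  # block start: nest a child dict under key -> name
            stack[-1].setdefault(key, {})[value] = child = {}
            stack.append(child)
        else:
            stack[-1][key] = value
    return stack[0]

def effective_profile(cfg, username, max_depth=16):
    """admin_prof that the 'fortigate' service yields for a user, via its group chain."""
    node = cfg.get("user", {}).get(username)
    while node is not None and max_depth > 0:  # bound the walk: a group loop must not spin
        prof = node.get("service", {}).get("fortigate", {}).get("admin_prof")
        if prof:
            return prof
        node, max_depth = cfg.get("group", {}).get(node.get("member")), max_depth - 1
    return None

def lint_users(cfg):
    """Per user: has the chap entry that 'set authen-type chap' needs, and which profile."""
    return {name: {"chap_ok": "chap" in user, "admin_prof": effective_profile(cfg, name)}
            for name, user in cfg.get("user", {}).items()}
```

A user reported with chap_ok False will fail the FortiGate's CHAP authentication; one with admin_prof None lands on the noaccess profile.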
Verification:
A successful login shows the profile assigned by the TACACS+ server:
Admin profile: super_admin
If it fails, the error will be as follows:
authenticate user 'fortiadmin' on server 'tac_plus' failed
Admin profile: <none>
set admin-restrict-local enable
end