ighita
Staff
August 22, 2021

Technical Tip: How to configure TACACS+ user authorization


Description

This article describes how to configure password authentication through a remote TACACS+ server for a system admin user, while authorization is handled on the FortiGate itself.

Scope

FortiGate.

Solution


  1. Add the TACACS+ server to the FortiGate.

From GUI:

From CLI:

config user tacacs+
    edit "TACACS_server"
        set server "10.0.3.114"
        set key <server key>
        set authen-type chap
        set authorization enable
    next
end
 

  2. Create a user group and add the server as a member.

From GUI:

From CLI:

config user group
    edit "TACACS_GROUP"
        set member "TACACS_server"
    next
end
 

  3. Create the custom access profile.

From GUI:

From CLI:

config system accprofile
    edit "read_only"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set wifi read
    next
end
 

  4. Create the admin user and select the Administrator Profile.

From GUI:

From CLI:

config system admin
    edit "limited_admin"
        set remote-auth enable
        set accprofile "read_only"
        set vdom "root"
        set remote-group "TACACS_GROUP"
    next
end
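
As an added example (not part of the original article and not Fortinet tooling), the Python script below parses the four CLI blocks above as they would appear in a saved FortiGate configuration and checks the property this setup is meant to enforce: every admin with remote-auth enabled is bound to a defined user group that contains a TACACS+ server, and to an access profile that is defined locally and is not the built-in super_admin profile. The parser handles only the flat config/edit/set/next/end syntax used in this article (sub-tables nested inside an entry are skipped), and the sample configuration, its placeholder secret and the function names are constructed for this example.

```python
import shlex

# Constructed sample: the four CLI blocks from the article, joined into one
# text as they would appear in a saved configuration.  The shared secret is
# a placeholder, not a real key.
SAMPLE_CONFIG = """
config user tacacs+
    edit "TACACS_server"
        set server "10.0.3.114"
        set key PLACEHOLDER_SECRET
        set authen-type chap
        set authorization enable
    next
end
config user group
    edit "TACACS_GROUP"
        set member "TACACS_server"
    next
end
config system accprofile
    edit "read_only"
        set secfabgrp read
        set sysgrp read
        set netgrp read
        set fwgrp read
    next
end
config system admin
    edit "limited_admin"
        set remote-auth enable
        set accprofile "read_only"
        set vdom "root"
        set remote-group "TACACS_GROUP"
    next
end
"""


def parse_fortios(text):
    """Parse flat FortiOS 'config / edit / set / next / end' text into
    {table: {entry: {key: [values]}}}.  Sub-tables nested inside an entry
    are skipped, because this audit only needs the top-level tables."""
    tables = {}
    table = entry = None
    skip_depth = 0
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())   # honours the "quoted" names
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]
        if skip_depth:                      # inside a nested sub-table
            skip_depth += (cmd == "config") - (cmd == "end")
            continue
        if cmd == "config":
            if table is not None:           # nested config: skip to its end
                skip_depth = 1
            else:
                table = " ".join(args)      # e.g. "user tacacs+"
                tables.setdefault(table, {})
        elif cmd == "edit" and table is not None:
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set" and entry is not None:
            tables[table][entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = None
    return tables


def audit_remote_admins(config_text):
    """Return (admin_name, finding) pairs for admins that use remote
    authentication but are not bound to a TACACS+ group and a locally
    defined, non-super_admin access profile.  An empty list means the
    configuration matches the article's setup."""
    cfg = parse_fortios(config_text)
    admins = cfg.get("system admin", {})
    groups = cfg.get("user group", {})
    tacacs = cfg.get("user tacacs+", {})
    profiles = cfg.get("system accprofile", {})
    findings = []
    for name, a in admins.items():
        if a.get("remote-auth", ["disable"])[0] != "enable":
            continue                        # local admins are out of scope
        grp = a.get("remote-group", [None])[0]
        if grp is None:
            findings.append((name, "remote-auth enabled but no remote-group"))
        elif grp not in groups:
            findings.append((name, f"remote-group {grp!r} is not defined"))
        elif not any(m in tacacs for m in groups[grp].get("member", [])):
            findings.append((name, f"group {grp!r} has no TACACS+ server member"))
        prof = a.get("accprofile", [None])[0]
        if prof is None:
            findings.append((name, "no accprofile set"))
        elif prof == "super_admin":
            findings.append((name, "remote admin bound to super_admin"))
        elif prof not in profiles:
            findings.append((name, f"accprofile {prof!r} is not defined"))
    return findings


if __name__ == "__main__":
    for admin, finding in audit_remote_admins(SAMPLE_CONFIG) or [("-", "no findings")]:
        print(admin, finding)
```

Run it against the text of `show full-configuration` saved to a file in place of `SAMPLE_CONFIG`; the same checks then flag any remote admin that drifted to super_admin or to a group the TACACS+ server is no longer a member of.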

Related articles:

Technical Tip: TACACS+ responses and interpretations

Technical Tip: How to configure TACACS+ authentication and authorization in FortiGate