John_Stoker
Explorer
April 28, 2009
Question

TACACS+ and/or RADIUS Admin Authentication

  • April 28, 2009
  • 6 replies
  • 6263 views
We're hoping to set up TACACS or RADIUS so that when we have a new engineer or one leaves we can just remove him/her from the auth server and not have to go to every FG, but so far it looks like you still have to put in the username and password for every admin on every FG and it just verifies that the username and password used match those on the auth server. Is this the only way and the correct way for this to work? Thanks, John


    abelio
    SuperUser
    April 29, 2009
    Is this the only way and correct way for this to work?
    Not exactly. Authentication is always against user groups. Define your RADIUS or TAC+ server and include it within a user group; then associate the administrator with the user group. Done. Regards
    New Contributor III
    January 29, 2010
    Hi Abel: I came to the same conclusion John did; should I leave the password field blank? Also, can the FGT handle secure communication to the LDAP/RADIUS/TACACS server? I want to prevent cleartext passwords on my network. Regards, Sebastian
    abelio
    SuperUser
    January 29, 2010
    I came to the same conclusion John did; should I leave the password field blank?
    Not exactly; authenticating FGT administrators against a remote server (RADIUS, TAC+, etc.) takes a different approach than for standard non-administrative users. Indeed, for administrators, you have to include the password in the FGT even when they are authenticated against the remote server. If you want to block an administrator when the guy leaves your company, change his credentials in the TAC+ server; after that, authentication will fail for that admin. This doesn't save the extra work of going into each FGT box to remove the administrator user, but you can prevent him from connecting to the box. Regards,
    romanr
    New Member
    January 29, 2010
    Hi, unfortunately I have not done a TACACS installation with FortiOS myself, but I would be really interested to hear about administrators being handled via TACACS. TACACS+ itself is encrypted transport via TCP!! Cheers, Roman
    New Contributor III
    January 29, 2010
    Thanks
    p768
    New Member
    February 2, 2010
    You can configure the FG to use the Wildcard option for TACACS. This way you do not need to provide either the administrator's username or password. The TACACS server authenticates the administrator, and then they are given the access profile you have specified.
    John_Stoker
    Explorer
    February 10, 2010
    You can configure the FG to use the Wildcard option for TACACS. This way you do not need to provide either the administrator's username or password. The TACACS server authenticates the administrator, and then they are given the access profile you have specified.
    p768 THANK YOU!!! Works like a charm! :D
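The two approaches the thread contrasts, as an added FortiOS CLI example that is not from the thread or from Fortinet: a per-engineer admin entry (the situation John started with) next to a single wildcard entry that hands off authentication to the TACACS+ server. The server name, address, shared key, group name and admin names are placeholders, and the exact attribute set available varies by FortiOS version.

```fortios
# Remote TACACS+ server (constructed values: name, address and key are placeholders)
config user tacacs+
    edit "tacacs-srv"
        set server "192.0.2.10"
        set key "REPLACE-WITH-SHARED-SECRET"
        set authen-type auto
    next
end

# User group whose member is the remote server; admins are tied to this group
config user group
    edit "tacacs-admins"
        set member "tacacs-srv"
    next
end

# Per-engineer entry: one per admin on every FortiGate, with a local
# password kept on the box. Offboarding means touching each unit.
config system admin
    edit "jdoe"
        set remote-auth enable
        set remote-group "tacacs-admins"
        set accprofile "super_admin"
        set password "LOCAL-PASSWORD-PLACEHOLDER"
    next
end

# Wildcard entry: one per FortiGate, no per-engineer username or password.
# Any account the TACACS+ server accepts logs in with the profile named here.
config system admin
    edit "tacacs-wildcard"
        set remote-auth enable
        set wildcard enable
        set remote-group "tacacs-admins"
        set accprofile "super_admin"
    next
end
```

With the wildcard entry, disabling the engineer on the TACACS+ server is enough, since no per-engineer entry exists on the FortiGate. Note that TACACS+ only obfuscates the packet body with the shared key (RFC 8907 describes this as obfuscation rather than encryption), so the path between the FortiGate and the server should still be confined to a management network.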